security: round 3 — token security (crypto random, hashed storage, portal middleware)

Token generation: - Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy - Store SHA-256 hash in database, never plaintext tokens - Hash input before lookup on all token endpoints Invitation tokens: - InvitationService: generate crypto random, store hash, pass plain token transiently for email URL via UserInvitation::$plainToken - InvitationController show/accept: hash input before DB lookup - AcceptInvitationRequest: hash token before invitation lookup - Migration: widen user_invitations.token and artists.portal_token from char(26) to char(64) for SHA-256 hex digests Portal token auth: - PortalTokenController: remove Schema::hasTable() runtime checks, hash token before lookup, return shaped response via PortalEventResource instead of raw model data - Create PortalEventResource (name, dates, status only — no internals) - Handle missing production_requests table gracefully via try/catch Portal token middleware: - Implement full token validation: extract from Bearer header or ?token= query param, hash, look up in artists/production_requests, verify event exists and is not draft/closed, set portal context on request - Return generic 401 on any failure (no information leakage) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 06:52:54 +02:00
parent 090d2b7d89
commit 52f6380ac0
14 changed files with 258 additions and 30 deletions
--- a/api/database/migrations/2026_04_14_100000_update_token_columns_for_hashed_storage.php
+++ b/api/database/migrations/2026_04_14_100000_update_token_columns_for_hashed_storage.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+/**
+ * Widen token columns from char(26) (ULID) to char(64) (SHA-256 hex digest).
+ * Existing tokens become invalid — acceptable for pre-production.
+ */
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('user_invitations', function (Blueprint $table) {
+            $table->char('token', 64)->change();
+        });
+
+        if (Schema::hasTable('artists')) {
+            Schema::table('artists', function (Blueprint $table) {
+                $table->char('portal_token', 64)->change();
+            });
+        }
+    }
+
+    public function down(): void
+    {
+        Schema::table('user_invitations', function (Blueprint $table) {
+            $table->char('token', 26)->change();
+        });
+
+        if (Schema::hasTable('artists')) {
+            Schema::table('artists', function (Blueprint $table) {
+                $table->char('portal_token', 26)->change();
+            });
+        }
+    }
+};