security: round 3 — token security (crypto random, hashed storage, portal middleware)

Token generation:
- Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy
- Store SHA-256 hash in database, never plaintext tokens
- Hash input before lookup on all token endpoints

Invitation tokens:
- InvitationService: generate crypto random, store hash, pass plain
  token transiently for email URL via UserInvitation::$plainToken
- InvitationController show/accept: hash input before DB lookup
- AcceptInvitationRequest: hash token before invitation lookup
- Migration: widen user_invitations.token and artists.portal_token
  from char(26) to char(64) for SHA-256 hex digests

Portal token auth:
- PortalTokenController: remove Schema::hasTable() runtime checks,
  hash token before lookup, return shaped response via PortalEventResource
  instead of raw model data
- Create PortalEventResource (name, dates, status only — no internals)
- Handle missing production_requests table gracefully via try/catch

Portal token middleware:
- Implement full token validation: extract from Bearer header or ?token=
  query param, hash, look up in artists/production_requests, verify
  event exists and is not draft/closed, set portal context on request
- Return generic 401 on any failure (no information leakage)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/tests/Feature/Api/V1/VolunteerRegistrationTest.php

@@ -18,7 +18,6 @@ use Database\Seeders\RoleSeeder;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Mail;
-use Illuminate\Support\Facades\Schema;
 use Laravel\Sanctum\Sanctum;
 use Tests\TestCase;
 
@@ -402,17 +401,13 @@ class VolunteerRegistrationTest extends TestCase
         $response->assertJson(['message' => 'Invalid or expired portal token']);
     }
 
-    public function test_token_auth_returns_501_when_no_tables(): void
+    public function test_token_auth_with_empty_token_returns_422(): void
     {
-        // Drop the artists table to simulate no token tables existing
-        Schema::dropIfExists('artists');
-
         $response = $this->postJson('/api/v1/portal/token-auth', [
-            'token' => '01JTEST000000000000000000',
+            'token' => '',
         ]);
 
-        $response->assertStatus(501);
-        $response->assertJson(['message' => 'Token-based portal access is not yet available']);
+        $response->assertStatus(422);
     }
 
     // ─── Portal Me ──────────────────────────────────────────────────────

api/tests/Feature/Invitation/InvitationTest.php

@@ -111,7 +111,7 @@ class InvitationTest extends TestCase
             'invited_by_user_id' => $this->orgAdmin->id,
         ]);
 
-        $response = $this->getJson("/api/v1/invitations/{$invitation->token}");
+        $response = $this->getJson("/api/v1/invitations/{$invitation->plainToken}");
 
         $response->assertOk();
         $response->assertJsonPath('data.organisation.name', $this->org->name);
@@ -126,7 +126,7 @@ class InvitationTest extends TestCase
             'expires_at' => now()->subDay(),
         ]);
 
-        $response = $this->getJson("/api/v1/invitations/{$invitation->token}");
+        $response = $this->getJson("/api/v1/invitations/{$invitation->plainToken}");
 
         $response->assertOk();
         $response->assertJsonPath('data.status', 'expired');
@@ -151,7 +151,7 @@ class InvitationTest extends TestCase
             'expires_at' => now()->addDays(7),
         ]);
 
-        $response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
+        $response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept", [
             'first_name' => 'New',
             'last_name' => 'User',
             'password' => 'Password123',
@@ -184,7 +184,7 @@ class InvitationTest extends TestCase
             'expires_at' => now()->addDays(7),
         ]);
 
-        $response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept");
+        $response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept");
 
         $response->assertOk();
         $response->assertJsonStructure(['data' => ['user', 'token']]);
@@ -204,7 +204,7 @@ class InvitationTest extends TestCase
             'expires_at' => now()->subDay(),
         ]);
 
-        $response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
+        $response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept", [
             'first_name' => 'Test',
             'last_name' => 'User',
             'password' => 'Password123',
@@ -223,7 +223,7 @@ class InvitationTest extends TestCase
             'expires_at' => now()->addDays(7),
         ]);
 
-        $response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
+        $response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept", [
             'first_name' => 'Test',
             'last_name' => 'User',
             'password' => 'Password123',