bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 3 — token security (crypto random, hashed storage, portal middleware)

Browse Source 
Token generation:
- Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy
- Store SHA-256 hash in database, never plaintext tokens
- Hash input before lookup on all token endpoints

Invitation tokens:
- InvitationService: generate crypto random, store hash, pass plain
  token transiently for email URL via UserInvitation::$plainToken
- InvitationController show/accept: hash input before DB lookup
- AcceptInvitationRequest: hash token before invitation lookup
- Migration: widen user_invitations.token and artists.portal_token
  from char(26) to char(64) for SHA-256 hex digests

Portal token auth:
- PortalTokenController: remove Schema::hasTable() runtime checks,
  hash token before lookup, return shaped response via PortalEventResource
  instead of raw model data
- Create PortalEventResource (name, dates, status only — no internals)
- Handle missing production_requests table gracefully via try/catch

Portal token middleware:
- Implement full token validation: extract from Bearer header or ?token=
  query param, hash, look up in artists/production_requests, verify
  event exists and is not draft/closed, set portal context on request
- Return generic 401 on any failure (no information leakage)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 06:52:54 +02:00
parent 090d2b7d89
commit 52f6380ac0
14 changed files with 258 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
api/tests/Feature/Api/V1/VolunteerRegistrationTest.php
View File

@@ -18,7 +18,6 @@ use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Schema;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
@@ -402,17 +401,13 @@ class VolunteerRegistrationTest extends TestCase
$response->assertJson(['message' => 'Invalid or expired portal token']);
}
public function test_token_auth_returns_501_when_no_tables(): void
public function test_token_auth_with_empty_token_returns_422(): void
{
// Drop the artists table to simulate no token tables existing
Schema::dropIfExists('artists');
$response = $this->postJson('/api/v1/portal/token-auth', [
'token' => '01JTEST000000000000000000',
'token' => '',
]);
$response->assertStatus(501);
$response->assertJson(['message' => 'Token-based portal access is not yet available']);
$response->assertStatus(422);
}
// ─── Portal Me ──────────────────────────────────────────────────────