fix: register AuthScopeContextListener for Sanctum bearer-token flow
Live HTTP smoke test on the post-architectural-fixes branch surfaced
that captured Sentry events carried only route-scope tags (app,
route_name, http.method) — auth-scope tags (user_id, actor_type,
actor_scope) were absent on every request.
Root cause: Sanctum's Guard fires Laravel\Sanctum\Events\TokenAuthenticated
(vendor/laravel/sanctum/src/Guard.php:77) on bearer-token resolution,
NOT Illuminate\Auth\Events\Authenticated. The Authenticated event only
fires from SessionGuard
(vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php:833),
which Crewli does not use — CookieBearerToken middleware injects the
httpOnly cookie as Authorization: Bearer, then auth:sanctum invokes
Sanctum's Guard. So the listener never ran on Crewli's HTTP path.
Offline tests in AuthScopeContextListenerTest passed because they
dispatch event(new Authenticated(...)) directly, bypassing the Guard
layer. Sanctum::actingAs() in tests has the same blind spot — it
short-circuits the Guard via guard('sanctum')->setUser() and fires
neither event.
Fix:
- New handleTokenAuthenticated(TokenAuthenticated $event) method on
AuthScopeContextListener extracts the user via $event->token->tokenable
and delegates to a private bindForUser() shared with handle().
- AppServiceProvider registers the listener for both Authenticated
(covers SessionGuard / login flow / future authenticators) and
TokenAuthenticated (covers Crewli's bearer-token Sanctum flow).
Regression coverage: AuthScopeBindingHttpFlowTest exercises the real
Sanctum Guard via $user->createToken() + Authorization: Bearer header.
Three cases:
- super_admin on a user-scope route: actor_scope=user, all auth tags
present.
- super_admin on an admin.* route: actor_scope=platform, no
organisation_id (correct platform-mode behaviour).
- org_admin on a route with {organisation} param: actor_scope=
organisation, organisation_id valid ULID.
Test count 1541 to 1544. Larastan clean. Pint clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -11,25 +11,34 @@ use App\Models\User;
|
||||
use Illuminate\Auth\Events\Authenticated;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use Laravel\Sanctum\Events\TokenAuthenticated;
|
||||
use Sentry\State\Scope;
|
||||
|
||||
use function Sentry\configureScope;
|
||||
|
||||
/**
|
||||
* Binds auth-scope context to Sentry and Laravel log context on every
|
||||
* successful authentication (Sanctum, portal-token, future authenticators).
|
||||
* successful authentication.
|
||||
*
|
||||
* Auth-scope tags (user_id, actor_type, organisation_id, actor_scope) are
|
||||
* decoupled from route-scope tags (which live in BindSentryRouteContext)
|
||||
* so that authentication-mechanism additions don't require touching every
|
||||
* route-group's middleware stack.
|
||||
* Listens to TWO events:
|
||||
* - {@see Authenticated} fires from SessionGuard (login flow / future
|
||||
* cookie-session authenticators).
|
||||
* - {@see TokenAuthenticated} fires from {@see \Laravel\Sanctum\Guard}
|
||||
* on every bearer-token resolution. Crewli's HTTP flow is
|
||||
* bearer-token (CookieBearerToken middleware reads the httpOnly
|
||||
* cookie and injects Authorization: Bearer); without listening to
|
||||
* TokenAuthenticated, no auth-scope tags would ever bind on live
|
||||
* requests — a regression the offline tests miss because they
|
||||
* dispatch Authenticated directly.
|
||||
*
|
||||
* Lifecycle nuance for impersonation: Sanctum's auth resolves to the
|
||||
* admin user and fires Authenticated → this listener tags the admin.
|
||||
* Then HandleImpersonation middleware swaps the auth user to the target
|
||||
* and re-binds Sentry scope itself (impersonation.active=true plus the
|
||||
* target's user_id/actor_type). That keeps impersonation-specific logic
|
||||
* co-located with the middleware that performs the swap.
|
||||
* Auth-scope tags (user_id, actor_type, organisation_id, actor_scope)
|
||||
* are decoupled from route-scope tags (BindSentryRouteContext middleware)
|
||||
* so that authentication-mechanism additions don't require touching
|
||||
* every route-group's middleware stack.
|
||||
*
|
||||
* Impersonation re-binding (target user_id + impersonation.* tags) is
|
||||
* co-located in HandleImpersonation middleware and runs after the user
|
||||
* swap.
|
||||
*
|
||||
* RFC-WS-7 §3.6, §3.13 (Log::withContext OBS-2 fix).
|
||||
*/
|
||||
@@ -43,6 +52,22 @@ final class AuthScopeContextListener
|
||||
return;
|
||||
}
|
||||
|
||||
$this->bindForUser($user);
|
||||
}
|
||||
|
||||
public function handleTokenAuthenticated(TokenAuthenticated $event): void
|
||||
{
|
||||
$tokenable = $event->token->tokenable ?? null;
|
||||
|
||||
if (! $tokenable instanceof User) {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->bindForUser($tokenable);
|
||||
}
|
||||
|
||||
private function bindForUser(User $user): void
|
||||
{
|
||||
$request = request();
|
||||
$actorType = ActorType::resolve($user, $request);
|
||||
[$organisationId, $actorScope] = $this->resolveTenantContext($user, $request);
|
||||
|
||||
@@ -205,12 +205,20 @@ class AppServiceProvider extends ServiceProvider
|
||||
);
|
||||
|
||||
// RFC-WS-7 §3.6 — auth-scope Sentry tags + Log::withContext on
|
||||
// every successful authentication. Decoupled from middleware so
|
||||
// future authenticators (e.g. portal-token) only need to fire
|
||||
// the Authenticated event for tagging to work.
|
||||
// every successful authentication. Listens to two events:
|
||||
// - Authenticated covers SessionGuard flows (login etc.).
|
||||
// - TokenAuthenticated covers Sanctum bearer-token flows; this
|
||||
// is Crewli's actual SPA auth path because CookieBearerToken
|
||||
// middleware injects the cookie as an Authorization header.
|
||||
// Without this, live HTTP events would carry no auth-scope
|
||||
// tags even though the offline (event-dispatch) tests pass.
|
||||
\Illuminate\Support\Facades\Event::listen(
|
||||
\Illuminate\Auth\Events\Authenticated::class,
|
||||
\App\Listeners\Observability\AuthScopeContextListener::class,
|
||||
[\App\Listeners\Observability\AuthScopeContextListener::class, 'handle'],
|
||||
);
|
||||
\Illuminate\Support\Facades\Event::listen(
|
||||
\Laravel\Sanctum\Events\TokenAuthenticated::class,
|
||||
[\App\Listeners\Observability\AuthScopeContextListener::class, 'handleTokenAuthenticated'],
|
||||
);
|
||||
|
||||
ResetPassword::createUrlUsing(function ($user, string $token) {
|
||||
|
||||
Reference in New Issue
Block a user