bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
724 Commits 3 Branches 0 Tags
6e5c5bbec374934cd7a1fa2d7e5b5007c446ad83
Commit Graph

4 Commits

Author SHA1 Message Date
bert.hausmans
64878f2734 fix(timetable): wire portal-token auth through artist_engagements 
RFC-TIMETABLE v0.2 §5.3 moved portal_token from artists to
artist_engagements (one master artist may have multiple per-event
portal links). PortalTokenController and PortalTokenMiddleware
queried the now-removed artists.portal_token column.

Update both lookups to query artist_engagements.portal_token, joining
to artists for the master name. Response shape unchanged: data.id =
engagement id, data.name = artist name, data.booking_status = engagement
status. Middleware sets portal_context='artist' (unchanged); the
attached portal_person object now carries the engagement row.

PortalTokenSecurityTest seeds artist_engagement rows via a private
helper that writes both an Artist (master) and an artist_engagements
row with the hashed token; test assertions adjusted to check the new
shape (no more milestone fields exposed since they don't exist on
the engagement).

Out of scope refactor disclaimer: this is a forced schema-migration
follow-up, not a Session 2-style controller refactor — the controller
queries the new table with minimal change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-08 19:15:13 +02:00
bert.hausmans
51e5dd6fcb security: comprehensive security regression test suite 
61 tests across 4 test files covering all OWASP categories:

MultiTenancyIsolationTest (19 tests):
- Cross-org event, person, shift, section, time-slot, location,
  registration field, shift assignment, crowd list access
- Cross-org FK references (crowd_type, company, parent_event)
- Bulk operation isolation, invitation revocation
- Portal cross-event access prevention

AuthenticationSecurityTest (15 tests):
- Rate limiting: login (5/min), portal token-auth (10/min),
  invitation show (10/min)
- Account enumeration prevention: generic error on failed login,
  200 response on password reset for unknown email
- Token lifecycle: logout revokes token, password reset revokes
  all tokens, expired tokens rejected (7-day config verified)
- Password strength: weak/no-uppercase/no-numbers rejected
- Security headers present on all responses
- Protected routes require authentication

PortalTokenSecurityTest (10 tests):
- Invalid/empty/missing token handling
- Response shape: only safe fields (no milestones, no portal_token,
  no organisation_id, no internal event fields)
- Hash-based lookup: plain token works, hash does not
- Error messages: no schema/table info leakage
- Middleware: rejects without token, rejects invalid, accepts valid,
  rejects draft event status

InputValidationSecurityTest (17 tests):
- XSS payloads stored safely in person name, event name, section name
- Oversized inputs rejected (name >255, remarks >5000)
- Invalid enum values rejected (status, event_type)
- Cross-org FK references rejected (crowd_type, company, location,
  parent_event, person assignment)
- Invalid/nonexistent ULID format rejected
- SQL injection payloads harmless (PDO binding verified)

Also fixes PortalTokenMiddleware to use request->attributes->set()
instead of request->merge() for stdClass objects.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-14 07:25:47 +02:00
bert.hausmans
52f6380ac0 security: round 3 — token security (crypto random, hashed storage, portal middleware) 
Token generation:
- Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy
- Store SHA-256 hash in database, never plaintext tokens
- Hash input before lookup on all token endpoints

Invitation tokens:
- InvitationService: generate crypto random, store hash, pass plain
  token transiently for email URL via UserInvitation::$plainToken
- InvitationController show/accept: hash input before DB lookup
- AcceptInvitationRequest: hash token before invitation lookup
- Migration: widen user_invitations.token and artists.portal_token
  from char(26) to char(64) for SHA-256 hex digests

Portal token auth:
- PortalTokenController: remove Schema::hasTable() runtime checks,
  hash token before lookup, return shaped response via PortalEventResource
  instead of raw model data
- Create PortalEventResource (name, dates, status only — no internals)
- Handle missing production_requests table gracefully via try/catch

Portal token middleware:
- Implement full token validation: extract from Bearer header or ?token=
  query param, hash, look up in artists/production_requests, verify
  event exists and is not draft/closed, set portal context on request
- Return generic 401 on any failure (no information leakage)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-14 06:52:54 +02:00
bert.hausmans
1cb7674d52 refactor: align codebase with EventCrew domain and trim legacy band stack 
- Update API: events, users, policies, routes, resources, migrations
- Remove deprecated models/resources (customers, setlists, invitations, etc.)
- Refresh admin app and docs; remove apps/band

Made-with: Cursor
 2026-03-29 23:19:06 +02:00