crewli

bert.hausmans/crewli

Fork 0

Commit Graph

Author	SHA1	Message	Date
bert.hausmans	2e94a107e4	refactor(auth): consolidate to single cookie post single-SPA The dual-cookie machinery (crewli_app_token + crewli_portal_token, Origin-based resolution) was load-bearing only when the second SPA existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code has been carrying dead branches since then. Collapse to one cookie. Cookie name retained as crewli_app_token — no session breakage on deploy. crewli_portal_token is fully purged from the server-side. CookieBearerToken middleware: - COOKIE_NAMES array → single COOKIE_NAME constant - resolveCookieName method (Origin/Referer parsing, host+port matching against frontend_app_url/frontend_portal_url) → removed - Body collapses to: skip if Authorization header present; else read crewli_app_token cookie and inject Bearer header SetAuthCookie trait: - COOKIE_MAP / resolveCookieName / originMatches → removed - makeAuthCookie / forgetAuthCookie now take only $token; the cookie name is the trait's private constant Five callers updated to drop the resolveCookieName($request) line and the cookie-name argument: LoginController (3 sites), MfaVerifyController (1 site), AuthRefreshController (1 site), LogoutController (1 site), InvitationController (1 site — caller list in the prompt missed this one but the same pattern applies). frontend_portal_url config key retained (per Phase A directive Q1): EmailChangeController, PasswordResetController, PersonController are non-auth consumers that build per-app URL maps for outbound emails. The map structure is now functionally redundant (production resolves all FRONTEND_* env vars to the same host) but stays structurally intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the upcoming docs commit. HttpOnlyCookieAuthTest: - Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin, app_cookie_does_not_authenticate_portal_requests, portal_cookie_does_not_authenticate_app_requests, correct_cookie_authenticates_with_matching_origin) - Renamed login_sets_app_cookie_for_unknown_origin → login_sets_app_cookie_regardless_of_origin; expanded to four Origin variants (none, app, unknown, foreign) — pins the new origin-agnostic contract - Removed Origin headers from request calls in remaining tests (now meaningless) Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests encoding the obsolete contract). Pint clean. Larastan clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-06 00:24:01 +02:00
bert.hausmans	513ca519b2	security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach) Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:06:44 +02:00

Author

SHA1

Message

Date

bert.hausmans

2e94a107e4

refactor(auth): consolidate to single cookie post single-SPA

The dual-cookie machinery (crewli_app_token + crewli_portal_token,
Origin-based resolution) was load-bearing only when the second SPA
existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code
has been carrying dead branches since then. Collapse to one cookie.

Cookie name retained as crewli_app_token — no session breakage on
deploy. crewli_portal_token is fully purged from the server-side.

CookieBearerToken middleware:
- COOKIE_NAMES array → single COOKIE_NAME constant
- resolveCookieName method (Origin/Referer parsing, host+port
  matching against frontend_app_url/frontend_portal_url) → removed
- Body collapses to: skip if Authorization header present; else
  read crewli_app_token cookie and inject Bearer header

SetAuthCookie trait:
- COOKIE_MAP / resolveCookieName / originMatches → removed
- makeAuthCookie / forgetAuthCookie now take only $token; the
  cookie name is the trait's private constant

Five callers updated to drop the resolveCookieName($request) line
and the cookie-name argument: LoginController (3 sites),
MfaVerifyController (1 site), AuthRefreshController (1 site),
LogoutController (1 site), InvitationController (1 site — caller
list in the prompt missed this one but the same pattern applies).

frontend_portal_url config key retained (per Phase A directive Q1):
EmailChangeController, PasswordResetController, PersonController are
non-auth consumers that build per-app URL maps for outbound emails.
The map structure is now functionally redundant (production resolves
all FRONTEND_* env vars to the same host) but stays structurally
intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the
upcoming docs commit.

HttpOnlyCookieAuthTest:
- Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin,
  app_cookie_does_not_authenticate_portal_requests,
  portal_cookie_does_not_authenticate_app_requests,
  correct_cookie_authenticates_with_matching_origin)
- Renamed login_sets_app_cookie_for_unknown_origin →
  login_sets_app_cookie_regardless_of_origin; expanded to four
  Origin variants (none, app, unknown, foreign) — pins the new
  origin-agnostic contract
- Removed Origin headers from request calls in remaining tests
  (now meaningless)

Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests
encoding the obsolete contract). Pint clean. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-06 00:24:01 +02:00

bert.hausmans

513ca519b2

security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

Backend:
- CookieBearerToken middleware reads httpOnly cookie and injects Authorization
  header before Sanctum validates (prepended to API middleware group)
- SetAuthCookie trait provides cookie creation/expiry helpers with per-app
  cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token)
- LoginController sets token via Set-Cookie, removes it from JSON body
- LogoutController expires the auth cookie on logout
- AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie
- InvitationController accept also sets token via cookie, not JSON body
- All cookies: httpOnly, SameSite=Strict, Secure (in production)

Frontend (all three SPAs):
- Removed all localStorage token storage (apps/app, apps/portal)
- Removed all JS-readable cookie token storage (apps/admin)
- Removed Authorization: Bearer header interceptors from axios
- Auth stores now rely on GET /auth/me to validate httpOnly cookie
- Admin app: new Pinia auth store replaces useCookie-based auth pattern
- withCredentials: true ensures browser sends cookies automatically

Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin
cookie flags). Tokens are now invisible to JavaScript.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-14 16:06:44 +02:00

2 Commits