bert.hausmans
1028498705
- Add throttle middleware to login (5/min), portal/token-auth (10/min), volunteer-register (5/min), and invitation routes (10/min) - Set Sanctum token expiration to 7 days - Remove billing_status from UpdateOrganisationRequest (super_admin only) - Revoke all Sanctum tokens on password reset - Strengthen password rules: min 8 chars, mixed case, numbers - Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy) - Fix open redirect on all 3 login pages (validate ?to= starts with /) - Set APP_DEBUG=false in .env.example - Log failed login attempts with email, IP, user-agent - Log authorization failures (403) with user, IP, path, method - Harden mass assignment: remove user_id from Person, audit fields from ShiftAssignment, system fields from UserInvitation $fillable - Replace real DB records with factory make() in mail preview routes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
109 lines
4.1 KiB
PHP
109 lines
4.1 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use Illuminate\Auth\Access\AuthorizationException;
|
|
use Illuminate\Auth\AuthenticationException;
|
|
use Illuminate\Database\QueryException;
|
|
use Illuminate\Foundation\Application;
|
|
use Illuminate\Foundation\Configuration\Exceptions;
|
|
use Illuminate\Foundation\Configuration\Middleware;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\Log;
|
|
use Illuminate\Validation\ValidationException;
|
|
use Symfony\Component\HttpKernel\Exception\HttpException;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
return Application::configure(basePath: dirname(__DIR__))
|
|
->withRouting(
|
|
web: __DIR__.'/../routes/web.php',
|
|
api: __DIR__.'/../routes/api.php',
|
|
commands: __DIR__.'/../routes/console.php',
|
|
health: '/up',
|
|
apiPrefix: 'api/v1',
|
|
)
|
|
->withMiddleware(function (Middleware $middleware): void {
|
|
// API uses token-based auth, no CSRF needed
|
|
|
|
$middleware->append(\App\Http\Middleware\SecurityHeaders::class);
|
|
|
|
$middleware->alias([
|
|
'portal.token' => \App\Http\Middleware\PortalTokenMiddleware::class,
|
|
]);
|
|
})
|
|
->withExceptions(function (Exceptions $exceptions): void {
|
|
// Database connection / query errors → 503
|
|
$exceptions->render(function (QueryException|PDOException $e, Request $request) {
|
|
if ($request->expectsJson() || $request->is('api/*')) {
|
|
Log::error('Database error', [
|
|
'exception' => get_class($e),
|
|
'message' => $e->getMessage(),
|
|
'trace' => $e->getTraceAsString(),
|
|
]);
|
|
|
|
$response = ['message' => 'Service temporarily unavailable. Please try again later.'];
|
|
|
|
if (config('app.debug')) {
|
|
$response['debug'] = [
|
|
'exception' => get_class($e),
|
|
'message' => $e->getMessage(),
|
|
];
|
|
}
|
|
|
|
return response()->json($response, 503);
|
|
}
|
|
});
|
|
|
|
// 404 Not Found → friendly message
|
|
$exceptions->render(function (NotFoundHttpException $e, Request $request) {
|
|
if ($request->expectsJson() || $request->is('api/*')) {
|
|
return response()->json([
|
|
'message' => 'Resource not found.',
|
|
], 404);
|
|
}
|
|
});
|
|
|
|
// Authorization failures → log with user context
|
|
$exceptions->render(function (AuthorizationException $e, Request $request) {
|
|
if ($request->expectsJson() || $request->is('api/*')) {
|
|
Log::warning('Authorization denied', [
|
|
'user_id' => auth()->id(),
|
|
'ip' => $request->ip(),
|
|
'path' => $request->path(),
|
|
'method' => $request->method(),
|
|
]);
|
|
}
|
|
|
|
return null; // Let Laravel handle the 403 response normally
|
|
});
|
|
|
|
// All other unhandled exceptions → 500
|
|
// (ValidationException, AuthenticationException, and HttpException are handled by Laravel)
|
|
$exceptions->render(function (Throwable $e, Request $request) {
|
|
if ($request->expectsJson() || $request->is('api/*')) {
|
|
if ($e instanceof ValidationException
|
|
|| $e instanceof AuthenticationException
|
|
|| $e instanceof HttpException) {
|
|
return null; // Let Laravel handle these normally
|
|
}
|
|
|
|
Log::error('Unhandled exception', [
|
|
'exception' => get_class($e),
|
|
'message' => $e->getMessage(),
|
|
'trace' => $e->getTraceAsString(),
|
|
]);
|
|
|
|
$response = ['message' => 'An unexpected error occurred.'];
|
|
|
|
if (config('app.debug')) {
|
|
$response['debug'] = [
|
|
'exception' => get_class($e),
|
|
'message' => $e->getMessage(),
|
|
];
|
|
}
|
|
|
|
return response()->json($response, 500);
|
|
}
|
|
});
|
|
})->create();
|