bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10284987051e35fb664fca9dbf6c8ca91155b467
crewli/api/routes/web.php
bert.hausmans 1028498705 security: round 1 — quick wins (rate limiting, headers, mass assignment, logging) 
- Add throttle middleware to login (5/min), portal/token-auth (10/min),
  volunteer-register (5/min), and invitation routes (10/min)
- Set Sanctum token expiration to 7 days
- Remove billing_status from UpdateOrganisationRequest (super_admin only)
- Revoke all Sanctum tokens on password reset
- Strengthen password rules: min 8 chars, mixed case, numbers
- Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options,
  HSTS, Referrer-Policy, Permissions-Policy)
- Fix open redirect on all 3 login pages (validate ?to= starts with /)
- Set APP_DEBUG=false in .env.example
- Log failed login attempts with email, IP, user-agent
- Log authorization failures (403) with user, IP, path, method
- Harden mass assignment: remove user_id from Person, audit fields from
  ShiftAssignment, system fields from UserInvitation $fillable
- Replace real DB records with factory make() in mail preview routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 01:34:51 +02:00

49 lines
1.7 KiB
PHP
Raw Blame History

<?php
use App\Mail\InvitationMail;
use App\Mail\RegistrationApprovedMail;
use App\Mail\RegistrationConfirmationMail;
use App\Mail\RegistrationRejectedMail;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Models\User;
use App\Models\UserInvitation;
use Illuminate\Support\Facades\Route;
if (app()->environment('local', 'staging')) {
Route::get('/mail-preview/{type}', function (string $type) {
$supportedTypes = [
'registration-confirmation',
'registration-approved',
'registration-rejected',
'invitation',
];
if (! in_array($type, $supportedTypes)) {
abort(404, "Unknown mail type '{$type}'. Supported types: " . implode(', ', $supportedTypes));
}
if ($type === 'invitation') {
$organisation = Organisation::factory()->make();
$invitation = UserInvitation::factory()->make();
$invitation->setRelation('organisation', $organisation);
$invitation->setRelation('invitedBy', User::factory()->make());
$invitation->token ??= 'preview-token';
$invitation->role ??= 'org_member';
$invitation->expires_at ??= now()->addDays(7);
return new InvitationMail($invitation);
}
$event = Event::factory()->make();
$person = Person::factory()->make();
return match ($type) {
'registration-confirmation' => new RegistrationConfirmationMail($person, $event),
'registration-approved' => new RegistrationApprovedMail($person, $event),
'registration-rejected' => new RegistrationRejectedMail($person, $event, 'Helaas geen plek meer.'),
};
});
}
Reference in New Issue View Git Blame Copy Permalink