bert.hausmans
1028498705
- Add throttle middleware to login (5/min), portal/token-auth (10/min), volunteer-register (5/min), and invitation routes (10/min) - Set Sanctum token expiration to 7 days - Remove billing_status from UpdateOrganisationRequest (super_admin only) - Revoke all Sanctum tokens on password reset - Strengthen password rules: min 8 chars, mixed case, numbers - Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy) - Fix open redirect on all 3 login pages (validate ?to= starts with /) - Set APP_DEBUG=false in .env.example - Log failed login attempts with email, IP, user-agent - Log authorization failures (403) with user, IP, path, method - Harden mass assignment: remove user_id from Person, audit fields from ShiftAssignment, system fields from UserInvitation $fillable - Replace real DB records with factory make() in mail preview routes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Admin Dashboard
This folder will contain the Admin SPA using Vuexy Vue.
Setup
- Copy Vuexy Vue full-version (TypeScript) here:
cp -r /path/to/vuexy/typescript-version/full-version/* .
- Install dependencies:
pnpm install
- Create
.env.local:
VITE_API_URL=http://localhost:8000/api/v1
VITE_APP_NAME="Crewli Admin"
- Start development:
pnpm dev
Port
Runs on http://localhost:5173 (Vite default).
Production: point VITE_API_URL at your API, e.g. https://api.crewli.app/api/v1, with DNS/TLS for admin.crewli.app (and matching Laravel FRONTEND_ADMIN_URL / CORS / Sanctum settings — see repo README.md and api/.env.example).