bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
284fdcc43790cefcae12b1d338916e2d6dd2ce5d
crewli/api/app/Http/Controllers/Api/V1/PortalTokenController.php
bert.hausmans 64878f2734 fix(timetable): wire portal-token auth through artist_engagements 
RFC-TIMETABLE v0.2 §5.3 moved portal_token from artists to
artist_engagements (one master artist may have multiple per-event
portal links). PortalTokenController and PortalTokenMiddleware
queried the now-removed artists.portal_token column.

Update both lookups to query artist_engagements.portal_token, joining
to artists for the master name. Response shape unchanged: data.id =
engagement id, data.name = artist name, data.booking_status = engagement
status. Middleware sets portal_context='artist' (unchanged); the
attached portal_person object now carries the engagement row.

PortalTokenSecurityTest seeds artist_engagement rows via a private
helper that writes both an Artist (master) and an artist_engagements
row with the hashed token; test assertions adjusted to check the new
shape (no more milestone fields exposed since they don't exist on
the engagement).

Out of scope refactor disclaimer: this is a forced schema-migration
follow-up, not a Session 2-style controller refactor — the controller
queries the new table with minimal change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 19:15:13 +02:00

73 lines
2.5 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Requests\Api\V1\PortalTokenAuthRequest;
use App\Http\Resources\Api\V1\PortalEventResource;
use App\Models\Event;
use App\Models\Scopes\OrganisationScope;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\DB;
final class PortalTokenController extends Controller
{
public function auth(PortalTokenAuthRequest $request): JsonResponse
{
$hashedToken = hash('sha256', $request->validated('token'));
// Artist portal token lives on artist_engagements (per RFC-TIMETABLE
// v0.2 §5.3); join to artists for the master name.
$row = DB::table('artist_engagements')
->join('artists', 'artists.id', '=', 'artist_engagements.artist_id')
->where('artist_engagements.portal_token', $hashedToken)
->select(
'artist_engagements.id as id',
'artist_engagements.event_id as event_id',
'artist_engagements.booking_status as booking_status',
'artists.name as name',
)
->first();
if ($row) {
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($row->event_id);
return response()->json([
'context' => 'artist',
'data' => [
'id' => $row->id,
'name' => $row->name,
'booking_status' => $row->booking_status,
],
'event' => $event ? new PortalEventResource($event) : null,
]);
}
// Try production_requests table (may not exist yet)
try {
$productionRequest = DB::table('production_requests')->where('token', $hashedToken)->first();
if ($productionRequest) {
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($productionRequest->event_id);
return response()->json([
'context' => 'supplier',
'data' => [
'id' => $productionRequest->id,
'name' => $productionRequest->name ?? null,
],
'event' => $event ? new PortalEventResource($event) : null,
]);
}
} catch (\Illuminate\Database\QueryException) {
// Table doesn't exist yet — skip
}
return response()->json([
'message' => 'Invalid or expired portal token',
], 401);
}
}
Reference in New Issue View Git Blame Copy Permalink