bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4a8bb97764c31998f2e87bf6f38bd8b1bc04a596
crewli/api/bootstrap/app.php
bert.hausmans 4a8bb97764 feat: BindRequestLogContext middleware + X-Request-Id round-trip 
WS-7 PR-2 commit 3. RFC §3.13.

- app/Http/Middleware/BindRequestLogContext.php: tags every Laravel log
  line written during the request with request_id, organisation_id,
  user_id, and route name. Sets X-Request-Id on the response so the
  SPA can correlate to backend log lines via one click.
- Client-supplied X-Request-Id is honoured only if it parses as a ULID
  via Str::isUlid. Junk input (empty, non-ULID) is rejected and a
  fresh ULID is generated server-side.
- Registered as a global api-group middleware via the prepend list so
  it runs before authentication. Unauthenticated 4xx responses still
  carry the X-Request-Id header.
- Test count: 1523 to 1532. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 09:28:50 +02:00

153 lines
6.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Database\QueryException;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\ValidationException;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
return Application::configure(basePath: dirname(__DIR__))
->withRouting(
web: __DIR__.'/../routes/web.php',
api: __DIR__.'/../routes/api.php',
commands: __DIR__.'/../routes/console.php',
health: '/up',
apiPrefix: 'api/v1',
)
->withMiddleware(function (Middleware $middleware): void {
// API uses token-based auth, no CSRF needed
$middleware->append(\App\Http\Middleware\SecurityHeaders::class);
// Read httpOnly auth cookie and inject as Authorization header (before Sanctum)
$middleware->api(prepend: [
\App\Http\Middleware\CookieBearerToken::class,
// RFC-WS-7 §3.13 — structured logging context + X-Request-Id
// round-trip. Runs early so unauthenticated 4xx responses
// still carry a request_id header.
\App\Http\Middleware\BindRequestLogContext::class,
]);
$middleware->alias([
'portal.token' => \App\Http\Middleware\PortalTokenMiddleware::class,
'role' => \Spatie\Permission\Middleware\RoleMiddleware::class,
'impersonation' => \App\Http\Middleware\HandleImpersonation::class,
// RFC-WS-7 §3.6 — applied inside auth:sanctum groups so it runs
// after authentication and can read $request->user(). Cannot live
// on the api group because route-level auth middleware runs after
// group middleware in Laravel.
'sentry.context' => \App\Http\Middleware\BindSentryContext::class,
]);
})
->withExceptions(function (Exceptions $exceptions): void {
// Public Form Builder standardised error envelope (S2c D6).
$exceptions->render(function (\App\Exceptions\FormBuilder\PublicFormApiException $e, Request $request) {
$body = [
'message' => $e->getMessage(),
'code' => $e->publicCode,
];
if ($e->fieldErrors !== null) {
$body['errors'] = $e->fieldErrors;
}
return response()->json($body, $e->status, $e->headers);
});
// FormRequest validation on /api/v1/public/forms/* → rewrap into
// the D6 envelope so every public endpoint error looks identical
// regardless of which layer surfaced it.
$exceptions->render(function (ValidationException $e, Request $request) {
if (! $request->is('api/v1/public/forms/*')) {
return null;
}
return response()->json([
'message' => $e->getMessage(),
'code' => 'VALIDATION_FAILED',
'errors' => $e->errors(),
], $e->status);
});
// Database connection / query errors → 503
$exceptions->render(function (QueryException|PDOException $e, Request $request) {
if ($request->expectsJson() || $request->is('api/*')) {
Log::error('Database error', [
'exception' => get_class($e),
'message' => $e->getMessage(),
'trace' => $e->getTraceAsString(),
]);
$response = ['message' => 'Service temporarily unavailable. Please try again later.'];
if (config('app.debug')) {
$response['debug'] = [
'exception' => get_class($e),
'message' => $e->getMessage(),
];
}
return response()->json($response, 503);
}
});
// 404 Not Found → friendly message
$exceptions->render(function (NotFoundHttpException $e, Request $request) {
if ($request->expectsJson() || $request->is('api/*')) {
return response()->json([
'message' => 'Resource not found.',
], 404);
}
});
// Authorization failures → log with user context
$exceptions->render(function (AuthorizationException $e, Request $request) {
if ($request->expectsJson() || $request->is('api/*')) {
Log::warning('Authorization denied', [
'user_id' => auth()->id(),
'ip' => $request->ip(),
'path' => $request->path(),
'method' => $request->method(),
]);
}
return null; // Let Laravel handle the 403 response normally
});
// All other unhandled exceptions → 500
// (ValidationException, AuthenticationException, and HttpException are handled by Laravel)
$exceptions->render(function (Throwable $e, Request $request) {
if ($request->expectsJson() || $request->is('api/*')) {
if ($e instanceof ValidationException
|| $e instanceof AuthenticationException
|| $e instanceof HttpException) {
return null; // Let Laravel handle these normally
}
Log::error('Unhandled exception', [
'exception' => get_class($e),
'message' => $e->getMessage(),
'trace' => $e->getTraceAsString(),
]);
$response = ['message' => 'An unexpected error occurred.'];
if (config('app.debug')) {
$response['debug'] = [
'exception' => get_class($e),
'message' => $e->getMessage(),
];
}
return response()->json($response, 500);
}
});
})->create();
Reference in New Issue View Git Blame Copy Permalink