bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4df668b5b84d4dc0021454946746da55c8b3a450
crewli/api/tests/Feature
History
bert.hausmans 4df668b5b8 feat: replace token-based impersonation with enterprise-grade header-based system 
Replaces the insecure token-in-localStorage approach with a header-based
impersonation system backed by cache sessions and MFA verification.

Key changes:
- New impersonation_sessions audit table (immutable, ULID PK)
- MFA verification required to start impersonation (TOTP/email/backup)
- X-Impersonate-User header + HandleImpersonation middleware
- Per-request auth context swap (admin session never modified)
- IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL
- Activity log auto-tagged with impersonated_by during sessions
- Frontend: sessionStorage, BroadcastChannel sync, countdown timer
- ImpersonateDialog with reason + MFA verification flow
- 26 comprehensive tests covering core, middleware, audit, lifecycle

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 02:42:53 +02:00
..
Api/V1
feat: replace token-based impersonation with enterprise-grade header-based system
2026-04-16 02:42:53 +02:00
Auth
fix: critical MFA bypass — old auth tokens survive MFA challenge
2026-04-15 23:49:51 +02:00
Company
feat: split name into first_name + last_name across users, persons, and companies
2026-04-10 23:04:55 +02:00
CrowdList
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
CrowdType
feat: crowd types management UI with create/edit/deactivate
2026-04-10 11:15:51 +02:00
Email
feat: complete email infrastructure with queue, templates, logging, and API
2026-04-15 20:12:21 +02:00
Event
feat: edit event type label in dialog, drop non-functional status field
2026-04-14 21:48:07 +02:00
FestivalSection
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
Invitation
feat: complete email infrastructure with queue, templates, logging, and API
2026-04-15 20:12:21 +02:00
Location
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
Mail
feat(api): organisation email branding and shared mail layout
2026-04-13 00:44:34 +02:00
Member
feat: fase 2 backend — crowd types, persons, sections, shifts, invite flow
2026-04-08 01:34:46 +02:00
Organisation
feat(api): organisation email branding and shared mail layout
2026-04-13 00:44:34 +02:00
Person
feat: add "Lid toevoegen als deelnemer" shortcut for org members
2026-04-14 18:38:53 +02:00
PersonFieldValue
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
PersonIdentity
feat: complete person identity matching system with fuzzy detection, revert, and manual link
2026-04-14 08:44:24 +02:00
PersonSectionPreference
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
PersonTag
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
RegistrationFieldTemplate
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
RegistrationFormField
security: A01-13 — nest all event routes under organisation prefix
2026-04-14 08:16:36 +02:00
Security
feat: complete email infrastructure with queue, templates, logging, and API
2026-04-15 20:12:21 +02:00
Shift
feat: fix time slot hierarchy — seeder, API include_children, frontend dropdown, navigation
2026-04-14 22:07:37 +02:00
TagSync
feat: registration form fields, section preferences, tag sync & schema updates
2026-04-12 22:10:16 +02:00
TimeSlot
feat: fix time slot hierarchy — seeder, API include_children, frontend dropdown, navigation
2026-04-14 22:07:37 +02:00
ExampleTest.php
refactor: align codebase with EventCrew domain and trim legacy band stack
2026-03-29 23:19:06 +02:00