bert.hausmans
513ca519b2
Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
56 lines
1.5 KiB
PHP
56 lines
1.5 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Feature\Auth;
|
|
|
|
use App\Models\User;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Tests\TestCase;
|
|
|
|
class LoginTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
public function test_user_can_login_with_valid_credentials(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'password',
|
|
]);
|
|
|
|
$response->assertOk()
|
|
->assertJsonStructure([
|
|
'success',
|
|
'data' => ['user' => ['id', 'first_name', 'last_name', 'full_name', 'email']],
|
|
'message',
|
|
])
|
|
->assertJson(['success' => true]);
|
|
|
|
// Token must NOT be in response body (set via httpOnly cookie)
|
|
$this->assertArrayNotHasKey('token', $response->json('data'));
|
|
}
|
|
|
|
public function test_login_fails_with_invalid_credentials(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'wrong-password',
|
|
]);
|
|
|
|
$response->assertUnauthorized();
|
|
}
|
|
|
|
public function test_login_requires_email_and_password(): void
|
|
{
|
|
$response = $this->postJson('/api/v1/auth/login', []);
|
|
|
|
$response->assertUnprocessable()
|
|
->assertJsonValidationErrors(['email', 'password']);
|
|
}
|
|
}
|