bert.hausmans
513ca519b2
Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Admin Dashboard
This folder will contain the Admin SPA using Vuexy Vue.
Setup
- Copy Vuexy Vue full-version (TypeScript) here:
cp -r /path/to/vuexy/typescript-version/full-version/* .
- Install dependencies:
pnpm install
- Create
.env.local:
VITE_API_URL=http://localhost:8000/api/v1
VITE_APP_NAME="Crewli Admin"
- Start development:
pnpm dev
Port
Runs on http://localhost:5173 (Vite default).
Production: point VITE_API_URL at your API, e.g. https://api.crewli.app/api/v1, with DNS/TLS for admin.crewli.app (and matching Laravel FRONTEND_ADMIN_URL / CORS / Sanctum settings — see repo README.md and api/.env.example).