bert.hausmans
52f6380ac0
Token generation: - Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy - Store SHA-256 hash in database, never plaintext tokens - Hash input before lookup on all token endpoints Invitation tokens: - InvitationService: generate crypto random, store hash, pass plain token transiently for email URL via UserInvitation::$plainToken - InvitationController show/accept: hash input before DB lookup - AcceptInvitationRequest: hash token before invitation lookup - Migration: widen user_invitations.token and artists.portal_token from char(26) to char(64) for SHA-256 hex digests Portal token auth: - PortalTokenController: remove Schema::hasTable() runtime checks, hash token before lookup, return shaped response via PortalEventResource instead of raw model data - Create PortalEventResource (name, dates, status only — no internals) - Handle missing production_requests table gracefully via try/catch Portal token middleware: - Implement full token validation: extract from Bearer header or ?token= query param, hash, look up in artists/production_requests, verify event exists and is not draft/closed, set portal context on request - Return generic 401 on any failure (no information leakage) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
88 lines
2.6 KiB
PHP
88 lines
2.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use App\Models\Event;
|
|
use App\Models\Scopes\OrganisationScope;
|
|
use Closure;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
final class PortalTokenMiddleware
|
|
{
|
|
public function handle(Request $request, Closure $next): Response
|
|
{
|
|
$plainToken = $this->extractToken($request);
|
|
|
|
if ($plainToken === null) {
|
|
return response()->json(['message' => 'Portal token required.'], 401);
|
|
}
|
|
|
|
$hashedToken = hash('sha256', $plainToken);
|
|
|
|
// Try artists table
|
|
$artist = DB::table('artists')->where('portal_token', $hashedToken)->first();
|
|
|
|
if ($artist) {
|
|
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($artist->event_id);
|
|
|
|
if (! $event || in_array($event->status, ['draft', 'closed'], true)) {
|
|
return response()->json(['message' => 'Portal token required.'], 401);
|
|
}
|
|
|
|
$request->merge([
|
|
'portal_context' => 'artist',
|
|
'portal_person' => $artist,
|
|
'portal_event' => $event,
|
|
]);
|
|
|
|
return $next($request);
|
|
}
|
|
|
|
// Try production_requests table (may not exist yet)
|
|
try {
|
|
$productionRequest = DB::table('production_requests')->where('token', $hashedToken)->first();
|
|
|
|
if ($productionRequest) {
|
|
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($productionRequest->event_id);
|
|
|
|
if (! $event || in_array($event->status, ['draft', 'closed'], true)) {
|
|
return response()->json(['message' => 'Portal token required.'], 401);
|
|
}
|
|
|
|
$request->merge([
|
|
'portal_context' => 'supplier',
|
|
'portal_person' => $productionRequest,
|
|
'portal_event' => $event,
|
|
]);
|
|
|
|
return $next($request);
|
|
}
|
|
} catch (\Illuminate\Database\QueryException) {
|
|
// Table doesn't exist yet — skip
|
|
}
|
|
|
|
return response()->json(['message' => 'Portal token required.'], 401);
|
|
}
|
|
|
|
private function extractToken(Request $request): ?string
|
|
{
|
|
// Check Authorization: Bearer header
|
|
$bearer = $request->bearerToken();
|
|
if ($bearer !== null && $bearer !== '') {
|
|
return $bearer;
|
|
}
|
|
|
|
// Check query parameter
|
|
$queryToken = $request->query('token');
|
|
if (is_string($queryToken) && $queryToken !== '') {
|
|
return $queryToken;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|