crewli/api/app/Http/Controllers/Api/V1/LoginController.php

<?php

declare(strict_types=1);

namespace App\Http\Controllers\Api\V1;

use App\Enums\MfaMethod;
use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
use App\Http\Controllers\Controller;
use App\Http\Requests\Api\V1\LoginRequest;
use App\Http\Resources\Api\V1\MeResource;
use App\Models\User;
use App\Services\MfaService;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

final class LoginController extends Controller
{
    use SetAuthCookie;

    public function __construct(
        private MfaService $mfaService,
    ) {}

    public function __invoke(LoginRequest $request): JsonResponse
    {
        if (! Auth::attempt($request->only('email', 'password'))) {
            Log::warning('Failed login attempt', [
                'email' => $request->validated('email'),
                'ip' => $request->ip(),
                'user_agent' => $request->userAgent(),
            ]);

            return $this->unauthorized('Invalid credentials');
        }

        $user = Auth::user();

        // MFA enabled and confirmed — check trusted device or require MFA
        if ($user->mfa_enabled && $user->mfa_confirmed_at) {
            $fingerprint = $request->header('X-Device-Fingerprint');
            if ($fingerprint && $this->mfaService->isDeviceTrusted($user, $fingerprint)) {
                return $this->issueToken($user, $request);
            }

            // MFA required — return session token instead of auth token
            Auth::guard('web')->logout();
            $mfaSession = $this->mfaService->createMfaSession($user, $request->ip());

            // Auto-send email code if email is the preferred method
            if ($user->mfa_method === MfaMethod::EMAIL->value) {
                try {
                    $this->mfaService->sendEmailCode($user);
                } catch (\DomainException) {
                    // Rate limited — code was already sent recently
                }
            }

            return response()->json([
                'success' => true,
                'mfa_required' => true,
                ...$mfaSession,
            ]);
        }

        // MFA required by policy but not yet set up — issue token with flag
        if ($this->mfaService->isMfaRequired($user) && ! $user->mfa_enabled) {
            $response = $this->issueToken($user, $request);
            $data = $response->getData(true);
            $data['mfa_setup_required'] = true;

            $cookieName = $this->resolveCookieName($request);
            $token = $user->createToken('auth-token')->plainTextToken;

            return response()->json($data)
                ->withCookie($this->makeAuthCookie($cookieName, $token));
        }

        // No MFA — issue token as normal
        return $this->issueToken($user, $request);
    }

    private function issueToken(User $user, LoginRequest $request): JsonResponse
    {
        $user->load([
            'organisations',
            'roles',
            'permissions',
            'persons' => fn ($q) => $q->with(['event:id,name,slug,start_date,end_date,organisation_id', 'event.organisation:id,name']),
        ]);

        $token = $user->createToken('auth-token')->plainTextToken;
        $cookieName = $this->resolveCookieName($request);

        return $this->success([
            'user' => new MeResource($user),
        ], 'Login successful')
            ->withCookie($this->makeAuthCookie($cookieName, $token));
    }
}