bert.hausmans
948687f27e
Three verification methods (TOTP authenticator, email code, backup codes), trusted device management with 30-day expiry, role-based enforcement for super_admin and org_admin, admin reset capability, and full test coverage (46 tests). Modifies login flow to support MFA challenge/response with temporary session tokens stored in cache. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
124 lines
3.0 KiB
PHP
124 lines
3.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Models;
|
|
|
|
use Illuminate\Database\Eloquent\Concerns\HasUlids;
|
|
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
|
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
|
|
use Illuminate\Database\Eloquent\Relations\HasMany;
|
|
use Illuminate\Database\Eloquent\SoftDeletes;
|
|
use Illuminate\Foundation\Auth\User as Authenticatable;
|
|
use Illuminate\Notifications\Notifiable;
|
|
use Laravel\Sanctum\HasApiTokens;
|
|
use Spatie\Permission\Traits\HasRoles;
|
|
|
|
final class User extends Authenticatable
|
|
{
|
|
use HasApiTokens;
|
|
use HasFactory;
|
|
use HasRoles;
|
|
use HasUlids;
|
|
use Notifiable;
|
|
use SoftDeletes;
|
|
|
|
protected $fillable = [
|
|
'first_name',
|
|
'last_name',
|
|
'date_of_birth',
|
|
'email',
|
|
'password',
|
|
'timezone',
|
|
'locale',
|
|
'avatar',
|
|
'mfa_enabled',
|
|
'mfa_method',
|
|
'mfa_secret',
|
|
'mfa_confirmed_at',
|
|
'mfa_enforced',
|
|
];
|
|
|
|
public function getFullNameAttribute(): string
|
|
{
|
|
return trim("{$this->first_name} {$this->last_name}");
|
|
}
|
|
|
|
public function getNameAttribute(): string
|
|
{
|
|
return $this->full_name;
|
|
}
|
|
|
|
protected $hidden = [
|
|
'password',
|
|
'remember_token',
|
|
'mfa_secret',
|
|
];
|
|
|
|
protected function casts(): array
|
|
{
|
|
return [
|
|
'date_of_birth' => 'date',
|
|
'email_verified_at' => 'datetime',
|
|
'password' => 'hashed',
|
|
'mfa_enabled' => 'boolean',
|
|
'mfa_confirmed_at' => 'datetime',
|
|
'mfa_enforced' => 'boolean',
|
|
];
|
|
}
|
|
|
|
public function organisations(): BelongsToMany
|
|
{
|
|
return $this->belongsToMany(Organisation::class, 'organisation_user')
|
|
->withPivot('role')
|
|
->withTimestamps();
|
|
}
|
|
|
|
public function events(): BelongsToMany
|
|
{
|
|
return $this->belongsToMany(Event::class, 'event_user_roles')
|
|
->withPivot('role')
|
|
->withTimestamps();
|
|
}
|
|
|
|
public function invitations(): HasMany
|
|
{
|
|
return $this->hasMany(UserInvitation::class, 'invited_by_user_id');
|
|
}
|
|
|
|
public function identityMatches(): HasMany
|
|
{
|
|
return $this->hasMany(PersonIdentityMatch::class, 'matched_user_id');
|
|
}
|
|
|
|
public function persons(): HasMany
|
|
{
|
|
return $this->hasMany(Person::class, 'user_id');
|
|
}
|
|
|
|
public function organisationTags(): HasMany
|
|
{
|
|
return $this->hasMany(UserOrganisationTag::class);
|
|
}
|
|
|
|
public function mfaBackupCodes(): HasMany
|
|
{
|
|
return $this->hasMany(MfaBackupCode::class);
|
|
}
|
|
|
|
public function mfaEmailCodes(): HasMany
|
|
{
|
|
return $this->hasMany(MfaEmailCode::class);
|
|
}
|
|
|
|
public function trustedDevices(): HasMany
|
|
{
|
|
return $this->hasMany(TrustedDevice::class);
|
|
}
|
|
|
|
public function tagsForOrganisation(string $organisationId): HasMany
|
|
{
|
|
return $this->organisationTags()->where('organisation_id', $organisationId);
|
|
}
|
|
}
|