bert.hausmans
d5fb15e5fe
Adds the ability for users to change their preferred/primary MFA method when both TOTP and email are available. Backend: - Add PUT /auth/mfa/preferred-method endpoint with validation (method must be totp/email, MFA must be enabled, TOTP must be configured if selecting totp) - Add totp_configured and email_configured fields to MFA status endpoint (totp = has secret + enabled, email = always when enabled) - Fix setupEmail() to preserve mfa_secret so TOTP config survives when email is set up as a second method Frontend (organizer + portal): - Add useSetPreferredMethod() composable to useMfa.ts - Add totp_configured/email_configured to MfaStatus type - SecurityTab method cards now show "Primaire methode" chip on the preferred method and "Als primair instellen" button on the other - Portal security section shows per-method rows with status chips and primary switching Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
311 lines
17 KiB
PHP
311 lines
17 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Http\Controllers\Api\V1\CheckEmailController;
|
|
use App\Http\Controllers\Api\V1\CompanyController;
|
|
use App\Http\Controllers\Api\V1\EmailLogController;
|
|
use App\Http\Controllers\Api\V1\CrowdListController;
|
|
use App\Http\Controllers\Api\V1\CrowdTypeController;
|
|
use App\Http\Controllers\Api\V1\EventController;
|
|
use App\Http\Controllers\Api\V1\FestivalSectionController;
|
|
use App\Http\Controllers\Api\V1\InvitationController;
|
|
use App\Http\Controllers\Api\V1\LocationController;
|
|
use App\Http\Controllers\Api\V1\LoginController;
|
|
use App\Http\Controllers\Api\V1\LogoutController;
|
|
use App\Http\Controllers\Api\V1\MeController;
|
|
use App\Http\Controllers\Api\V1\MemberController;
|
|
use App\Http\Controllers\Api\V1\OrganisationController;
|
|
use App\Http\Controllers\Api\V1\OrganisationEmailSettingsController;
|
|
use App\Http\Controllers\Api\V1\OrganisationEmailTemplateController;
|
|
use App\Http\Controllers\Api\V1\PersonController;
|
|
use App\Http\Controllers\Api\V1\PersonFieldValueController;
|
|
use App\Http\Controllers\Api\V1\PersonIdentityMatchController;
|
|
use App\Http\Controllers\Api\V1\PersonSectionPreferenceController;
|
|
use App\Http\Controllers\Api\V1\PersonTagController;
|
|
use App\Http\Controllers\Api\V1\RegistrationFieldTemplateController;
|
|
use App\Http\Controllers\Api\V1\RegistrationFormFieldController;
|
|
use App\Http\Controllers\Api\V1\ShiftAssignmentController;
|
|
use App\Http\Controllers\Api\V1\ShiftController;
|
|
use App\Http\Controllers\Api\V1\TimeSlotController;
|
|
use App\Http\Controllers\Api\V1\VolunteerAvailabilityController;
|
|
use App\Http\Controllers\Api\V1\VolunteerRegistrationController;
|
|
use App\Http\Controllers\Api\V1\PublicRegistrationDataController;
|
|
use App\Http\Controllers\Api\V1\PortalTokenController;
|
|
use App\Http\Controllers\Api\V1\AccountController;
|
|
use App\Http\Controllers\Api\V1\AuthRefreshController;
|
|
use App\Http\Controllers\Api\V1\EmailChangeController;
|
|
use App\Http\Controllers\Api\V1\PasswordResetController;
|
|
use App\Http\Controllers\Api\V1\PortalMeController;
|
|
use App\Http\Controllers\Api\V1\Portal\PortalShiftController;
|
|
use App\Http\Controllers\Api\V1\UserOrganisationTagController;
|
|
use App\Http\Controllers\Api\V1\Admin\AdminOrganisationController;
|
|
use App\Http\Controllers\Api\V1\Admin\AdminUserController;
|
|
use App\Http\Controllers\Api\V1\Admin\AdminStatsController;
|
|
use App\Http\Controllers\Api\V1\Admin\AdminActivityLogController;
|
|
use App\Http\Controllers\Api\V1\Admin\AdminImpersonationController;
|
|
use App\Http\Controllers\Api\V1\Auth\MfaSetupController;
|
|
use App\Http\Controllers\Api\V1\Auth\MfaVerifyController;
|
|
use App\Http\Controllers\Api\V1\Auth\TrustedDeviceController;
|
|
use App\Models\FestivalSection;
|
|
use App\Models\Organisation;
|
|
use Illuminate\Support\Facades\Gate;
|
|
use Illuminate\Support\Facades\Route;
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| API Routes
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
| All routes are automatically prefixed with /api/v1
|
|
|
|
|
*/
|
|
|
|
// Health check
|
|
Route::get('/', fn () => response()->json([
|
|
'success' => true,
|
|
'message' => 'Crewli API v1',
|
|
'timestamp' => now()->toIso8601String(),
|
|
]));
|
|
|
|
// Public auth routes
|
|
Route::post('auth/login', LoginController::class)->middleware('throttle:5,1');
|
|
|
|
// MFA verification during login (NO auth middleware — uses session token)
|
|
Route::post('auth/mfa/verify', [MfaVerifyController::class, 'verify'])->middleware('throttle:10,1');
|
|
Route::post('auth/mfa/email/send', [MfaVerifyController::class, 'sendEmailCode'])->middleware('throttle:5,1');
|
|
|
|
// Public invitation routes (no auth required)
|
|
Route::get('invitations/{token}', [InvitationController::class, 'show'])->middleware('throttle:10,1');
|
|
Route::post('invitations/{token}/accept', [InvitationController::class, 'accept'])->middleware('throttle:10,1');
|
|
|
|
// Password reset
|
|
Route::post('auth/forgot-password', [PasswordResetController::class, 'sendResetLink'])
|
|
->middleware('throttle:5,1');
|
|
Route::post('auth/reset-password', [PasswordResetController::class, 'resetPassword']);
|
|
|
|
// Email change verification (public — token from email link)
|
|
Route::post('verify-email-change', [EmailChangeController::class, 'verify']);
|
|
|
|
// Public portal routes
|
|
Route::get('public/events/{slug}/registration-data', PublicRegistrationDataController::class);
|
|
Route::post('public/check-email', CheckEmailController::class)->middleware('throttle:10,1');
|
|
Route::post('events/{event}/volunteer-register', VolunteerRegistrationController::class)->middleware('throttle:5,1');
|
|
Route::post('portal/token-auth', [PortalTokenController::class, 'auth'])->middleware('throttle:10,1');
|
|
|
|
// Platform Admin routes
|
|
Route::prefix('admin')
|
|
->middleware(['auth:sanctum', 'role:super_admin'])
|
|
->name('admin.')
|
|
->group(function () {
|
|
// Organisations
|
|
Route::apiResource('organisations', AdminOrganisationController::class);
|
|
Route::post('organisations/{organisation}/invite', [AdminOrganisationController::class, 'invite']);
|
|
Route::put('organisations/{organisation}/members/{user}', [AdminOrganisationController::class, 'updateMemberRole']);
|
|
Route::delete('organisations/{organisation}/members/{user}', [AdminOrganisationController::class, 'removeMember']);
|
|
|
|
// Users
|
|
Route::apiResource('users', AdminUserController::class)
|
|
->except(['store']);
|
|
Route::post('users/{user}/reset-mfa', [AdminUserController::class, 'resetMfa']);
|
|
|
|
// Platform statistics
|
|
Route::get('stats', [AdminStatsController::class, 'index']);
|
|
|
|
// Activity log
|
|
Route::get('activity-log', [AdminActivityLogController::class, 'index']);
|
|
|
|
// Impersonation (start)
|
|
Route::post('impersonate/{user}', [AdminImpersonationController::class, 'start']);
|
|
});
|
|
|
|
// Protected routes
|
|
Route::middleware('auth:sanctum')->group(function () {
|
|
// Impersonation (stop — accessible by impersonated user, not just super_admin)
|
|
Route::post('admin/stop-impersonation', [AdminImpersonationController::class, 'stop']);
|
|
|
|
// Auth
|
|
Route::get('auth/me', MeController::class);
|
|
Route::post('auth/logout', LogoutController::class);
|
|
Route::post('auth/refresh', AuthRefreshController::class);
|
|
|
|
// MFA setup and management (authenticated)
|
|
Route::post('auth/mfa/setup/totp', [MfaSetupController::class, 'setupTotp']);
|
|
Route::post('auth/mfa/setup/totp/confirm', [MfaSetupController::class, 'confirmTotp']);
|
|
Route::post('auth/mfa/setup/email', [MfaSetupController::class, 'setupEmail']);
|
|
Route::post('auth/mfa/setup/email/confirm', [MfaSetupController::class, 'confirmEmail']);
|
|
Route::post('auth/mfa/disable', [MfaSetupController::class, 'disable']);
|
|
Route::post('auth/mfa/backup-codes', [MfaSetupController::class, 'regenerateBackupCodes']);
|
|
Route::get('auth/mfa/status', [MfaSetupController::class, 'status']);
|
|
Route::put('auth/mfa/preferred-method', [MfaSetupController::class, 'setPreferredMethod']);
|
|
|
|
// Trusted devices
|
|
Route::get('auth/trusted-devices', [TrustedDeviceController::class, 'index']);
|
|
Route::delete('auth/trusted-devices/{device}', [TrustedDeviceController::class, 'destroy']);
|
|
Route::delete('auth/trusted-devices', [TrustedDeviceController::class, 'destroyAll']);
|
|
|
|
// Account management (self-service)
|
|
Route::put('me/profile', [AccountController::class, 'updateProfile']);
|
|
Route::post('me/change-password', [AccountController::class, 'changePassword']);
|
|
Route::post('me/change-email', [EmailChangeController::class, 'request']);
|
|
|
|
// Portal (authenticated)
|
|
Route::get('portal/me', [PortalMeController::class, 'index']);
|
|
Route::put('portal/profile', [PortalMeController::class, 'updateProfile']);
|
|
Route::put('portal/password', [PortalMeController::class, 'updatePassword']);
|
|
Route::get('portal/my-shifts', [PortalShiftController::class, 'allMyShifts']);
|
|
Route::get('portal/events/{event}/available-shifts', [PortalShiftController::class, 'availableShifts']);
|
|
Route::get('portal/events/{event}/my-shifts', [PortalShiftController::class, 'myShifts']);
|
|
Route::post('portal/events/{event}/shifts/{shift}/claim', [PortalShiftController::class, 'claim']);
|
|
Route::post('portal/events/{event}/assignments/{shiftAssignment}/cancel', [PortalShiftController::class, 'cancel']);
|
|
|
|
// Organisations
|
|
Route::apiResource('organisations', OrganisationController::class)
|
|
->only(['index', 'show', 'store', 'update']);
|
|
|
|
// Events (nested under organisations)
|
|
Route::apiResource('organisations.events', EventController::class)
|
|
->only(['index', 'show', 'store', 'update', 'destroy']);
|
|
Route::get('organisations/{organisation}/events/{event}/children', [EventController::class, 'children']);
|
|
Route::post('organisations/{organisation}/events/{event}/transition', [EventController::class, 'transition']);
|
|
Route::post('organisations/{organisation}/events/{event}/upload-image', [EventController::class, 'uploadImage']);
|
|
|
|
// Organisation-scoped resources
|
|
Route::prefix('organisations/{organisation}')->group(function () {
|
|
Route::apiResource('crowd-types', CrowdTypeController::class)
|
|
->except(['show']);
|
|
Route::apiResource('companies', CompanyController::class);
|
|
|
|
// Section categories (autocomplete)
|
|
Route::get('section-categories', function (Organisation $organisation) {
|
|
Gate::authorize('view', $organisation);
|
|
|
|
$categories = FestivalSection::query()
|
|
->whereIn('event_id', $organisation->events()->select('id'))
|
|
->whereNotNull('category')
|
|
->distinct()
|
|
->orderBy('category')
|
|
->pluck('category');
|
|
|
|
return response()->json(['data' => $categories]);
|
|
});
|
|
|
|
// Email settings & templates
|
|
Route::get('email-settings', [OrganisationEmailSettingsController::class, 'show']);
|
|
Route::put('email-settings', [OrganisationEmailSettingsController::class, 'update']);
|
|
|
|
Route::get('email-templates', [OrganisationEmailTemplateController::class, 'index']);
|
|
Route::get('email-templates/{type}', [OrganisationEmailTemplateController::class, 'show']);
|
|
Route::put('email-templates/{type}', [OrganisationEmailTemplateController::class, 'update']);
|
|
Route::delete('email-templates/{type}', [OrganisationEmailTemplateController::class, 'destroy']);
|
|
Route::post('email-templates/{type}/preview', [OrganisationEmailTemplateController::class, 'preview']);
|
|
Route::post('email-templates/{type}/send-test', [OrganisationEmailTemplateController::class, 'sendTest']);
|
|
|
|
// Email logs (read-only)
|
|
Route::get('email-logs', [EmailLogController::class, 'index']);
|
|
|
|
// Person tags (organisation settings)
|
|
Route::apiResource('person-tags', PersonTagController::class)
|
|
->except(['show']);
|
|
Route::get('person-tag-categories', [PersonTagController::class, 'categories']);
|
|
|
|
// Registration field templates (organisation settings)
|
|
Route::apiResource('registration-field-templates', RegistrationFieldTemplateController::class)
|
|
->except(['show']);
|
|
|
|
// User tag assignments
|
|
Route::get('users/{user}/tags', [UserOrganisationTagController::class, 'index']);
|
|
Route::post('users/{user}/tags', [UserOrganisationTagController::class, 'store']);
|
|
Route::put('users/{user}/tags/sync', [UserOrganisationTagController::class, 'sync']);
|
|
Route::delete('users/{user}/tags/{userOrganisationTag}', [UserOrganisationTagController::class, 'destroy']);
|
|
|
|
// Identity matches
|
|
Route::get('identity-matches', [PersonIdentityMatchController::class, 'index']);
|
|
Route::get('persons/{person}/identity-match', [PersonIdentityMatchController::class, 'showForPerson']);
|
|
Route::post('identity-matches/{personIdentityMatch}/confirm', [PersonIdentityMatchController::class, 'confirm']);
|
|
Route::post('identity-matches/{personIdentityMatch}/dismiss', [PersonIdentityMatchController::class, 'dismiss']);
|
|
Route::post('identity-matches/{personIdentityMatch}/revert', [PersonIdentityMatchController::class, 'revert']);
|
|
Route::post('identity-matches/bulk-confirm', [PersonIdentityMatchController::class, 'bulkConfirm']);
|
|
|
|
// Invitations & Members
|
|
Route::post('invite', [InvitationController::class, 'invite']);
|
|
Route::delete('invitations/{invitation}', [InvitationController::class, 'revoke']);
|
|
Route::get('members', [MemberController::class, 'index']);
|
|
Route::put('members/{user}', [MemberController::class, 'update']);
|
|
Route::delete('members/{user}', [MemberController::class, 'destroy']);
|
|
Route::post('members/{user}/change-email', [MemberController::class, 'changeEmail']);
|
|
Route::get('members/available-for-event/{event}', [MemberController::class, 'availableForEvent']);
|
|
|
|
// Event sub-resources (all nested under organisation prefix — A01-13)
|
|
Route::prefix('events/{event}')->group(function () {
|
|
// Stats
|
|
Route::get('stats', [EventController::class, 'stats']);
|
|
|
|
// Locations
|
|
Route::apiResource('locations', LocationController::class)
|
|
->except(['show']);
|
|
|
|
// Festival sections
|
|
Route::get('sections/registration-settings', [FestivalSectionController::class, 'registrationSettings']);
|
|
Route::put('sections/registration-settings', [FestivalSectionController::class, 'updateRegistrationSettings']);
|
|
Route::apiResource('sections', FestivalSectionController::class)
|
|
->except(['show']);
|
|
Route::post('sections/reorder', [FestivalSectionController::class, 'reorder']);
|
|
|
|
// Time slots
|
|
Route::apiResource('time-slots', TimeSlotController::class)
|
|
->except(['show']);
|
|
|
|
// Shifts nested under sections
|
|
Route::prefix('sections/{section}')->group(function () {
|
|
Route::apiResource('shifts', ShiftController::class)
|
|
->except(['show']);
|
|
Route::post('shifts/{shift}/assign', [ShiftController::class, 'assign']);
|
|
Route::post('shifts/{shift}/claim', [ShiftController::class, 'claim']);
|
|
});
|
|
|
|
// Shift assignments (event-level)
|
|
Route::get('shift-assignments', [ShiftAssignmentController::class, 'index']);
|
|
Route::get('shifts/{shift}/assignable-persons', [ShiftAssignmentController::class, 'assignablePersons']);
|
|
Route::post('shift-assignments/{shiftAssignment}/approve', [ShiftAssignmentController::class, 'approve']);
|
|
Route::post('shift-assignments/{shiftAssignment}/reject', [ShiftAssignmentController::class, 'reject']);
|
|
Route::post('shift-assignments/{shiftAssignment}/cancel', [ShiftAssignmentController::class, 'cancel']);
|
|
Route::post('shift-assignments/bulk-approve', [ShiftAssignmentController::class, 'bulkApprove']);
|
|
|
|
// Persons
|
|
Route::apiResource('persons', PersonController::class);
|
|
Route::post('persons/from-member', [PersonController::class, 'createFromMember']);
|
|
Route::post('persons/{person}/approve', [PersonController::class, 'approve']);
|
|
Route::post('persons/{person}/reject', [PersonController::class, 'reject']);
|
|
Route::post('persons/{person}/manual-link', [PersonIdentityMatchController::class, 'manualLink']);
|
|
Route::post('persons/{person}/unlink', [PersonIdentityMatchController::class, 'unlink']);
|
|
|
|
// Volunteer availabilities
|
|
Route::get('persons/{person}/availabilities', [VolunteerAvailabilityController::class, 'index']);
|
|
Route::post('persons/{person}/availabilities/sync', [VolunteerAvailabilityController::class, 'sync']);
|
|
|
|
// Person field values
|
|
Route::get('persons/{person}/field-values', [PersonFieldValueController::class, 'index']);
|
|
Route::put('persons/{person}/field-values', [PersonFieldValueController::class, 'upsert']);
|
|
|
|
// Person section preferences
|
|
Route::get('persons/{person}/section-preferences', [PersonSectionPreferenceController::class, 'index']);
|
|
Route::put('persons/{person}/section-preferences', [PersonSectionPreferenceController::class, 'replace']);
|
|
|
|
// Registration form fields (event settings)
|
|
Route::apiResource('registration-fields', RegistrationFormFieldController::class)
|
|
->except(['show']);
|
|
Route::post('registration-fields/reorder', [RegistrationFormFieldController::class, 'reorder']);
|
|
Route::post('registration-fields/from-template', [RegistrationFormFieldController::class, 'fromTemplate']);
|
|
Route::post('registration-fields/import-from-event', [RegistrationFormFieldController::class, 'importFromEvent']);
|
|
|
|
// Crowd lists
|
|
Route::apiResource('crowd-lists', CrowdListController::class)
|
|
->except(['show']);
|
|
Route::get('crowd-lists/{crowdList}/persons', [CrowdListController::class, 'persons']);
|
|
Route::post('crowd-lists/{crowdList}/persons', [CrowdListController::class, 'addPerson']);
|
|
Route::delete('crowd-lists/{crowdList}/persons/{person}', [CrowdListController::class, 'removePerson']);
|
|
});
|
|
});
|
|
});
|