bert.hausmans
513ca519b2
Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
69 lines
1.7 KiB
Plaintext
69 lines
1.7 KiB
Plaintext
APP_NAME="Crewli"
|
|
APP_ENV=local
|
|
APP_KEY=
|
|
# Set to true only in local development
|
|
APP_DEBUG=false
|
|
# Local API origin (no path suffix). Production: https://api.crewli.app
|
|
APP_URL=http://localhost:8000
|
|
|
|
APP_LOCALE=en
|
|
APP_FALLBACK_LOCALE=en
|
|
APP_FAKER_LOCALE=en_US
|
|
|
|
APP_MAINTENANCE_DRIVER=file
|
|
|
|
BCRYPT_ROUNDS=12
|
|
|
|
LOG_CHANNEL=stack
|
|
LOG_STACK=single
|
|
LOG_DEPRECATIONS_CHANNEL=null
|
|
LOG_LEVEL=debug
|
|
|
|
DB_CONNECTION=mysql
|
|
DB_HOST=127.0.0.1
|
|
DB_PORT=3306
|
|
DB_DATABASE=crewli
|
|
DB_USERNAME=crewli
|
|
DB_PASSWORD=secret
|
|
|
|
SESSION_DRIVER=database
|
|
SESSION_LIFETIME=120
|
|
SESSION_ENCRYPT=false
|
|
SESSION_PATH=/
|
|
# In production, use: SESSION_DOMAIN=.crewli.app
|
|
SESSION_DOMAIN=localhost
|
|
|
|
BROADCAST_CONNECTION=log
|
|
FILESYSTEM_DISK=local
|
|
QUEUE_CONNECTION=database
|
|
|
|
CACHE_STORE=redis
|
|
|
|
REDIS_CLIENT=phpredis
|
|
REDIS_HOST=127.0.0.1
|
|
REDIS_PASSWORD=null
|
|
REDIS_PORT=6379
|
|
|
|
MAIL_MAILER=smtp
|
|
MAIL_HOST=127.0.0.1
|
|
MAIL_PORT=1025
|
|
MAIL_USERNAME=null
|
|
MAIL_PASSWORD=null
|
|
MAIL_ENCRYPTION=null
|
|
# App / transactional mail: use crewli.app. (crewli.nl = future marketing site only, not this stack.)
|
|
MAIL_FROM_ADDRESS="noreply@crewli.app"
|
|
MAIL_FROM_NAME="${APP_NAME}"
|
|
|
|
# CORS + Sanctum — SPA origins (no trailing slash; must match the browser URL)
|
|
FRONTEND_ADMIN_URL=http://localhost:5173
|
|
FRONTEND_APP_URL=http://localhost:5174
|
|
FRONTEND_PORTAL_URL=http://localhost:5175
|
|
SANCTUM_STATEFUL_DOMAINS=localhost:5173,localhost:5174,localhost:5175
|
|
|
|
# --- Production (crewli.app) — uncomment and adjust hostnames if you use this layout:
|
|
# APP_URL=https://api.crewli.app
|
|
# FRONTEND_ADMIN_URL=https://admin.crewli.app
|
|
# FRONTEND_APP_URL=https://app.crewli.app
|
|
# FRONTEND_PORTAL_URL=https://portal.crewli.app
|
|
# SANCTUM_STATEFUL_DOMAINS=admin.crewli.app,app.crewli.app,portal.crewli.app
|