fix api security issues and update pages issue

This commit is contained in:
root
2026-06-04 16:41:19 -04:00
parent feb6be0610
commit 5e5fe3794a
32 changed files with 1628 additions and 37 deletions
+13 -8
View File
@@ -126,8 +126,8 @@ use App\Http\Controllers\Api\Staff\TimeOffNotificationController;
use App\Http\Controllers\Api\System\AccessDeniedController;
use App\Http\Controllers\Api\Certificates\CertificateController;
// Public auth aliases without the `/v1` prefix.
Route::post('login', [AuthController::class, 'login']);
Route::post('register', [RegisterController::class, 'store']);
Route::post('login', [AuthController::class, 'login'])->middleware('throttle:10,1');
Route::post('register', [RegisterController::class, 'store'])->middleware('throttle:5,1');
/*
| LanguageTool proxy for legacy and current clients.
@@ -160,12 +160,15 @@ Route::prefix('winners/competitions')->group(function () {
});
Route::get('confirm_authorized_user', [AuthorizedUserInviteController::class, 'confirm'])
->middleware('throttle:20,1')
->name('api.invite.confirm');
Route::get('set_authorized_user_password/{authorizedUserId}', [AuthorizedUserInviteController::class, 'setPasswordForm'])
->whereNumber('authorizedUserId')
->middleware('throttle:20,1')
->name('api.invite.set-password-form');
Route::post('set_authorized_user_password/{authorizedUserId}', [AuthorizedUserInviteController::class, 'savePassword'])
->whereNumber('authorizedUserId')
->middleware('throttle:10,1')
->name('api.invite.set-password');
/*
@@ -184,13 +187,13 @@ Route::permanentRedirect('administrator/attendance-templates', '/api/v1/administ
Route::prefix('v1')->group(function () {
// Public auth aliases without the `/auth` prefix.
Route::post('login', [AuthController::class, 'login']);
Route::post('register', [RegisterController::class, 'store']);
Route::post('login', [AuthController::class, 'login'])->middleware('throttle:10,1');
Route::post('register', [RegisterController::class, 'store'])->middleware('throttle:5,1');
Route::prefix('auth')->group(function () {
Route::get('register/captcha', [RegisterController::class, 'captcha']);
Route::post('register', [RegisterController::class, 'store']);
Route::post('login', [AuthController::class, 'login']);
Route::get('register/captcha', [RegisterController::class, 'captcha'])->middleware('throttle:30,1');
Route::post('register', [RegisterController::class, 'store'])->middleware('throttle:5,1');
Route::post('login', [AuthController::class, 'login'])->middleware('throttle:10,1');
Route::post('refresh', [AuthController::class, 'refresh'])->middleware('jwt.auth');
Route::post('logout', [AuthController::class, 'logout'])->middleware('auth:api');
Route::get('me', [AuthController::class, 'me'])->middleware('auth:api');
@@ -208,7 +211,7 @@ Route::prefix('v1')->group(function () {
Route::post('contact', [PageController::class, 'submitContact']);
});
Route::post('contact', [SupportContactController::class, 'send']);
Route::post('contact', [SupportContactController::class, 'send'])->middleware('throttle:5,1');
/*
| Badge scan kiosk (public, throttled). Logs: authenticated staff.
@@ -1151,6 +1154,8 @@ Route::prefix('v1')->group(function () {
Route::prefix('grading')->group(function () {
Route::get('overview', [GradingApiController::class, 'overview']);
Route::get('decisions', [GradingApiController::class, 'allDecisions']);
Route::post('decisions/generate', [GradingApiController::class, 'generateAllDecisions']);
Route::get('scores/{type}/{classSectionId}/{studentId}', [GradingApiController::class, 'show']);
Route::put('scores', [GradingApiController::class, 'update']);