archetecture security fix

This commit is contained in:
root
2026-06-11 03:22:12 -04:00
parent 6def9993da
commit 9483750161
3126 changed files with 177194 additions and 37211 deletions
@@ -12,6 +12,7 @@ use App\Services\Auth\AuthSessionService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use PHPOpenSourceSaver\JWTAuth\Facades\JWTAuth;
/**
@@ -89,6 +90,11 @@ class AuthSessionController extends Controller
$ip = (string) $request->ip();
if ($this->security->isIpBlocked($ip)) {
Log::notice('session_login: ip blocked', [
'ip' => $ip,
'email' => $this->maskEmail($email),
]);
return response()->json([
'status' => false,
'message' => 'Too many failed attempts from your IP. Please try again later.',
@@ -99,6 +105,24 @@ class AuthSessionController extends Controller
if (! $user) {
$this->security->logIpAttempt($ip);
Log::notice('session_login: unknown email', [
'ip' => $ip,
'email' => $this->maskEmail($email),
]);
return response()->json([
'status' => false,
'message' => 'The email and password combination you entered is invalid. Please try again.',
], 401);
}
if (blank($user->password)) {
$this->security->logIpAttempt($ip);
Log::notice('session_login: password missing', [
'ip' => $ip,
'email' => $this->maskEmail($email),
'user_id' => (int) $user->id,
]);
return response()->json([
'status' => false,
@@ -107,6 +131,12 @@ class AuthSessionController extends Controller
}
if ($user->is_suspended) {
Log::notice('session_login: suspended account', [
'ip' => $ip,
'email' => $this->maskEmail($email),
'user_id' => (int) $user->id,
]);
return response()->json([
'status' => false,
'message' => 'Account suspended. Please check your email to reset your password.',
@@ -115,6 +145,12 @@ class AuthSessionController extends Controller
if (! verify_stored_password($password, (string) $user->password)) {
$this->security->handleFailedLogin($user, $email, $ip);
Log::notice('session_login: password mismatch', [
'ip' => $ip,
'email' => $this->maskEmail($email),
'user_id' => (int) $user->id,
'failed_attempts' => (int) ($user->fresh()?->failed_attempts ?? 0),
]);
return response()->json([
'status' => false,
@@ -124,6 +160,12 @@ class AuthSessionController extends Controller
$fresh = $user->fresh();
if (! $fresh) {
Log::warning('session_login: fresh user reload failed after successful verification', [
'ip' => $ip,
'email' => $this->maskEmail($email),
'user_id' => (int) $user->id,
]);
return response()->json([
'status' => false,
'message' => 'The email and password combination you entered is invalid. Please try again.',
@@ -151,6 +193,19 @@ class AuthSessionController extends Controller
]));
}
private function maskEmail(string $email): string
{
$email = trim(strtolower($email));
if ($email === '' || ! str_contains($email, '@')) {
return $email;
}
[$local, $domain] = explode('@', $email, 2);
$localPrefix = substr($local, 0, min(2, strlen($local)));
return $localPrefix . str_repeat('*', max(strlen($local) - strlen($localPrefix), 0)) . '@' . $domain;
}
/** Closes the current web session. */
public function logout(Request $request): JsonResponse
{