
feat: api for mobile app#8

Merged
jakub-przepiora merged 4 commits into main from mobile-api on Apr 28, 2026

Conversation

@Svannte (Collaborator) commented Apr 27, 2026

Summary

api for mobile app

Type of change

  • Bug fix
  • [x] New feature
  • Refactor / cleanup
  • Documentation
  • Other:

Related issue

Closes #

Testing

  • Tested manually in browser
  • [x] php artisan test passes
  • Tested as Operator / Supervisor / Admin role (if UI change)

Checklist

  • No .env secrets committed
  • Migration added if schema changed
  • $fillable updated if new model columns added
  • No raw SQL with user input (use Eloquent / Query Builder)
  • CSRF protection in place for any new forms
  • composer audit clean

@Svannte (Collaborator, Author) commented Apr 28, 2026

@coderabbitai review

- C1: Add MIME type whitelist to file uploads (prevent RCE)
- C2: Whitelist entity_type in AttachmentController (prevent IDOR)
- H1-H3: Add authorize('viewAny') to 13 index methods
- H4: Validate system setting values by type
- H5: Add Admin/Supervisor auth to SystemController::schedule()
- H6: Hide MQTT password_encrypted via $hidden on model
- H7: Enforce password confirmation + strength rules on reset
- M1: Rate limit password reset endpoint (throttle:5,1)
- M3: Restrict assignable roles to known whitelist
- M5: Add line-scoped access check for Packaging scan (Operator)
- M6: Fix postgres volume path (restore /data suffix)
- M7: Fix postgres image version (18 → 17-alpine)
- Fix AuditLogTest/ReportTest missing role seeder
- Fix UserApiTest password_confirmation for new rules
@jakub-przepiora (Contributor) commented:

Security Review — Summary

Reviewed 90 files (7319 additions). Found 2 CRITICAL, 7 HIGH, 7 MEDIUM issues.

All issues fixed in commit 1a5857a.

Critical (fixed)

  • C1: File upload accepted any MIME type (RCE risk) → added whitelist
  • C2: entity_type in attachments accepted arbitrary strings (IDOR) → whitelisted to work_order, issue, batch, maintenance_event

High (fixed)

  • H1-H3: 13 index() methods missing authorize() → added viewAny checks
  • H4: updateSetting accepted any value → validates known settings by type
  • H5: schedule() accessible to all users → restricted to Admin/Supervisor
  • H6: MQTT password exposed in API response → $hidden on model
  • H7: Password reset without confirmation or strength rules → confirmed + min(8)->mixedCase()->numbers()

Medium (fixed)

  • M1: No rate limit on password reset → throttle:5,1
  • M3: Any role could be assigned via API → whitelist Operator/Supervisor/Admin
  • M5: Packaging scan not line-scoped for Operators → added access check
  • M6: Docker postgres volume path changed (data loss risk) → reverted
  • M7: Postgres 18 doesn't exist stable → changed to 17-alpine

Pre-existing (not in scope)

  • PackagingServiceProvider not loadable in test env (13 test failures)
  • test_admin_can_list_modules expects Packaging module present

Tests: 529/529 pass (excl. pre-existing Packaging module issue)
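The validation and authorization fixes summarised above (C1, C2, H7, M1, M3 and H1-H3) as one added illustration in Laravel. This is example code written for this page, not code from the PR or the project: the class names StoreAttachmentRequest, ResetPasswordRequest, UpdateUserRoleRequest and WorkOrderController, the WorkOrder model, the PasswordController route target and the concrete MIME list are assumptions; the entity_type values, the role whitelist, the password rule chain and the throttle setting are the ones stated in the review summary. The hasRole() call assumes the spatie/laravel-permission package that the guard_name/seeder commits suggest.

```php
<?php
// Added example, not code from this PR. Class, model and route names are
// assumptions; the whitelisted values and rules are those listed in the review.

namespace App\Http\Requests {

    use Illuminate\Foundation\Http\FormRequest;
    use Illuminate\Validation\Rule;
    use Illuminate\Validation\Rules\Password;

    // C1 + C2: attachment upload request.
    class StoreAttachmentRequest extends FormRequest
    {
        // Entity types from the review summary (C2). Any other value is rejected
        // before the controller runs, so a client cannot point the attachment at
        // an arbitrary model or table.
        private const ENTITY_TYPES = ['work_order', 'issue', 'batch', 'maintenance_event'];

        public function authorize(): bool
        {
            return $this->user() !== null;
        }

        public function rules(): array
        {
            return [
                'entity_type' => ['required', 'string', Rule::in(self::ENTITY_TYPES)],
                'entity_id'   => ['required', 'integer', 'min:1'],
                // C1: allow-list by detected MIME type (assumed list; the PR's
                // exact list is not shown on the page). 'mimetypes' inspects the
                // file content, not the client-supplied extension or Content-Type.
                'file' => ['required', 'file', 'max:10240',
                           'mimetypes:application/pdf,image/jpeg,image/png'],
            ];
        }
    }

    // H7: a password reset must be confirmed and meet the strength rules.
    class ResetPasswordRequest extends FormRequest
    {
        public function authorize(): bool
        {
            // Who may call the reset endpoint is decided by route middleware.
            return true;
        }

        public function rules(): array
        {
            return [
                // 'confirmed' requires a matching password_confirmation field;
                // the Password rule chain is the one named in H7.
                'password' => ['required', 'confirmed',
                               Password::min(8)->mixedCase()->numbers()],
            ];
        }
    }

    // M3: only known roles may be assigned through the API.
    class UpdateUserRoleRequest extends FormRequest
    {
        private const ROLES = ['Operator', 'Supervisor', 'Admin'];

        public function authorize(): bool
        {
            // Assumed: role assignment is an Admin-only action.
            return $this->user()?->hasRole('Admin') ?? false;
        }

        public function rules(): array
        {
            return ['role' => ['required', 'string', Rule::in(self::ROLES)]];
        }
    }
}

namespace App\Http\Controllers\Api {

    use App\Models\WorkOrder; // assumed model name
    use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
    use Illuminate\Routing\Controller;

    // H1-H3: every index() asks the policy's viewAny before listing anything.
    class WorkOrderController extends Controller
    {
        use AuthorizesRequests;

        public function index()
        {
            $this->authorize('viewAny', WorkOrder::class);

            return WorkOrder::query()->paginate();
        }
    }
}

// M1, in routes/api.php (fragment): at most 5 reset attempts per minute per client.
// Route::post('/password/reset', [PasswordController::class, 'reset'])
//     ->middleware('throttle:5,1');
```

The FormRequest classes reject bad input with a 422 before any controller code runs, which is why each whitelist lives there rather than in the controller body; the viewAny check stays in the controller because it needs the policy, not the request payload.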

- Remove hardcoded guard_name='sanctum' from User model
- Change all roles/permissions to guard 'web' (seeder + migration)
- Add 'pin' to User $hidden (was leaking hashed PIN in API responses)
- Update scramble to ^0.12.36 with lock file
- Fix test guard_name references (sanctum→web)
jakub-przepiora merged commit c96a7d3 into main Apr 28, 2026
1 check failed