Backend PR-1: Sanctum SPA Configuration & CORS Setup #209

@kevalyq

📦 Sub-Issue of Epic #208

Part of: #208 (httpOnly Cookie Authentication Migration)
Priority: High
Area: Backend, Authentication, Security
Repository: api

Goal

Configure Laravel Sanctum for SPA authentication mode and set up CORS to allow credential-based requests from the frontend domain.

Acceptance Criteria

  • config/sanctum.php configured with SANCTUM_STATEFUL_DOMAINS
  • .env.example updated with required Sanctum variables
  • config/cors.php allows credentials (supports_credentials: true)
  • CORS configuration allows frontend domain (localhost:5173 for dev, secpal.app for prod)
  • API routes use auth:sanctum middleware
  • Tests verify Sanctum middleware works
  • PHPStan passes
  • Pint passes
  • All existing tests pass

Implementation Details

Files to modify:

  • config/sanctum.php
  • config/cors.php
  • .env.example
  • routes/api.php (verify middleware)

Environment variables:

SANCTUM_STATEFUL_DOMAINS=localhost:5173,secpal.app,www.secpal.app
SESSION_DOMAIN=localhost
SESSION_SECURE_COOKIE=false  # true in production

CORS Configuration:

// config/cors.php
'supports_credentials' => true,
'allowed_origins' => [
    'http://localhost:5173',
    'https://secpal.app',
    'https://www.secpal.app',
],

Dependencies

  • Blocks: Frontend PR-1 (Frontend needs backend configured first)
  • Depends on: None (first step)

Testing

ddev exec php artisan test --filter=Auth
ddev exec vendor/bin/phpstan analyze
ddev exec vendor/bin/pint --test --dirty
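A feature test that exercises the acceptance criteria above (auth:sanctum rejects anonymous requests, accepts a Sanctum-authenticated user, and the CORS layer answers a credentialed preflight only for a listed origin). This is an added example, not code from the api repository; it assumes the standard Laravel layout (App\Models\User with a factory, a GET /api/user route behind auth:sanctum) and the origins listed in this issue.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class SanctumAuthConfigTest extends TestCase
{
    use RefreshDatabase;

    // Assumed: routes/api.php exposes GET /api/user behind the auth:sanctum middleware.
    private string $protectedRoute = '/api/user';

    public function test_protected_route_rejects_unauthenticated_requests(): void
    {
        $this->getJson($this->protectedRoute)->assertUnauthorized();
    }

    public function test_protected_route_accepts_sanctum_authenticated_user(): void
    {
        Sanctum::actingAs(User::factory()->create());

        $this->getJson($this->protectedRoute)->assertOk();
    }

    public function test_preflight_from_allowed_origin_permits_credentials(): void
    {
        // Browser-style preflight: OPTIONS carrying Origin and Access-Control-Request-Method.
        $response = $this->withHeaders([
            'Origin' => 'http://localhost:5173',
            'Access-Control-Request-Method' => 'GET',
        ])->options($this->protectedRoute);

        // With supports_credentials => true, the origin must be echoed back verbatim (never "*").
        $response->assertHeader('Access-Control-Allow-Origin', 'http://localhost:5173')
                 ->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    public function test_preflight_from_unlisted_origin_gets_no_cors_headers(): void
    {
        // Constructed origin that is not in allowed_origins.
        $response = $this->withHeaders([
            'Origin' => 'https://not-allowed.example',
            'Access-Control-Request-Method' => 'GET',
        ])->options($this->protectedRoute);

        $response->assertHeaderMissing('Access-Control-Allow-Origin')
                 ->assertHeaderMissing('Access-Control-Allow-Credentials');
    }
}
```

The class name contains "Auth" so `php artisan test --filter=Auth` from the Testing section picks it up.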

References
