Phase 3: Secret Sharing & Access Control (RBAC Integration) #185
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements full REST API for password manager Secret CRUD and Sharing functionality.
## Secret CRUD API (5 endpoints)
- GET /v1/secrets - List user's secrets with pagination
- POST /v1/secrets - Create secret with encrypted fields
- GET /v1/secrets/{id} - View secret details
- PATCH /v1/secrets/{id} - Update secret with version increment
- DELETE /v1/secrets/{id} - Soft delete secret
## Secret Sharing API (3 endpoints)
- POST /v1/secrets/{id}/shares - Grant read/write/admin access
- GET /v1/secrets/{id}/shares - List all shares
- DELETE /v1/secrets/{id}/shares/{shareId} - Revoke access
## Implementation Details
- XOR constraint: share with user OR role (not both)
- Permission hierarchy: admin > write > read
- Optional expiration dates for time-limited access
- Owner-based authorization via SecretPolicy and SecretSharePolicy
- Validation via StoreSecretRequest, UpdateSecretRequest, GrantShareRequest
- Automatic version incrementing on updates
## Test Coverage
- 17 SecretController tests (all passing)
- 18 SecretShareController tests (all passing)
- Total: 390 tests passing (107 Secret-related)
## Known Issues
- PHPStan: 14 type warnings in SecretController (tracked in #184)
- Tenant resolution uses temporary TenantKey::first() pattern (TODO: TenantMiddleware)
## Breaking Changes
None - all new functionality
Closes #182
Related: #184 (non-blocking PHPStan warnings)
kevalyq
added
the
large-pr-approved
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR implements the Secret CRUD and Sharing REST API endpoints (Phase 3), adding full password manager functionality with role-based access control. The implementation includes 8 new API endpoints for creating, reading, updating, deleting, and sharing secrets, with comprehensive validation and authorization.
Key changes:
- Secret CRUD API with 5 endpoints supporting encrypted storage, pagination, and soft deletes
- Secret Sharing API with 3 endpoints for granting/revoking access with XOR constraint enforcement
- Authorization policies for owner-based and share-based access control
Reviewed Changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
| app/Http/Controllers/Api/V1/SecretController.php | Implements 5 CRUD endpoints for secrets with owner authorization |
| app/Http/Controllers/Api/V1/SecretShareController.php | Implements 3 sharing endpoints with XOR validation and permission hierarchy |
| app/Http/Requests/StoreSecretRequest.php | Validation rules for secret creation |
| app/Http/Requests/UpdateSecretRequest.php | Validation rules for secret updates |
| app/Http/Requests/GrantShareRequest.php | XOR constraint validation for sharing |
| app/Policies/SecretPolicy.php | Authorization policy for secret access (owner-only currently) |
| app/Policies/SecretSharePolicy.php | Authorization policy for share management |
| app/Providers/AppServiceProvider.php | Registers new policies |
| app/Http/Controllers/Controller.php | Adds AuthorizesRequests trait |
| routes/api.php | Registers 8 new v1 API routes |
| tests/Pest.php | Enhanced helper with additional secret field support |
| tests/Feature/Controllers/Api/V1/SecretControllerTest.php | 17 comprehensive CRUD tests |
| tests/Feature/Controllers/Api/V1/SecretShareControllerTest.php | 18 comprehensive sharing tests |
| CHANGELOG.md | Documents new API features |
- SecretPolicy: Implement userHasPermission() calls (CRITICAL) - SecretController: Add viewAny authorization, fix error handling - Tests: Add 6 share-based access tests (read/write/admin permissions) - Tests: Remove duplicate code - SecretController: Fix DocBlock accuracy, improve error messages Fixes all 11 Copilot review comments (8 functional, 3 nitpicks addressed). All 23 SecretController tests + 18 SecretShare tests passing.
- Add missing create authorization in store() - Use active() scope in SecretShareController - Remove useless filter test (filter=owned not implemented) - Fix route ordering (nested routes before parameterized) - Fix version inflation (only increment if modified) - Refactor field assignment to private helper method - Reduce code duplication in store() and update() All 53 Secret/SecretShare tests passing (211 assertions).
This was referenced Nov 16, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
📌 Related Issues
Fixes #182
Part of: #173
📝 Summary
Implements full REST API for Secret CRUD and Sharing functionality with RBAC integration, completing Phase 3 of the Secret Management System Epic.
🎯 What This PR Does
Secret CRUD API (5 endpoints)
GET /v1/secrets- List user's secrets with paginationPOST /v1/secrets- Create secret with encrypted fieldsGET /v1/secrets/{id}- View secret detailsPATCH /v1/secrets/{id}- Update secret with version incrementDELETE /v1/secrets/{id}- Soft delete secretSecret Sharing API (3 endpoints)
POST /v1/secrets/{id}/shares- Grant read/write/admin accessGET /v1/secrets/{id}/shares- List all sharesDELETE /v1/secrets/{id}/shares/{shareId}- Revoke accessKey Features
🔧 Implementation Details
Files Created
app/Http/Controllers/Api/V1/SecretController.php- CRUD controller (5 methods)app/Http/Controllers/Api/V1/SecretShareController.php- Sharing controller (3 methods)app/Http/Requests/StoreSecretRequest.php- Create validationapp/Http/Requests/UpdateSecretRequest.php- Update validationapp/Http/Requests/GrantShareRequest.php- Share validation with XOR enforcementapp/Policies/SecretPolicy.php- CRUD authorizationapp/Policies/SecretSharePolicy.php- Sharing authorizationFiles Modified
routes/api.php- Added 8 new routes under/v1/prefixapp/Providers/AppServiceProvider.php- Policy registrationapp/Http/Controllers/Controller.php- AddedAuthorizesRequeststraittests/Pest.php- EnhancedcreateTestSecret()helperCHANGELOG.md- Comprehensive feature documentationTest Coverage
✅ Quality Gates
@varDocBlocksTenant Resolution: Uses temporary
TenantKey::first()patternTODO: Implement TenantMiddleware to inject
tenant_idinto requestsAdmin Permission: SecretSharePolicy currently owner-only
TODO: Add support for users with 'admin' permission to grant/revoke shares
🚫 Breaking Changes
None - all new functionality
🧪 Testing
📚 Documentation
See
CHANGELOG.mdfor comprehensive API documentation including:🔐 Security Considerations
📝 Checklist
Estimated LOC: ~1520 lines (14 files changed)
Test Coverage: 35 Controller tests, 13 Model tests
Related: Issue #184 (PHPStan type warnings - now resolved)