feat: P2 RBAC defers — REST API + invitation workflow

Closes the P2 items from /tmp/service/new/01-TZ-rbac §4.1 §4.2.

== User invitation workflow ==

New columns on users: invited_at, invited_by_id (FK self), accepted_at,
invitation_token (sha256 hash, indexed). Migration is idempotent.

User::sendInvitation($invitedBy = auth()->user())
  - generates 64-char random token
  - stores sha256(token) in invitation_token column (never plaintext)
  - marks invited_at = now(), status = inactive
  - queues UserInvitationMail to the user's email with the signed accept URL
  - returns the raw token (for tests / API consumers)

User::findByInvitationToken($rawToken) hashes + lookups.
User::acceptInvitation($password) sets password (hashed cast), clears
invitation_token, marks accepted_at + email_verified_at, status = active.

Web routes (no auth — token IS the credential):
  GET  /invitations/{token}  → password-set form
  POST /invitations/{token}  → validates min:8 + confirmed, accepts

Tokens expire after 7 days (checked against invited_at). Expired and
invalid tokens render dedicated views (invitations/expired.blade.php,
invitations/invalid.blade.php) instead of generic 404 — so the user
knows to ask for a resend.

UserInvitationMail uses Filament's existing markdown layout; subject
includes the tenant display_name.

== REST API ==

Twenty new endpoints under /api/v1/ (Sanctum auth + tenant scoping
via the existing EnsureTokenMatchesTenant middleware). All gated by
ADMIN_USERS_* / ADMIN_ROLES_MANAGE permissions; mechanic-level token
gets 403.

Users:
  GET    /users                                  — paginated + role/status/q filters
  GET    /users/{u}                              — eager-loads roles + overrides + invitedBy
  POST   /users                                  — creates inactive user + sends invitation
  PATCH  /users/{u}                              — update name/email/role/status
  DELETE /users/{u}                              — soft delete
  POST   /users/{u}/activate
  POST   /users/{u}/deactivate                   — also revokes all sessions
  POST   /users/{u}/resend-invitation
  POST   /users/{u}/force-password-reset         — re-sends invitation
  GET    /users/{u}/sessions                     — list active sessions (from sessions table)
  DELETE /users/{u}/sessions                     — revoke all
  DELETE /users/{u}/sessions/{sessionId}         — revoke one
  GET    /users/{u}/roles                        — assigned roles
  POST   /users/{u}/roles                        — assign role
  DELETE /users/{u}/roles/{role}                 — remove role
  GET    /users/{u}/permissions                  — effective: role perms + grants - active denies
  POST   /users/{u}/permission-overrides         — add grant/deny (with optional expires_at)
  DELETE /users/{u}/permission-overrides/{perm}

Roles:
  apiResource roles                              — index/show/store/update/destroy
                                                   (system roles guarded against rename/delete)
  GET    /roles/{r}/permissions
  PUT    /roles/{r}/permissions                  — bulk sync
  GET    /permissions                            — catalog: flat list + grouped + labels + role labels

Authorization is uniform: every controller method calls $this->authorize()
which throws 403 if canDo(perm) is false. canDo() already honors the
overrides + admin bypass + audit log from earlier commits, so the API
behaves identically to the Filament UI.

== Tests ==

InvitationFlowTest (8): token generation + sha256 storage + queued mail,
findByInvitationToken happy/sad path, accept sets password + activates,
GET form renders, POST accepts + redirects, invalid token view,
backdated invited_at → expired view, password too short → validation error.

RbacApiTest (12): admin can list users, mechanic 403, create user
queues invitation, assign+remove role round-trip, effective permissions
endpoint subtracts active denies, add+remove override via API,
role index returns 7 system roles with permission counts (51 for owner),
role sync permissions, system role destroy rejected with 422,
permission catalog endpoint returns all 51 + grouped + labels,
revoke all sessions deletes only target user's rows.

Suite: 234 passed (659 assertions). Was 214.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
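The invitation-token lifecycle the commit message describes, as an added standalone example (not the project's User model or any Laravel code): only sha256(token) is persisted, lookups go by hash, the 7-day expiry is checked against invited_at, and the stored hash is cleared on acceptance so a token is single-use. The in-memory users array, the bin2hex(random_bytes(32)) generator and the class name are assumptions.

```php
<?php
// Added example, not the project's code: framework-free model of the invitation
// token flow. $users stands in for the users table; the generator is an assumption.
final class InvitationStore
{
    private const TTL = 7 * 24 * 3600;          // tokens expire 7 days after invited_at
    private array $users = [];                  // email => row
    public function addUser(string $email): void
    {
        $this->users[$email] = ['hash' => null, 'invited_at' => null, 'accepted_at' => null, 'status' => 'inactive'];
    }
    // Generate a 64-char token, persist only sha256(token), return the raw token.
    public function sendInvitation(string $email, int $now): string
    {
        $raw = bin2hex(random_bytes(32));       // 32 random bytes -> 64 hex chars
        $this->users[$email]['hash'] = hash('sha256', $raw);
        $this->users[$email]['invited_at'] = $now;
        $this->users[$email]['status'] = 'inactive';
        return $raw;                            // caller mails it; plaintext is never stored
    }
    // Hash the presented token and look the hash up; null means unknown or already used.
    public function findByInvitationToken(string $raw): ?string
    {
        $h = hash('sha256', $raw);
        foreach ($this->users as $email => $u) {
            if ($u['hash'] !== null && hash_equals($u['hash'], $h)) {
                return $email;
            }
        }
        return null;
    }
    // Returns 'accepted', 'expired' or 'invalid' so the caller can pick the matching view.
    public function acceptInvitation(string $raw, string $password, int $now): string
    {
        $email = $this->findByInvitationToken($raw);
        if ($email === null) { return 'invalid'; }
        if ($now - $this->users[$email]['invited_at'] > self::TTL) { return 'expired'; }
        $u = &$this->users[$email];
        $u['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        $u['hash'] = null;                      // single use: clear the stored hash
        $u['accepted_at'] = $now;
        $u['status'] = 'active';
        return 'accepted';
    }
}
```

A second acceptInvitation() call with the same raw token returns 'invalid' because the hash was cleared, which matches the "clears invitation_token" step in the commit message.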
2026-06-04 22:36:44 +00:00
parent 1d4ac3db38
commit d9180e16b3
14 changed files with 987 additions and 0 deletions
@@ -2,6 +2,8 @@
use App\Http\Controllers\Api\ApiAuthController;
use App\Http\Controllers\Api\ClientApiController;
use App\Http\Controllers\Api\RoleApiController;
use App\Http\Controllers\Api\UserApiController;
use App\Http\Controllers\Api\VehicleApiController;
use App\Http\Controllers\Api\WorkOrderApiController;
use Illuminate\Support\Facades\Route;
@@ -17,5 +19,26 @@ Route::prefix('v1')->group(function () {
Route::apiResource('clients', ClientApiController::class);
Route::apiResource('vehicles', VehicleApiController::class);
Route::apiResource('work-orders', WorkOrderApiController::class);
// RBAC management — guarded by ADMIN_USERS_* / ADMIN_ROLES_MANAGE.
Route::apiResource('users', UserApiController::class);
Route::post('users/{user}/activate', [UserApiController::class, 'activate']);
Route::post('users/{user}/deactivate', [UserApiController::class, 'deactivate']);
Route::post('users/{user}/resend-invitation', [UserApiController::class, 'resendInvitation']);
Route::post('users/{user}/force-password-reset', [UserApiController::class, 'forcePasswordReset']);
Route::get('users/{user}/sessions', [UserApiController::class, 'sessions']);
Route::delete('users/{user}/sessions', [UserApiController::class, 'revokeAllSessions']);
Route::delete('users/{user}/sessions/{sessionId}', [UserApiController::class, 'revokeSession']);
Route::get('users/{user}/roles', [UserApiController::class, 'roles']);
Route::post('users/{user}/roles', [UserApiController::class, 'assignRole']);
Route::delete('users/{user}/roles/{role}', [UserApiController::class, 'removeRole']);
Route::get('users/{user}/permissions', [UserApiController::class, 'permissions']);
Route::post('users/{user}/permission-overrides', [UserApiController::class, 'addOverride']);
Route::delete('users/{user}/permission-overrides/{permission}', [UserApiController::class, 'removeOverride']);
Route::apiResource('roles', RoleApiController::class);
Route::get('roles/{role}/permissions', [RoleApiController::class, 'permissions']);
Route::put('roles/{role}/permissions', [RoleApiController::class, 'syncPermissions']);
Route::get('permissions', [RoleApiController::class, 'permissionCatalog']);
});
});
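Review bot: none of the new users/roles routes carries a route-level authorization check in this hunk; the commit message relies on every controller method calling $this->authorize(), so a single forgotten call exposes that endpoint to any valid Sanctum token in the tenant. Attaching the permission gate at the route level too (for example a `can:` middleware on `Route::apiResource('users', UserApiController::class);` and the explicit routes) would make the ADMIN_USERS_* / ADMIN_ROLES_MANAGE gate hold independently of the controllers. Also, `Route::delete('users/{user}/sessions/{sessionId}', [UserApiController::class, 'revokeSession']);` binds `{sessionId}` with no relation to `{user}`; make sure revokeSession restricts the delete to session rows whose user_id matches the bound user, since the listed tests only cover revoke-all ("deletes only target user's rows") and not the single-session path.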
@@ -47,6 +47,12 @@ Route::post('/payments/paypal/webhook', [\App\Http\Controllers\PaymentController
Route::post('/payments/paynet/webhook', [\App\Http\Controllers\PaymentController::class, 'paynetWebhook'])
->withoutMiddleware([\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class]);
// User invitation accept flow (no auth required — token is the credential).
Route::get('/invitations/{token}', [\App\Http\Controllers\InvitationController::class, 'show'])
->name('invitation.show');
Route::post('/invitations/{token}', [\App\Http\Controllers\InvitationController::class, 'accept'])
->name('invitation.accept');
// Stub `login` route — needed because Laravel's auth middleware tries to
// route('login') when redirecting unauthenticated requests. We don't have a
// global /login (panels use /admin/login and /app/login), so stub it.
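Review bot: the public `/invitations/{token}` routes have no `throttle` middleware in this hunk; since the token is the only credential and the expired/invalid views intentionally tell the caller which case applies, wrap both routes in a throttle so unauthenticated probing is rate-limited, and add a `->where('token', ...)` constraint matching the 64-char generator so malformed values are rejected before reaching InvitationController. The POST route correctly stays under VerifyCsrfToken (unlike the webhook routes above it, it does not call withoutMiddleware), so the password-set form must include the CSRF field or the accept step will fail with 419.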