Deploy 2: 2FA (App + Email) + REST API + CSV import-export + auto backup
- Filament v5 multiFactorAuthentication enabled on both panels (App + Email) - HasAppAuthentication + HasEmailAuthentication on User and SuperAdmin - Migration: app_authentication_secret + recovery_codes + email_authentication_at - Sanctum REST API: /api/v1/login, /me, clients, vehicles, work-orders - EnsureTokenMatchesTenant middleware blocks cross-tenant token usage - CsvImportExport service: clients + vehicles bulk via plain CSV - Import/Export buttons on Client + Vehicle list pages - ApiTokens page in tenant panel (generate/revoke + last-used) - BackupAllTenantsCommand + scheduler (daily 03:00, retain 14 days) - Background scheduler in entrypoint.sh
This commit is contained in:
@@ -0,0 +1,83 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Models\Tenant\User;
|
||||
use App\Tenancy\TenantManager;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
class ApiAuthController
|
||||
{
|
||||
public function login(Request $request): JsonResponse
|
||||
{
|
||||
$request->validate([
|
||||
'email' => 'required|email',
|
||||
'password' => 'required',
|
||||
'device' => 'sometimes|string|max:80',
|
||||
]);
|
||||
|
||||
$tenant = app(TenantManager::class)->current();
|
||||
if (! $tenant) {
|
||||
throw ValidationException::withMessages([
|
||||
'email' => 'Tenant subdomain required.',
|
||||
]);
|
||||
}
|
||||
|
||||
$user = User::where('email', $request->email)->first();
|
||||
|
||||
if (! $user || ! Hash::check($request->password, $user->password)) {
|
||||
throw ValidationException::withMessages([
|
||||
'email' => 'Invalid credentials.',
|
||||
]);
|
||||
}
|
||||
|
||||
if ($user->company_id !== $tenant->id) {
|
||||
throw ValidationException::withMessages([
|
||||
'email' => 'User does not belong to this tenant.',
|
||||
]);
|
||||
}
|
||||
|
||||
if ($user->status !== 'active') {
|
||||
throw ValidationException::withMessages([
|
||||
'email' => 'Account inactive.',
|
||||
]);
|
||||
}
|
||||
|
||||
$token = $user->createToken($request->input('device', 'api'))->plainTextToken;
|
||||
|
||||
return response()->json([
|
||||
'token' => $token,
|
||||
'user' => [
|
||||
'id' => $user->id,
|
||||
'name' => $user->name,
|
||||
'email' => $user->email,
|
||||
'role' => $user->role,
|
||||
],
|
||||
'tenant' => [
|
||||
'slug' => $tenant->slug,
|
||||
'name' => $tenant->display_name ?? $tenant->name,
|
||||
],
|
||||
]);
|
||||
}
|
||||
|
||||
public function me(Request $request): JsonResponse
|
||||
{
|
||||
$u = $request->user();
|
||||
return response()->json([
|
||||
'id' => $u->id,
|
||||
'name' => $u->name,
|
||||
'email' => $u->email,
|
||||
'role' => $u->role,
|
||||
'tenant_slug' => app(TenantManager::class)->current()?->slug,
|
||||
]);
|
||||
}
|
||||
|
||||
public function logout(Request $request): JsonResponse
|
||||
{
|
||||
$request->user()->currentAccessToken()->delete();
|
||||
return response()->json(['ok' => true]);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,67 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Models\Tenant\Client;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
class ClientApiController
|
||||
{
|
||||
public function index(Request $request): JsonResponse
|
||||
{
|
||||
$q = Client::query();
|
||||
if ($s = $request->query('search')) {
|
||||
$q->where(function ($qq) use ($s) {
|
||||
$qq->where('name', 'like', "%{$s}%")
|
||||
->orWhere('phone', 'like', "%{$s}%")
|
||||
->orWhere('email', 'like', "%{$s}%");
|
||||
});
|
||||
}
|
||||
return response()->json($q->orderBy('name')->paginate(min((int) $request->query('per_page', 25), 100)));
|
||||
}
|
||||
|
||||
public function show(Client $client): JsonResponse
|
||||
{
|
||||
return response()->json($client->load('vehicles'));
|
||||
}
|
||||
|
||||
public function store(Request $request): JsonResponse
|
||||
{
|
||||
$data = $request->validate([
|
||||
'name' => 'required|string|max:120',
|
||||
'phone' => 'required|string|max:40',
|
||||
'phone_alt' => 'nullable|string|max:40',
|
||||
'email' => 'nullable|email|max:120',
|
||||
'company_name' => 'nullable|string|max:160',
|
||||
'type' => 'in:individual,company',
|
||||
'status' => 'in:new,active,vip,debtor,blocked,lost',
|
||||
'discount_pct' => 'nullable|numeric|min:0|max:100',
|
||||
'notes' => 'nullable|string',
|
||||
]);
|
||||
$client = Client::create($data + ['type' => 'individual', 'status' => 'active']);
|
||||
return response()->json($client, 201);
|
||||
}
|
||||
|
||||
public function update(Request $request, Client $client): JsonResponse
|
||||
{
|
||||
$data = $request->validate([
|
||||
'name' => 'sometimes|string|max:120',
|
||||
'phone' => 'sometimes|string|max:40',
|
||||
'phone_alt' => 'nullable|string|max:40',
|
||||
'email' => 'nullable|email|max:120',
|
||||
'company_name' => 'nullable|string|max:160',
|
||||
'status' => 'in:new,active,vip,debtor,blocked,lost',
|
||||
'discount_pct' => 'nullable|numeric|min:0|max:100',
|
||||
'notes' => 'nullable|string',
|
||||
]);
|
||||
$client->update($data);
|
||||
return response()->json($client);
|
||||
}
|
||||
|
||||
public function destroy(Client $client): JsonResponse
|
||||
{
|
||||
$client->delete();
|
||||
return response()->json(['ok' => true]);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,66 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Models\Tenant\Vehicle;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
class VehicleApiController
|
||||
{
|
||||
public function index(Request $request): JsonResponse
|
||||
{
|
||||
$q = Vehicle::query()->with('client:id,name,phone');
|
||||
if ($s = $request->query('search')) {
|
||||
$q->where(function ($qq) use ($s) {
|
||||
$qq->where('plate', 'like', "%{$s}%")
|
||||
->orWhere('vin', 'like', "%{$s}%")
|
||||
->orWhere('brand', 'like', "%{$s}%")
|
||||
->orWhere('model', 'like', "%{$s}%");
|
||||
});
|
||||
}
|
||||
return response()->json($q->orderBy('plate')->paginate(min((int) $request->query('per_page', 25), 100)));
|
||||
}
|
||||
|
||||
public function show(Vehicle $vehicle): JsonResponse
|
||||
{
|
||||
return response()->json($vehicle->load(['client', 'workOrders' => fn ($q) => $q->latest()->limit(10)]));
|
||||
}
|
||||
|
||||
public function store(Request $request): JsonResponse
|
||||
{
|
||||
$data = $request->validate([
|
||||
'client_id' => 'required|exists:clients,id',
|
||||
'plate' => 'required|string|max:30',
|
||||
'vin' => 'nullable|string|max:30',
|
||||
'brand' => 'nullable|string|max:60',
|
||||
'model' => 'nullable|string|max:60',
|
||||
'year' => 'nullable|integer|min:1900|max:2100',
|
||||
'mileage' => 'nullable|integer|min:0',
|
||||
'fuel' => 'nullable|string|max:30',
|
||||
'engine' => 'nullable|string|max:60',
|
||||
'gearbox' => 'nullable|string|max:30',
|
||||
'color' => 'nullable|string|max:30',
|
||||
'notes' => 'nullable|string',
|
||||
]);
|
||||
$v = Vehicle::create($data);
|
||||
return response()->json($v, 201);
|
||||
}
|
||||
|
||||
public function update(Request $request, Vehicle $vehicle): JsonResponse
|
||||
{
|
||||
$data = $request->validate([
|
||||
'plate' => 'sometimes|string|max:30',
|
||||
'mileage' => 'nullable|integer|min:0',
|
||||
'notes' => 'nullable|string',
|
||||
]);
|
||||
$vehicle->update($data);
|
||||
return response()->json($vehicle);
|
||||
}
|
||||
|
||||
public function destroy(Vehicle $vehicle): JsonResponse
|
||||
{
|
||||
$vehicle->delete();
|
||||
return response()->json(['ok' => true]);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,73 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Models\Tenant\WorkOrder;
|
||||
use App\Tenancy\TenantManager;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
class WorkOrderApiController
|
||||
{
|
||||
public function index(Request $request): JsonResponse
|
||||
{
|
||||
$q = WorkOrder::query()->with(['client:id,name,phone', 'vehicle:id,plate,brand,model']);
|
||||
if ($status = $request->query('status')) {
|
||||
$q->where('status', $status);
|
||||
}
|
||||
if ($s = $request->query('search')) {
|
||||
$q->where(function ($qq) use ($s) {
|
||||
$qq->where('number', 'like', "%{$s}%")
|
||||
->orWhereHas('vehicle', fn ($v) => $v->where('plate', 'like', "%{$s}%"));
|
||||
});
|
||||
}
|
||||
return response()->json($q->latest()->paginate(min((int) $request->query('per_page', 25), 100)));
|
||||
}
|
||||
|
||||
public function show(WorkOrder $workOrder): JsonResponse
|
||||
{
|
||||
return response()->json($workOrder->load(['client', 'vehicle', 'master', 'works', 'parts', 'payments']));
|
||||
}
|
||||
|
||||
public function store(Request $request): JsonResponse
|
||||
{
|
||||
$data = $request->validate([
|
||||
'client_id' => 'required|exists:clients,id',
|
||||
'vehicle_id' => 'required|exists:vehicles,id',
|
||||
'master_id' => 'nullable|exists:users,id',
|
||||
'opened_at' => 'nullable|date',
|
||||
'mileage_in' => 'nullable|integer|min:0',
|
||||
'complaint' => 'nullable|string',
|
||||
'status' => 'in:new,diagnosis,agreement,approved,in_work,awaiting_parts,ready,done,cancelled',
|
||||
]);
|
||||
$tenantId = app(TenantManager::class)->currentId();
|
||||
$data['number'] = WorkOrder::generateNumber($tenantId);
|
||||
$data['opened_at'] ??= now();
|
||||
$data['status'] ??= 'new';
|
||||
$data['pay_status'] = 'unpaid';
|
||||
$data['discount_pct'] = 0;
|
||||
$data['total'] = 0;
|
||||
$wo = WorkOrder::create($data);
|
||||
return response()->json($wo, 201);
|
||||
}
|
||||
|
||||
public function update(Request $request, WorkOrder $workOrder): JsonResponse
|
||||
{
|
||||
$data = $request->validate([
|
||||
'status' => 'sometimes|in:new,diagnosis,agreement,approved,in_work,awaiting_parts,ready,done,cancelled',
|
||||
'mileage_out' => 'nullable|integer|min:0',
|
||||
'diagnosis' => 'nullable|string',
|
||||
'recommendations' => 'nullable|string',
|
||||
'discount_pct' => 'nullable|numeric|min:0|max:100',
|
||||
]);
|
||||
$workOrder->update($data);
|
||||
$workOrder->recalcTotal();
|
||||
return response()->json($workOrder->fresh());
|
||||
}
|
||||
|
||||
public function destroy(WorkOrder $workOrder): JsonResponse
|
||||
{
|
||||
$workOrder->delete();
|
||||
return response()->json(['ok' => true]);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,34 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use App\Tenancy\TenantManager;
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
|
||||
/**
|
||||
* Defense in depth: even though Sanctum auth + TenantScope should isolate
|
||||
* tenants, this middleware EXPLICITLY rejects any request where the
|
||||
* authenticated user's company_id does not match the resolved tenant.
|
||||
*
|
||||
* Stops the entire class of "stolen token used on wrong subdomain" attacks.
|
||||
*/
|
||||
class EnsureTokenMatchesTenant
|
||||
{
|
||||
public function handle(Request $request, Closure $next)
|
||||
{
|
||||
$user = $request->user();
|
||||
$tenant = app(TenantManager::class)->current();
|
||||
|
||||
if (! $user || ! $tenant) {
|
||||
throw new AccessDeniedHttpException('Tenant context required.');
|
||||
}
|
||||
|
||||
if ($user->company_id !== $tenant->id) {
|
||||
throw new AccessDeniedHttpException('Token does not belong to this tenant.');
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user