Deploy 2: 2FA (App + Email) + REST API + CSV import-export + auto backup

- Filament v5 multiFactorAuthentication enabled on both panels (App + Email)
- HasAppAuthentication + HasEmailAuthentication on User and SuperAdmin
- Migration: app_authentication_secret + recovery_codes + email_authentication_at
- Sanctum REST API: /api/v1/login, /me, clients, vehicles, work-orders
- EnsureTokenMatchesTenant middleware blocks cross-tenant token usage
- CsvImportExport service: clients + vehicles bulk via plain CSV
- Import/Export buttons on Client + Vehicle list pages
- ApiTokens page in tenant panel (generate/revoke + last-used)
- BackupAllTenantsCommand + scheduler (daily 03:00, retain 14 days)
- Background scheduler in entrypoint.sh
This commit is contained in:
2026-05-07 19:25:27 +00:00
parent ce4e21220f
commit eaa05d68c1
22 changed files with 1068 additions and 6 deletions
+48 -2
View File
@@ -3,12 +3,16 @@
namespace App\Models\Tenant;
use App\Models\Concerns\BelongsToTenant;
use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthentication;
use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthenticationRecovery;
use Filament\Auth\MultiFactor\Email\Contracts\HasEmailAuthentication;
use Filament\Models\Contracts\FilamentUser;
use Filament\Panel;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;
use Spatie\Permission\Traits\HasRoles;
/**
@@ -16,9 +20,9 @@ use Spatie\Permission\Traits\HasRoles;
* UNIQUE(company_id, email) same email can exist in different tenants
* as completely separate accounts.
*/
class User extends Authenticatable implements FilamentUser
class User extends Authenticatable implements FilamentUser, HasAppAuthentication, HasAppAuthenticationRecovery, HasEmailAuthentication
{
use BelongsToTenant, HasFactory, HasRoles, Notifiable, SoftDeletes;
use BelongsToTenant, HasApiTokens, HasFactory, HasRoles, Notifiable, SoftDeletes;
/** Spatie Permission scope key matches the team_foreign_key (company_id). */
protected $guard_name = 'web';
@@ -28,6 +32,8 @@ class User extends Authenticatable implements FilamentUser
'role', 'status', 'locale',
'specialization', 'color', 'hourly_rate',
'email_verified_at', 'password', 'last_login_at',
'email_authentication_at',
'app_authentication_secret', 'app_authentication_recovery_codes',
];
protected $hidden = [
@@ -39,7 +45,10 @@ class User extends Authenticatable implements FilamentUser
return [
'email_verified_at' => 'datetime',
'last_login_at' => 'datetime',
'email_authentication_at' => 'datetime',
'password' => 'hashed',
'app_authentication_secret' => 'encrypted',
'app_authentication_recovery_codes' => 'encrypted:array',
];
}
@@ -53,4 +62,41 @@ class User extends Authenticatable implements FilamentUser
{
return $this->role === 'admin';
}
public function hasEmailAuthentication(): bool
{
return $this->email_authentication_at !== null;
}
public function toggleEmailAuthentication(bool $condition): void
{
$this->forceFill([
'email_authentication_at' => $condition ? now() : null,
])->saveQuietly();
}
public function getAppAuthenticationSecret(): ?string
{
return $this->app_authentication_secret;
}
public function saveAppAuthenticationSecret(?string $secret): void
{
$this->forceFill(['app_authentication_secret' => $secret])->saveQuietly();
}
public function getAppAuthenticationHolderName(): string
{
return $this->email;
}
public function getAppAuthenticationRecoveryCodes(): ?array
{
return $this->app_authentication_recovery_codes;
}
public function saveAppAuthenticationRecoveryCodes(?array $codes): void
{
$this->forceFill(['app_authentication_recovery_codes' => $codes])->saveQuietly();
}
}