eaa05d68c1
- Filament v5 multiFactorAuthentication enabled on both panels (App + Email) - HasAppAuthentication + HasEmailAuthentication on User and SuperAdmin - Migration: app_authentication_secret + recovery_codes + email_authentication_at - Sanctum REST API: /api/v1/login, /me, clients, vehicles, work-orders - EnsureTokenMatchesTenant middleware blocks cross-tenant token usage - CsvImportExport service: clients + vehicles bulk via plain CSV - Import/Export buttons on Client + Vehicle list pages - ApiTokens page in tenant panel (generate/revoke + last-used) - BackupAllTenantsCommand + scheduler (daily 03:00, retain 14 days) - Background scheduler in entrypoint.sh
103 lines
3.1 KiB
PHP
103 lines
3.1 KiB
PHP
<?php
|
|
|
|
namespace App\Models\Tenant;
|
|
|
|
use App\Models\Concerns\BelongsToTenant;
|
|
use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthentication;
|
|
use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthenticationRecovery;
|
|
use Filament\Auth\MultiFactor\Email\Contracts\HasEmailAuthentication;
|
|
use Filament\Models\Contracts\FilamentUser;
|
|
use Filament\Panel;
|
|
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
|
use Illuminate\Database\Eloquent\SoftDeletes;
|
|
use Illuminate\Foundation\Auth\User as Authenticatable;
|
|
use Illuminate\Notifications\Notifiable;
|
|
use Laravel\Sanctum\HasApiTokens;
|
|
use Spatie\Permission\Traits\HasRoles;
|
|
|
|
/**
|
|
* Tenant-bound user. Belongs to exactly one Company.
|
|
* UNIQUE(company_id, email) — same email can exist in different tenants
|
|
* as completely separate accounts.
|
|
*/
|
|
class User extends Authenticatable implements FilamentUser, HasAppAuthentication, HasAppAuthenticationRecovery, HasEmailAuthentication
|
|
{
|
|
use BelongsToTenant, HasApiTokens, HasFactory, HasRoles, Notifiable, SoftDeletes;
|
|
|
|
/** Spatie Permission scope key matches the team_foreign_key (company_id). */
|
|
protected $guard_name = 'web';
|
|
|
|
protected $fillable = [
|
|
'company_id', 'name', 'email', 'phone', 'avatar_url',
|
|
'role', 'status', 'locale',
|
|
'specialization', 'color', 'hourly_rate',
|
|
'email_verified_at', 'password', 'last_login_at',
|
|
'email_authentication_at',
|
|
'app_authentication_secret', 'app_authentication_recovery_codes',
|
|
];
|
|
|
|
protected $hidden = [
|
|
'password', 'remember_token',
|
|
];
|
|
|
|
protected function casts(): array
|
|
{
|
|
return [
|
|
'email_verified_at' => 'datetime',
|
|
'last_login_at' => 'datetime',
|
|
'email_authentication_at' => 'datetime',
|
|
'password' => 'hashed',
|
|
'app_authentication_secret' => 'encrypted',
|
|
'app_authentication_recovery_codes' => 'encrypted:array',
|
|
];
|
|
}
|
|
|
|
public function canAccessPanel(Panel $panel): bool
|
|
{
|
|
return $panel->getId() === 'tenant'
|
|
&& $this->status === 'active';
|
|
}
|
|
|
|
public function isAdmin(): bool
|
|
{
|
|
return $this->role === 'admin';
|
|
}
|
|
|
|
public function hasEmailAuthentication(): bool
|
|
{
|
|
return $this->email_authentication_at !== null;
|
|
}
|
|
|
|
public function toggleEmailAuthentication(bool $condition): void
|
|
{
|
|
$this->forceFill([
|
|
'email_authentication_at' => $condition ? now() : null,
|
|
])->saveQuietly();
|
|
}
|
|
|
|
public function getAppAuthenticationSecret(): ?string
|
|
{
|
|
return $this->app_authentication_secret;
|
|
}
|
|
|
|
public function saveAppAuthenticationSecret(?string $secret): void
|
|
{
|
|
$this->forceFill(['app_authentication_secret' => $secret])->saveQuietly();
|
|
}
|
|
|
|
public function getAppAuthenticationHolderName(): string
|
|
{
|
|
return $this->email;
|
|
}
|
|
|
|
public function getAppAuthenticationRecoveryCodes(): ?array
|
|
{
|
|
return $this->app_authentication_recovery_codes;
|
|
}
|
|
|
|
public function saveAppAuthenticationRecoveryCodes(?array $codes): void
|
|
{
|
|
$this->forceFill(['app_authentication_recovery_codes' => $codes])->saveQuietly();
|
|
}
|
|
}
|