@josego85 josego85 commented Jan 5, 2026

Added

  • Form Request validation classes for authentication endpoints (RegisterRequest, LoginRequest)
  • Rate limiting on authentication endpoints (3 registrations/hour, 5 login attempts/minute)
  • Security logging for authentication events (failed attempts, successful logins, registrations, logouts)
  • Logout endpoint with JWT token invalidation (POST /api/v1/user/logout)
  • CORS configuration environment variable (CORS_ALLOWED_ORIGINS)
  • Comprehensive test suite: 59 new tests covering authentication, JWT middleware, form requests, and resources
    • AuthApiTest: Authentication flows (register, login, logout)
    • JWTMiddlewareTest: JWT token validation and error handling
    • LoginRequestTest & RegisterRequestTest: Form validation rules and messages
    • TranslationCollectionTest: Resource collection pagination
    • Enhanced coverage for TranslationController, WordController exception handling

Changed

  • Refactored AuthController to use Form Request classes
  • Enhanced password validation (12+ chars, mixed case, numbers, symbols, uncompromised check)
  • Improved error handling with generic messages for security (prevent information leakage)
  • Updated CORS configuration to be restrictive (no wildcards, specific origins only)
  • Changed password confirmation field from c_password to password_confirmation (Laravel standard)
  • Test coverage increased from 63.2% to 91.9% (28.7% improvement, exceeding 74% target)
  • Updated Docker infrastructure dependencies:
    • PHP: 8.4.15 → 8.4.16
    • Redis: 7.4.5 → 7.4.7
    • NGINX: 1.29.3 → 1.29.4
  • Updated dependencies:
    • predis/predis: 3.0.1 → 3.3.0
    • nuwave/lighthouse: 6.63.2 → 6.64.0
    • webonyx/graphql-php: 15.29.3 → 15.29.4 (indirect dependency patch update)
  • Updated development dependencies:
    • rector/rector: 2.2.8 → 2.3.0
    • laravel/pint: 1.24.0 → 1.27.0
    • larastan/larastan: 3.5.0 → 3.8.1
  • Migrated validation rules from pipe-separated strings to array format (Laravel 12 best practice)
  • Updated Eloquent scopes visibility from public to protected (Laravel 11+ standard)
  • Replaced closures with arrow functions where applicable for cleaner code
  • Added #[Override] attributes to Form Request methods for type safety
  • Applied Laravel Pint code style fixes for arrow function spacing
  • Cleaned up PHPStan configuration (removed obsolete error suppressions)
  • CI workflow: Updated composer validation to suppress version constraint warnings (--no-check-all)
  • CI workflow: Added JWT secret generation in test environment to fix authentication tests
  • Enhanced SecurityHeaders middleware test coverage (6 comprehensive test cases)

Security

  • Implemented restrictive CORS policy (configurable allowed origins)
  • Added comprehensive rate limiting to prevent brute force attacks
  • Enhanced password complexity requirements (12+ characters, mixed case, numbers, symbols)
  • Sanitized error messages to prevent user enumeration and information disclosure
  • Added security event logging for audit trails
  • Implemented HTTP security headers middleware (HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy)
  • Upgraded Spatie CSP from v2.10.3 to v3.21.0 with strict deny-by-default policy (default-src 'none')

Removed

  • Deleted tests/Feature/ExampleTest.php (replaced with production-ready test suite)
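The Form Request, password policy and throttle settings listed above, written out as an added illustration (this is not code from the PR or the repository). The file paths, the `App\Http\Controllers\Api\V1\AuthController` class and the `v1/user` route prefix are assumptions; the two files are shown in one listing with braced namespaces so it parses as a single PHP file.

```php
<?php
// Added example, not the project's own code. Assumed paths:
// app/Http/Requests/RegisterRequest.php and routes/api.php (already under /api).

namespace App\Http\Requests {

    use Illuminate\Foundation\Http\FormRequest;
    use Illuminate\Validation\Rules\Password;
    use Override;

    class RegisterRequest extends FormRequest
    {
        // Registration is public; abuse is bounded by the throttle middleware on the route.
        public function authorize(): bool
        {
            return true;
        }

        // Array-format rules (the Laravel 12 style this PR migrates to) let rule objects
        // such as Password sit next to string rules.
        public function rules(): array
        {
            return [
                'name'  => ['required', 'string', 'max:255'],
                // Caveat: a 'unique' failure tells the caller the address is registered.
                // If that matters for your threat model, check duplicates in the controller
                // and answer with the same neutral message as a successful request.
                'email' => ['required', 'string', 'email', 'max:255', 'unique:users,email'],
                // 'confirmed' looks for a matching `password_confirmation` field, which is
                // why the PR renames the client field from `c_password`.
                'password' => [
                    'required',
                    'string',
                    'confirmed',
                    Password::min(12)
                        ->mixedCase()
                        ->numbers()
                        ->symbols()
                        // Sends a k-anonymised SHA-1 prefix to the Have I Been Pwned range
                        // API, so validation needs outbound HTTPS and fails open if the
                        // service is unreachable unless you handle that explicitly.
                        ->uncompromised(),
                ],
            ];
        }

        // #[Override] only compiles when the parent declares the method. FormRequest
        // declares messages() (and attributes()) but resolves rules()/authorize() by
        // reflection, so the attribute belongs here and not on those two.
        #[Override]
        public function messages(): array
        {
            return [
                'password.confirmed' => 'The password confirmation does not match.',
            ];
        }
    }
}

namespace {

    use App\Http\Controllers\Api\V1\AuthController;
    use Illuminate\Support\Facades\Route;

    // throttle:<max attempts>,<decay minutes>. The limiter key is the authenticated
    // user id or, for guests, the client IP, so put the app behind a trusted proxy
    // configuration if it runs behind a load balancer.
    Route::prefix('v1/user')->group(function (): void {
        Route::post('/register', [AuthController::class, 'register'])
            ->middleware('throttle:3,60');  // 3 registrations per hour
        Route::post('/login', [AuthController::class, 'login'])
            ->middleware('throttle:5,1');   // 5 login attempts per minute
        Route::post('/logout', [AuthController::class, 'logout'])
            ->middleware('auth:api');       // requires a valid JWT
    });
}
```

When the limit is exceeded Laravel answers 429 with `Retry-After` and `X-RateLimit-*` headers, which is also what the throttle tests in the PR's AuthApiTest would assert on.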

…actoring

- Add Form Request validation classes (RegisterRequest, LoginRequest) following SOLID principles
- Implement rate limiting on auth endpoints (3 reg/hour, 5 login/min) to prevent brute force
- Add comprehensive security logging for authentication events (login, register, logout)
- Enhance password validation (12+ chars, mixed case, numbers, symbols, haveibeenpwned check)
- Implement restrictive CORS policy with configurable allowed origins (no wildcards)
- Sanitize error messages to prevent user enumeration and information disclosure
- Add logout endpoint with JWT token invalidation
- Refactor AuthController reducing complexity

BREAKING CHANGE: Password confirmation field renamed from `c_password` to `password_confirmation` (Laravel standard). Clients must update registration requests accordingly.

- Upgrade PHP from 8.4.15 to 8.4.16
- Upgrade Redis from 7.4.5 to 7.4.7
- Upgrade NGINX from 1.29.3 to 1.29.4
- Update version badges in documentation

- Migrate validation rules to array format (pipe strings → arrays)
- Add #[Override] attributes to Form Request methods (PHP 8.3+)
- Change Eloquent scopes to protected visibility (Laravel 11+)
- Convert closures to arrow functions for brevity
- Use Env::get() instead of $_ENV superglobal
- Add explicit type casting for env() string values

All changes applied via Rector automated refactoring tool following Laravel 12 and PHP 8.3 standards.

- Fix arrow function spacing (PSR-12 compliance)
- Remove obsolete PHPStan error suppressions for JWTAuth facade
- All CI checks passing (Pint, PHPStan, PHPUnit, Rector)

Security improvements:
- Add SecurityHeaders middleware (HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy)
- Upgrade spatie/laravel-csp from 2.10.3 to 3.21.0
- Implement strict CSP with deny-by-default (default-src 'none')
- Add 3 unit tests for SecurityHeaders middleware

Architecture:
- Single Responsibility: Spatie CSP handles CSP, SecurityHeaders handles other headers
- KISS: Reuse proven package instead of custom implementation
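An added example of the split this commit describes, with the CSP left to spatie/laravel-csp and the remaining headers set by a small middleware, plus a plain PHPUnit test of the kind the commit mentions. This is not the project's middleware or its tests; the header values, the paths `app/Http/Middleware/SecurityHeaders.php` and `tests/Unit/SecurityHeadersTest.php`, and the `/api/v1/health` URL are assumptions.

```php
<?php
// Added example, not the project's SecurityHeaders middleware or its tests.
// Two files shown in one listing with braced namespaces (assumed paths above).

namespace App\Http\Middleware {

    use Closure;
    use Illuminate\Http\Request;
    use Symfony\Component\HttpFoundation\Response;

    class SecurityHeaders
    {
        // Fixed values kept in one place so tests can assert against them.
        public const HEADERS = [
            'X-Frame-Options'        => 'DENY',
            'X-Content-Type-Options' => 'nosniff',
            // '0' disables the legacy browser XSS auditor, which could itself be abused;
            // XSS defence comes from the CSP that spatie/laravel-csp sets separately.
            'X-XSS-Protection'       => '0',
            'Referrer-Policy'        => 'strict-origin-when-cross-origin',
            'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=()',
        ];

        public function handle(Request $request, Closure $next): Response
        {
            $response = $next($request);

            foreach (self::HEADERS as $name => $value) {
                $response->headers->set($name, $value);
            }

            // Browsers ignore HSTS received over plain HTTP, and emitting it there makes
            // local HTTP development confusing, so only send it on TLS responses.
            if ($request->isSecure()) {
                $response->headers->set(
                    'Strict-Transport-Security',
                    'max-age=31536000; includeSubDomains'
                );
            }

            // Content-Security-Policy is intentionally absent: spatie/laravel-csp owns it.
            return $response;
        }
    }
}

namespace Tests\Unit {

    use App\Http\Middleware\SecurityHeaders;
    use Illuminate\Http\Request;
    use Illuminate\Http\Response;
    use PHPUnit\Framework\TestCase;
    use Symfony\Component\HttpFoundation\Response as SymfonyResponse;

    // The middleware needs no container, so a plain PHPUnit TestCase is enough.
    class SecurityHeadersTest extends TestCase
    {
        private function sendThrough(bool $https): SymfonyResponse
        {
            $scheme  = $https ? 'https' : 'http';
            $request = Request::create($scheme . '://localhost/api/v1/health');

            return (new SecurityHeaders())->handle($request, fn () => new Response('ok'));
        }

        public function test_fixed_headers_are_present(): void
        {
            $response = $this->sendThrough(https: false);

            foreach (SecurityHeaders::HEADERS as $name => $value) {
                $this->assertSame($value, $response->headers->get($name));
            }
        }

        public function test_hsts_is_only_sent_over_tls(): void
        {
            $this->assertNull($this->sendThrough(https: false)->headers->get('Strict-Transport-Security'));
            $this->assertStringContainsString(
                'max-age=31536000',
                $this->sendThrough(https: true)->headers->get('Strict-Transport-Security')
            );
        }
    }
}
```

Register the middleware globally (or on the `api` group) in `bootstrap/app.php`; adding `preload` to the HSTS value only makes sense once the domain has actually been submitted to the preload list, because it cannot be cheaply withdrawn.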
Development dependencies:
- Upgrade rector/rector from 2.2.8 to 2.3.0

Code improvements:
- Modernize bootstrap cache files with Rector (array() → [], string → ::class)
- Apply LongArrayToShortArrayRector to packages.php and services.php
- Apply StringClassNameToClassConstantRector for type safety

Files:
- composer.json, composer.lock (rector upgrade)
- CHANGELOG.md (document update)
- bootstrap/cache/packages.php (modernized)
- bootstrap/cache/services.php (modernized)

Development dependencies:
- Upgrade laravel/pint from 1.24.0 to 1.27.0

Verification:
- Code style check passed (99 files)
- No formatting issues detected

- Indirect dependency patch update through composer.lock
- webonyx/graphql-php: 15.29.3 → 15.29.4

- Static analysis tool for Laravel applications
- larastan/larastan: 3.5.0 → 3.8.1

- Redis client and GraphQL framework updates
- predis/predis: 3.0.1 → 3.3.0
- nuwave/lighthouse: 6.63.2 → 6.64.0

…nstraints

Update composer validation flag from --no-check-publish to --no-check-all to suppress warnings about exact version constraints, which are intentionally used as a security best practice for production applications.

Add 59 new tests covering authentication, JWT, form requests, and resources:
- AuthApiTest (12): register, login, logout flows with validation
- JWTMiddlewareTest (8): token validation and error handling
- LoginRequestTest (9) & RegisterRequestTest (17): form validation rules
- TranslationCollectionTest (6): resource pagination (cursor/standard)
- Enhanced TranslationController & WordController exception coverage

Coverage increased from 63.2% to 91.9% (+28.7pp, exceeding 74% target)

- Added `php artisan jwt:secret --force` command to GitHub Actions workflow
- Fixes authentication test failures caused by missing JWT_SECRET in CI
- Tests now properly initialize JWT configuration before running PHPUnit suite
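The generic login error, the security event logging and the JWT-invalidating logout that the PR description and the first commit message list, as an added example that is not the project's AuthController. It assumes a tymon/jwt-auth style `api` guard with the package's token blacklist enabled (its default), a `LoginRequest` whose rules cover exactly `email` and `password`, the default Laravel log channel, and the `App\Http\Controllers\Api\V1` namespace.

```php
<?php
// Added example, not the project's AuthController. Assumptions are listed above.

namespace App\Http\Controllers\Api\V1;

use App\Http\Controllers\Controller;
use App\Http\Requests\LoginRequest;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class AuthController extends Controller
{
    public function login(LoginRequest $request): JsonResponse
    {
        // validated() returns only the keys the form request declares (assumed: email, password).
        $credentials = $request->validated();

        $token = auth('api')->attempt($credentials);

        if ($token === false) {
            // Record what an investigator needs to spot credential stuffing or a
            // brute-force run (the throttle middleware caps the rate, this keeps the trail),
            // but never the submitted password.
            Log::warning('auth.login.failed', [
                'email'      => $credentials['email'],
                'ip'         => $request->ip(),
                'user_agent' => $request->userAgent(),
            ]);

            // One message whether the account is unknown or the password is wrong:
            // distinct replies would let a caller enumerate registered addresses.
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        Log::info('auth.login.success', [
            'user_id' => auth('api')->id(),
            'ip'      => $request->ip(),
        ]);

        return response()->json([
            'access_token' => $token,
            'token_type'   => 'bearer',
            'expires_in'   => auth('api')->factory()->getTTL() * 60,
        ]);
    }

    public function logout(Request $request): JsonResponse
    {
        // Capture the id before logout() clears the guard's user.
        $userId = auth('api')->id();

        // With tymon/jwt-auth, logout() puts the token's jti on the cache-backed
        // blacklist, so the same bearer token is rejected until it would have expired.
        // A JWT cannot be revoked without such server-side state.
        auth('api')->logout();

        Log::info('auth.logout', ['user_id' => $userId, 'ip' => $request->ip()]);

        return response()->json(['message' => 'Successfully logged out.']);
    }
}
```

The route for `logout` sits behind `auth:api`, so an expired or already-blacklisted token never reaches the action; the JWT middleware test in the PR is where that path gets exercised.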
@josego85 josego85 merged commit f85a348 into main Jan 16, 2026
12 checks passed