From 1434c7e9d84ac15e70e958335669c6241079c560 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 24 Mar 2026 13:12:16 +0000
Subject: [PATCH] fix: validate invitation token format before database lookup

Add route-level regex constraints to all token route parameters, requiring exactly 64 alphanumeric characters. Malformed tokens (path traversal attempts, overly long strings, special characters) now receive a 404 at the routing layer before reaching controllers or triggering database lookups.

Fixes #43

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Routes/web.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Routes/web.php b/Routes/web.php
index 6a41eb5..c9fdd3a 100644
--- a/Routes/web.php
+++ b/Routes/web.php
@@ -26,10 +26,12 @@ use Illuminate\Support\Facades\Route;
 Route::prefix('account')->name('account.')->group(function () {
 Route::get('/delete/{token}', ConfirmDeletion::class)
- ->name('delete.confirm');
+ ->name('delete.confirm')
+ ->where('token', '[a-zA-Z0-9]{64}');
 Route::get('/delete/{token}/cancel', CancelDeletion::class)
- ->name('delete.cancel');
+ ->name('delete.cancel')
+ ->where('token', '[a-zA-Z0-9]{64}');
 });
 /*
@@ -43,7 +45,8 @@ Route::prefix('account')->name('account.')->group(function () {
 */
 Route::get('/workspace/invitation/{token}', WorkspaceInvitationController::class)
- ->name('workspace.invitation.accept');
+ ->name('workspace.invitation.accept')
+ ->where('token', '[a-zA-Z0-9]{64}');
 /*
 |--------------------------------------------------------------------------
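Review bot: The pattern `[a-zA-Z0-9]{64}` is written out three times (both `account` delete routes in the first hunk and the workspace invitation route in the second), so a later change to token length or alphabet has to be made in three places, and a missed one would silently turn valid links into 404s. Laravel's `Route::pattern('token', '[a-zA-Z0-9]{64}')`, registered once (for example in the route service provider's boot method), applies the same constraint to every `{token}` parameter and keeps the rule in one documented place. Whichever form is kept, the constraint should carry a comment tying it to the code that issues these tokens, e.g. `// must match the alphabet and length produced by the token generator — see <token generator, placeholder>`, because the patch does not show how deletion or invitation tokens are generated and the regex is only correct if it matches that format exactly. The route constraint is a pre-filter, not the check itself: the controllers' lookup and expiry handling, which lie outside these hunks, still decide whether a token is accepted.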