php-tenant

core/php-tenant

Fork 0

Commit graph

Author	SHA1	Message	Date
Claude	dede803632	security: fix O(n) timing attack in findByToken (#9 ) Add a SHA-256 token_hash lookup column to workspace_invitations so that findByToken and findPendingByToken can locate the candidate row with a single indexed SQL query instead of loading up to 1000 rows and running bcrypt against each one sequentially. The bcrypt hash in the token column is still verified after the O(1) lookup, preserving the existing security guarantee while eliminating both the timing side-channel and the performance bottleneck. Changes: - Migration to add nullable indexed token_hash column - Model booted() creating/updating events compute SHA-256 alongside bcrypt - findByToken/findPendingByToken rewritten to WHERE token_hash then Hash::check - HashInvitationTokens command updated to populate token_hash for existing rows Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 13:06:01 +00:00
Snider	67b5b14b8e	perf: add database indexes for common queries (P2-024) Add migration with performance indexes for frequently queried columns: - users.tier for tier-based queries - namespaces.slug for slug lookups - workspaces.is_active, type, domain for common filters - user_workspace.team_id foreign key - entitlement_usage_records.user_id foreign key - entitlement_logs.user_id foreign key Resolves PERF-002 from TODO.md. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-29 16:17:06 +00:00
Snider	86dbf4e763	fix: namespace to Core\Mod\Tenant, restructure package - Changed namespace from Core\Core\Tenant to Core\Mod\Tenant - Moved src/ contents to root - Removed Host UK extension files (admin.php, MemberManager, TeamManager) - Fixed composer.json autoload paths	2026-01-27 00:58:42 +00:00

Author

SHA1

Message

Date

Claude

dede803632

security: fix O(n) timing attack in findByToken (#9 )

Add a SHA-256 token_hash lookup column to workspace_invitations so that
findByToken and findPendingByToken can locate the candidate row with a
single indexed SQL query instead of loading up to 1000 rows and running
bcrypt against each one sequentially.

The bcrypt hash in the token column is still verified after the O(1)
lookup, preserving the existing security guarantee while eliminating
both the timing side-channel and the performance bottleneck.

Changes:
- Migration to add nullable indexed token_hash column
- Model booted() creating/updating events compute SHA-256 alongside bcrypt
- findByToken/findPendingByToken rewritten to WHERE token_hash then Hash::check
- HashInvitationTokens command updated to populate token_hash for existing rows

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-24 13:06:01 +00:00

Snider

67b5b14b8e

perf: add database indexes for common queries (P2-024)

Add migration with performance indexes for frequently queried columns:
- users.tier for tier-based queries
- namespaces.slug for slug lookups
- workspaces.is_active, type, domain for common filters
- user_workspace.team_id foreign key
- entitlement_usage_records.user_id foreign key
- entitlement_logs.user_id foreign key

Resolves PERF-002 from TODO.md.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-29 16:17:06 +00:00

Snider

86dbf4e763

fix: namespace to Core\Mod\Tenant, restructure package

- Changed namespace from Core\Core\Tenant to Core\Mod\Tenant
- Moved src/ contents to root
- Removed Host UK extension files (admin.php, MemberManager, TeamManager)
- Fixed composer.json autoload paths

2026-01-27 00:58:42 +00:00

3 commits