fix: validate invitation token format before database lookup

Add route-level regex constraints to all token route parameters, requiring exactly 64 alphanumeric characters. Malformed tokens (path traversal attempts, overly long strings, special characters) now receive a 404 at the routing layer before reaching controllers or triggering database lookups. Fixes #43 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix: remove hardcoded hub.host.uk.com domain from controllers
2026-03-24 13:12:16 +00:00 · 2026-03-24 13:11:55 +00:00 · 2026-03-24 13:11:34 +00:00 · 2026-03-24 13:11:34 +00:00 · 2026-03-24 13:11:29 +00:00
6 changed files with 153 additions and 6 deletions
--- a/Controllers/EntitlementApiController.php
+++ b/Controllers/EntitlementApiController.php
@ -102,7 +102,7 @@ class EntitlementApiController extends Controller
            $workspace = Workspace::create([
                'name' => $user->name."'s Workspace",
                'slug' => Str::slug($user->name).'-'.Str::random(6),
-                'domain' => 'hub.host.uk.com',
+                'domain' => 'hub.'.config('app.base_domain', 'host.uk.com'),
                'type' => 'custom',
            ]);

--- a/Controllers/WorkspaceController.php
+++ b/Controllers/WorkspaceController.php
@ -139,7 +139,7 @@ class WorkspaceController extends Controller
        }

        // Set default domain
-        $validated['domain'] = 'hub.host.uk.com';
+        $validated['domain'] = 'hub.'.config('app.base_domain', 'host.uk.com');
        $validated['type'] = $validated['type'] ?? 'custom';

        $workspace = Workspace::create($validated);
@ -261,7 +261,7 @@ class WorkspaceController extends Controller
                ->whereIn('workspace_id', function ($query) {
                    $query->select('id')
                        ->from('workspaces')
-                        ->where('domain', 'hub.host.uk.com');
+                        ->where('domain', 'hub.'.config('app.base_domain', 'host.uk.com'));
                })
                ->update(['is_default' => false]);

--- a/Migrations/2026_03_24_000000_add_feature_code_foreign_keys.php
+++ b/Migrations/2026_03_24_000000_add_feature_code_foreign_keys.php
@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Add foreign key constraints on feature_code columns to prevent orphaned records.
+     *
+     * Fixes #12: feature_code in usage_alert_history not constrained to entitlement_features.
+     */
+    public function up(): void
+    {
+        Schema::table('entitlement_usage_alert_history', function (Blueprint $table) {
+            $table->foreign('feature_code', 'usage_alert_feature_code_fk')
+                ->references('code')
+                ->on('entitlement_features')
+                ->cascadeOnUpdate()
+                ->restrictOnDelete();
+        });
+
+        Schema::table('entitlement_boosts', function (Blueprint $table) {
+            $table->foreign('feature_code', 'boosts_feature_code_fk')
+                ->references('code')
+                ->on('entitlement_features')
+                ->cascadeOnUpdate()
+                ->restrictOnDelete();
+        });
+
+        Schema::table('entitlement_usage_records', function (Blueprint $table) {
+            $table->foreign('feature_code', 'usage_records_feature_code_fk')
+                ->references('code')
+                ->on('entitlement_features')
+                ->cascadeOnUpdate()
+                ->restrictOnDelete();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('entitlement_usage_alert_history', function (Blueprint $table) {
+            $table->dropForeign('usage_alert_feature_code_fk');
+        });
+
+        Schema::table('entitlement_boosts', function (Blueprint $table) {
+            $table->dropForeign('boosts_feature_code_fk');
+        });
+
+        Schema::table('entitlement_usage_records', function (Blueprint $table) {
+            $table->dropForeign('usage_records_feature_code_fk');
+        });
+    }
+};
--- a/Migrations/2026_03_24_000000_cascade_delete_namespaces_on_workspace_delete.php
+++ b/Migrations/2026_03_24_000000_cascade_delete_namespaces_on_workspace_delete.php
@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Change namespaces.workspace_id FK from nullOnDelete to cascadeOnDelete.
+     *
+     * Fixes #10 — namespaces were orphaned with null workspace_id when
+     * the parent workspace was deleted.
+     */
+    public function up(): void
+    {
+        Schema::table('namespaces', function (Blueprint $table) {
+            $table->dropForeign(['workspace_id']);
+
+            $table->foreign('workspace_id')
+                ->references('id')
+                ->on('workspaces')
+                ->cascadeOnDelete();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('namespaces', function (Blueprint $table) {
+            $table->dropForeign(['workspace_id']);
+
+            $table->foreign('workspace_id')
+                ->references('id')
+                ->on('workspaces')
+                ->nullOnDelete();
+        });
+    }
+};
--- a/Migrations/2026_03_24_000000_fix_parent_feature_cascade_delete.php
+++ b/Migrations/2026_03_24_000000_fix_parent_feature_cascade_delete.php
@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Change parent_feature_id FK from nullOnDelete to cascadeOnDelete.
+     *
+     * nullOnDelete orphans child features when a parent is removed — they lose
+     * their hierarchy but still exist with a null parent_feature_id.  Children
+     * that belong to a pool have no meaning without their parent, so cascade
+     * deletion is the correct behaviour.
+     *
+     * Fixes #40
+     */
+    public function up(): void
+    {
+        Schema::table('entitlement_features', function (Blueprint $table) {
+            $table->dropForeign(['parent_feature_id']);
+
+            $table->foreign('parent_feature_id')
+                ->references('id')
+                ->on('entitlement_features')
+                ->cascadeOnDelete();
+        });
+    }
+
+    /**
+     * Revert to the original nullOnDelete behaviour.
+     */
+    public function down(): void
+    {
+        Schema::table('entitlement_features', function (Blueprint $table) {
+            $table->dropForeign(['parent_feature_id']);
+
+            $table->foreign('parent_feature_id')
+                ->references('id')
+                ->on('entitlement_features')
+                ->nullOnDelete();
+        });
+    }
+};
--- a/Routes/web.php
+++ b/Routes/web.php
@ -26,10 +26,12 @@ use Illuminate\Support\Facades\Route;

 Route::prefix('account')->name('account.')->group(function () {
    Route::get('/delete/{token}', ConfirmDeletion::class)
-        ->name('delete.confirm');
+        ->name('delete.confirm')
+        ->where('token', '[a-zA-Z0-9]{64}');

    Route::get('/delete/{token}/cancel', CancelDeletion::class)
-        ->name('delete.cancel');
+        ->name('delete.cancel')
+        ->where('token', '[a-zA-Z0-9]{64}');
 });

 /*
@ -43,7 +45,8 @@ Route::prefix('account')->name('account.')->group(function () {
 */

 Route::get('/workspace/invitation/{token}', WorkspaceInvitationController::class)
-    ->name('workspace.invitation.accept');
+    ->name('workspace.invitation.accept')
+    ->where('token', '[a-zA-Z0-9]{64}');

 /*
 |--------------------------------------------------------------------------
Author	SHA1	Message	Date
Claude	1434c7e9d8	fix: validate invitation token format before database lookup Add route-level regex constraints to all token route parameters, requiring exactly 64 alphanumeric characters. Malformed tokens (path traversal attempts, overly long strings, special characters) now receive a 404 at the routing layer before reaching controllers or triggering database lookups. Fixes #43 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 13:12:16 +00:00
Claude	74b81589c1	fix: remove hardcoded hub.host.uk.com domain from controllers Replace hardcoded 'hub.host.uk.com' with config('app.base_domain') to match the existing pattern used in middleware and Blade views. Fixes #7 Fixes #8 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 13:11:55 +00:00
Claude	d2548f7a62	fix: cascade delete child features when parent is removed The self-referential FK on entitlement_features.parent_feature_id used nullOnDelete(), which orphaned child features when a parent was deleted. Children that belong to a pool have no meaning without their parent, so cascade deletion is the correct behaviour. Adds a migration that drops and re-creates the FK with cascadeOnDelete(). Fixes #40 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 13:11:34 +00:00
Claude	70ad94d66d	fix: add FK constraints on feature_code columns to entitlement_features Add foreign key constraints from usage_alert_history.feature_code, entitlement_boosts.feature_code, and entitlement_usage_records.feature_code to entitlement_features.code to prevent orphaned records. Uses cascadeOnUpdate (code renames propagate) and restrictOnDelete (cannot delete a feature that has usage/alert/boost records). Fixes #12 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 13:11:34 +00:00
Claude	8b05b8a76d	fix: cascade delete namespaces when workspace is removed Change namespaces.workspace_id FK from nullOnDelete to cascadeOnDelete so that namespaces are properly cleaned up when their parent workspace is deleted, instead of being orphaned with a null workspace_id. Fixes #10 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 13:11:29 +00:00