fix: validate invitation token format before database lookup #58

Open
Charon wants to merge 5 commits from feat/validate-invitation-token-format into dev

Summary

  • Add where("token", "[a-zA-Z0-9]{64}") route constraints to all three token-based routes in Routes/web.php
  • Malformed tokens (path traversal attempts, overly long strings, special characters) now receive a 404 at the routing layer
  • Prevents unnecessary database lookups — especially important for WorkspaceInvitation::findByToken() which iterates up to 1000 rows doing Hash::check()

Fixes #43

Test plan

  • Verify /workspace/invitation/<valid-64-char-token> still reaches the controller
  • Verify /workspace/invitation/../../etc/passwd returns 404
  • Verify /workspace/invitation/short returns 404
  • Verify /account/delete/<valid-token> and cancel routes still work
  • Verify tokens with special characters are rejected at routing level
Charon added 5 commits 2026-03-24 13:13:02 +00:00
Change namespaces.workspace_id FK from nullOnDelete to cascadeOnDelete
so that namespaces are properly cleaned up when their parent workspace
is deleted, instead of being orphaned with a null workspace_id.

Fixes #10

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add foreign key constraints from usage_alert_history.feature_code,
entitlement_boosts.feature_code, and entitlement_usage_records.feature_code
to entitlement_features.code to prevent orphaned records.

Uses cascadeOnUpdate (code renames propagate) and restrictOnDelete
(cannot delete a feature that has usage/alert/boost records).

Fixes #12

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The self-referential FK on entitlement_features.parent_feature_id used
nullOnDelete(), which orphaned child features when a parent was deleted.
Children that belong to a pool have no meaning without their parent, so
cascade deletion is the correct behaviour.

Adds a migration that drops and re-creates the FK with cascadeOnDelete().

Fixes #40

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace hardcoded 'hub.host.uk.com' with config('app.base_domain')
to match the existing pattern used in middleware and Blade views.

Fixes #7
Fixes #8

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add route-level regex constraints to all token route parameters,
requiring exactly 64 alphanumeric characters. Malformed tokens
(path traversal attempts, overly long strings, special characters)
now receive a 404 at the routing layer before reaching controllers
or triggering database lookups.

Fixes #43

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
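An added example, not the project's own code, showing what the description and the last commit message describe: the three token routes with the `[a-zA-Z0-9]{64}` constraint, plus a PHPUnit feature test that automates the test plan (well-formed token still routes, short, long, special-character and traversal tokens are rejected by the router before any controller or database work). Controller class and method names, the `/cancel` path shape and the test file path are assumptions; the token regex is the one from the PR.

```php
<?php
// ---- routes/web.php (added example; controller and route names are assumptions) ----

use App\Http\Controllers\AccountDeletionController;
use App\Http\Controllers\WorkspaceInvitationController;
use Illuminate\Support\Facades\Route;

// Laravel substitutes the requirement for the default "[^/]++" inside the compiled
// route regex, so "[a-zA-Z0-9]{64}" is effectively anchored: the segment must be
// exactly 64 ASCII alphanumerics. The path is rawurldecode()d before matching, so
// "..%2F..%2Fetc%2Fpasswd" is rejected the same way as "../../etc/passwd".
$tokenPattern = '[a-zA-Z0-9]{64}';

Route::get('/workspace/invitation/{token}', [WorkspaceInvitationController::class, 'accept'])
    ->where('token', $tokenPattern)
    ->name('workspace.invitation.accept');

Route::get('/account/delete/{token}', [AccountDeletionController::class, 'confirm'])
    ->where('token', $tokenPattern)
    ->name('account.delete.confirm');

Route::get('/account/delete/{token}/cancel', [AccountDeletionController::class, 'cancel'])
    ->where('token', $tokenPattern)
    ->name('account.delete.cancel');
```

```php
<?php
// ---- tests/Feature/TokenRouteConstraintTest.php (added example) ----

namespace Tests\Feature;

use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Tests\TestCase;

class TokenRouteConstraintTest extends TestCase
{
    // Resolve a path against the route table only, without invoking the
    // controller: RouteCollection::match() throws NotFoundHttpException
    // when no route (and therefore no constraint) accepts the path.
    private function routeMatches(string $path): bool
    {
        try {
            $this->app['router']->getRoutes()->match(Request::create($path, 'GET'));
            return true;
        } catch (NotFoundHttpException) {
            return false;
        }
    }

    public function test_well_formed_tokens_match_all_three_routes(): void
    {
        $token = Str::random(64); // Str::random() emits only [A-Za-z0-9]

        $this->assertTrue($this->routeMatches("/workspace/invitation/{$token}"));
        $this->assertTrue($this->routeMatches("/account/delete/{$token}"));
        $this->assertTrue($this->routeMatches("/account/delete/{$token}/cancel"));
    }

    public function test_malformed_tokens_are_rejected_by_the_router(): void
    {
        // Constructed inputs covering each bullet of the PR's test plan.
        $malformed = [
            'short',
            str_repeat('a', 63),          // one character short
            str_repeat('a', 65),          // one character long
            str_repeat('a', 63) . '!',    // special character
            str_repeat('a', 63) . '%20',  // encoded space, decoded before matching
            '../../etc/passwd',           // traversal, literal
            '..%2F..%2Fetc%2Fpasswd',     // traversal, percent-encoded
        ];

        foreach ($malformed as $bad) {
            $this->assertFalse($this->routeMatches("/workspace/invitation/{$bad}"), $bad);
            // End-to-end: the unmatched route surfaces as an HTTP 404.
            $this->get("/workspace/invitation/{$bad}")->assertNotFound();
        }
    }
}
```

Two practical notes. If the pattern is to apply to every `{token}` parameter the app ever registers, `Route::pattern('token', '[a-zA-Z0-9]{64}')` in the service provider's `boot()` replaces the three repeated `where()` calls and covers future token routes automatically. And the constraint only filters garbage: a well-formed but unknown token still drives `WorkspaceInvitation::findByToken()` through its scan of up to 1000 rows with `Hash::check()` per row, so a `throttle` middleware on these routes, and longer term an indexed deterministic lookup column instead of a per-row bcrypt comparison, are the follow-ups that actually bound that cost.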