einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-05-18 20:34:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

🔄 **Refactor and extend meetup membership-based authorization**

Browse Source 
- Updated `authorizeAccess` to restrict `meetups.edit` views and updates to users in "My-Meetups".
- Attached creators to `meetup_user` pivot for default membership.
- Adjusted related tests to validate membership-based edit permissions.

📱 **Improve sidebar and mobile navigation accessibility**
- Added `aria-labels` to improve screen reader support for sidebar and mobile header elements.
- Updated desktop and mobile user menus alignment for consistency.

 **Enhance Lightning login flow**
- Introduced `lightningLoginInProgress` for smoother polling synchronization with the redirect flow.
- Updated logic to dispatch `lightning-login-ready` event instead of immediate redirect, avoiding race conditions.
This commit is contained in:
HolgerHatGarKeineNode
2026-05-17 17:28:17 +02:00
parent 9582880dbf
commit bf9654de87
9 changed files with 183 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files
resources/views/components/layouts/app/sidebar.blade.php
+17 -57
View File
@@ -7,11 +7,18 @@
<flux:toast.group>
<flux:toast/>
</flux:toast.group>
<flux:sidebar sticky stashable class="border-e border-zinc-200 bg-zinc-50 dark:border-zinc-700 dark:bg-zinc-900">
<flux:sidebar.toggle class="lg:hidden" icon="x-mark"/>
<flux:sidebar
sticky
stashable
aria-label="{{ __('Hauptnavigation') }}"
class="border-e border-zinc-200 bg-zinc-50 pb-[max(1rem,calc(env(safe-area-inset-bottom)+1rem))] dark:border-zinc-700 dark:bg-zinc-900"
>
<flux:sidebar.toggle class="lg:hidden" icon="x-mark" aria-label="{{ __('Menü schließen') }}"/>
<a href="{{ route('welcome') }}" class="me-5 flex items-center space-x-2 rtl:space-x-reverse"
wire:navigate>
<a href="{{ route('welcome') }}"
class="me-5 flex items-center space-x-2 rtl:space-x-reverse"
wire:navigate
aria-label="{{ __('Zur Startseite') }}">
<x-app-logo/>
</a>
@@ -148,14 +155,15 @@
</flux:navlist.group>
</flux:navlist>
<!-- Desktop User Menu -->
<!-- User Menu (Desktop + Mobile in sidebar) -->
@auth
<flux:dropdown class="hidden lg:block" position="bottom" align="start">
<flux:dropdown position="top" align="start">
<flux:profile
:name="auth()->user()->name"
:avatar="auth()->user()->profile_photo_url"
:initials="auth()->user()->initials()"
icon:trailing="chevrons-up-down"
aria-label="{{ __('Benutzermenü') }}"
/>
<flux:menu class="w-[220px]">
@@ -201,66 +209,18 @@
@endauth
</flux:sidebar>
<!-- Mobile User Menu -->
<!-- Mobile Header (Toggle + Quick Country Chooser) -->
@auth
<flux:header class="lg:hidden">
<flux:sidebar.toggle class="lg:hidden" icon="bars-2" inset="left"/>
<flux:sidebar.toggle class="lg:hidden" icon="bars-2" inset="left" aria-label="{{ __('Menü öffnen') }}"/>
<flux:spacer/>
<flux:navlist variant="outline" class="mr-6">
<flux:navlist variant="outline" class="me-1">
<flux:navlist.group class="grid">
<livewire:country.chooser/>
</flux:navlist.group>
</flux:navlist>
<flux:dropdown position="top" align="end">
<flux:profile
:avatar="auth()->user()->profile_photo_url"
:initials="auth()->user()->initials()"
icon-trailing="chevron-down"
/>
<flux:menu>
<flux:menu.radio.group>
<div class="p-0 text-sm font-normal">
<div class="flex items-center gap-2 px-1 py-1.5 text-start text-sm">
<flux:avatar :src="auth()->user()->profile_photo_url" size="sm" class="shrink-0"/>
<div class="grid flex-1 text-start text-sm leading-tight">
<span class="truncate font-semibold">{{ auth()->user()?->name }}</span>
<span class="truncate text-xs">
@if(strlen(auth()->user()?->name) > 12)
{{ Str::substr(auth()->user()?->name, 0, 4) }}
...{{ Str::substr(auth()->user()?->name, -4) }}
@else
{{ auth()->user()?->name }}
@endif
</span>
</div>
</div>
</div>
</flux:menu.radio.group>
<flux:menu.separator/>
<flux:menu.radio.group>
<flux:menu.item
:href="route('settings.profile', ['country' => str(session('lang_country', 'de'))->after('-')->lower()])"
icon="cog"
wire:navigate>{{ __('Settings') }}</flux:menu.item>
</flux:menu.radio.group>
<flux:menu.separator/>
<form method="POST" action="{{ route('logout') }}" class="w-full">
@csrf
<flux:menu.item as="button" type="submit" icon="arrow-right-start-on-rectangle" class="w-full">
{{ __('Log Out') }}
</flux:menu.item>
</form>
</flux:menu>
</flux:dropdown>
</flux:header>
@endauth
resources/views/livewire/auth/login.blade.php
+29 -30
View File
@@ -282,42 +282,35 @@ class extends Component {
return Str::transliterate(Str::lower($this->email).'|'.request()->ip());
}
public function checkAuth()
public function checkAuth(): void
{
$loginKey = LoginKey::query()
->where('k1', $this->k1)
->whereDate('created_at', '>=', now()->subMinutes(5))
->where('created_at', '>=', now()->subMinutes(5))
->first();
if ($loginKey) {
// Persist the locale choice before the auth round-trip — once we
// redirect, this component is unmounted and $currentLangCountry
// would otherwise be lost.
session(['lang_country' => $this->currentLangCountry]);
// Hand off to a dedicated controller via full-page redirect.
// Calling auth()->login() inside the wire:poll handler rotates
// the session id and CSRF token mid-flight. Any Livewire request
// that arrives in the same window — a parallel wire:poll tick,
// a sibling component update, a click on the Nostr button —
// would then 419 (TokenMismatch). The controller performs the
// login on a clean, non-Livewire request before redirecting on
// to the dashboard.
return $this->redirect(
route('auth.ln.complete', ['k1' => $this->k1]),
navigate: false,
);
if (! $loginKey) {
return;
}
// Check if k1 has expired (older than 5 minutes)
$k1CreatedAt = now()->subMinutes(5);
if ($this->k1 && now()->diffInMinutes($k1CreatedAt) >= 5) {
$this->authError = 'Session expired. Please try again.';
// Persist the locale choice before the auth round-trip — once we
// navigate, this component is unmounted and $currentLangCountry
// would otherwise be lost.
session(['lang_country' => $this->currentLangCountry]);
return true;
}
return true;
// Hand the full-page navigation off to the client: returning a
// Livewire redirect from inside wire:poll has shown races with
// subsequent poll ticks (visible as a "request loop without
// redirect" for the user). Dispatching an event lets Alpine pause
// wire:poll via lightningLoginInProgress and run a clean
// window.location navigation. The dedicated /auth/complete-lightning
// controller then performs auth()->login() on a non-Livewire
// request, avoiding the session-id/CSRF rotation race that
// previously yielded 419s.
$this->dispatch(
'lightning-login-ready',
url: route('auth.ln.complete', ['k1' => $this->k1]),
);
}
/**
@@ -345,7 +338,8 @@ class extends Component {
<div class="flex min-h-screen" x-data="nostrLogin"
x-init="initErrorPolling"
x-effect="document.body.style.overflow = nostrLoginInProgress ? 'hidden' : ''"
x-effect="document.body.style.overflow = (nostrLoginInProgress || lightningLoginInProgress) ? 'hidden' : ''"
@lightning-login-ready.window="lightningLoginInProgress = true; window.location.href = $event.detail.url"
data-nostr-challenge="{{ $nostrChallenge ?? '' }}">
<div class="flex-1 flex justify-center items-center">
<div class="w-80 max-w-80 space-y-6">
@@ -447,7 +441,12 @@ class extends Component {
flight. Otherwise wire:poll can fire a parallel /livewire/update
request that races with auth()->login()'s session migration and
lands on an invalidated session id, producing 419 TokenMismatch. --}}
<template x-if="!nostrLoginInProgress">
{{-- Pause Livewire polling while either login flow is mid-flight.
Otherwise wire:poll can fire a parallel /livewire/update request
that races with the navigation handled in nostrLogin.js for Nostr
or the controller-driven Lightning flow, yielding the "request loop
without redirect" symptom seen in production. --}}
<template x-if="!nostrLoginInProgress && !lightningLoginInProgress">
<div wire:poll.4s="checkAuth" wire:key="checkAuth"></div>
</template>
resources/views/livewire/meetups/create.blade.php
+6 -1
View File
@@ -83,7 +83,12 @@ class extends Component {
'visible_on_map' => ['boolean'],
]);
$meetup = Meetup::create($validated);
$meetup = Meetup::create($validated + ['created_by' => auth()->id()]);
// Attach the creator to meetup_user so they appear under "My-Meetups"
// and pass the new edit-permission check (which is based on this pivot,
// not on created_by).
$meetup->users()->attach(auth()->id());
if ($this->logo) {
$meetup
resources/views/livewire/meetups/edit.blade.php
+14 -4
View File
@@ -84,13 +84,23 @@ class extends Component {
}
/**
* Enforce that only the meetup's creator may load or update this view.
* Mirrors services/edit and lecturer-edit. Removing this guard reopens
* the IDOR closed by 90835f8 (security: critical fixes / edit authz).
* Enforce that only users who have added the meetup to their personal
* "My-Meetups" list (the meetup_user pivot) may load or update this view.
* Editing is intentionally not restricted to the original `created_by`
* any member of the meetup's user list is treated as an editor.
*/
protected function authorizeAccess(): void
{
if (! is_null($this->meetup->created_by) && auth()->id() !== $this->meetup->created_by) {
if (! auth()->check()) {
abort(403);
}
$isMember = $this->meetup
->users()
->whereKey(auth()->id())
->exists();
if (! $isMember) {
abort(403);
}
}