🔄 **Refactor and extend meetup membership-based authorization**

- Updated `authorizeAccess` to restrict `meetups.edit` views and updates to users in "My-Meetups".
- Attached creators to `meetup_user` pivot for default membership.
- Adjusted related tests to validate membership-based edit permissions.

📱 **Improve sidebar and mobile navigation accessibility**
- Added `aria-labels` to improve screen reader support for sidebar and mobile header elements.
- Updated desktop and mobile user menus alignment for consistency.

⚡ **Enhance Lightning login flow**
- Introduced `lightningLoginInProgress` for smoother polling synchronization with the redirect flow.
- Updated logic to dispatch `lightning-login-ready` event instead of immediate redirect, avoiding race conditions.

resources/views/livewire/auth/login.blade.php

@@ -282,42 +282,35 @@ class extends Component {
         return Str::transliterate(Str::lower($this->email).'|'.request()->ip());
     }
 
-    public function checkAuth()
+    public function checkAuth(): void
     {
         $loginKey = LoginKey::query()
             ->where('k1', $this->k1)
-            ->whereDate('created_at', '>=', now()->subMinutes(5))
+            ->where('created_at', '>=', now()->subMinutes(5))
             ->first();
 
-        if ($loginKey) {
-            // Persist the locale choice before the auth round-trip — once we
-            // redirect, this component is unmounted and $currentLangCountry
-            // would otherwise be lost.
-            session(['lang_country' => $this->currentLangCountry]);
-
-            // Hand off to a dedicated controller via full-page redirect.
-            // Calling auth()->login() inside the wire:poll handler rotates
-            // the session id and CSRF token mid-flight. Any Livewire request
-            // that arrives in the same window — a parallel wire:poll tick,
-            // a sibling component update, a click on the Nostr button —
-            // would then 419 (TokenMismatch). The controller performs the
-            // login on a clean, non-Livewire request before redirecting on
-            // to the dashboard.
-            return $this->redirect(
-                route('auth.ln.complete', ['k1' => $this->k1]),
-                navigate: false,
-            );
+        if (! $loginKey) {
+            return;
         }
 
-        // Check if k1 has expired (older than 5 minutes)
-        $k1CreatedAt = now()->subMinutes(5);
-        if ($this->k1 && now()->diffInMinutes($k1CreatedAt) >= 5) {
-            $this->authError = 'Session expired. Please try again.';
+        // Persist the locale choice before the auth round-trip — once we
+        // navigate, this component is unmounted and $currentLangCountry
+        // would otherwise be lost.
+        session(['lang_country' => $this->currentLangCountry]);
 
-            return true;
-        }
-
-        return true;
+        // Hand the full-page navigation off to the client: returning a
+        // Livewire redirect from inside wire:poll has shown races with
+        // subsequent poll ticks (visible as a "request loop without
+        // redirect" for the user). Dispatching an event lets Alpine pause
+        // wire:poll via lightningLoginInProgress and run a clean
+        // window.location navigation. The dedicated /auth/complete-lightning
+        // controller then performs auth()->login() on a non-Livewire
+        // request, avoiding the session-id/CSRF rotation race that
+        // previously yielded 419s.
+        $this->dispatch(
+            'lightning-login-ready',
+            url: route('auth.ln.complete', ['k1' => $this->k1]),
+        );
     }
 
     /**
@@ -345,7 +338,8 @@ class extends Component {
 
 <div class="flex min-h-screen" x-data="nostrLogin"
      x-init="initErrorPolling"
-     x-effect="document.body.style.overflow = nostrLoginInProgress ? 'hidden' : ''"
+     x-effect="document.body.style.overflow = (nostrLoginInProgress || lightningLoginInProgress) ? 'hidden' : ''"
+     @lightning-login-ready.window="lightningLoginInProgress = true; window.location.href = $event.detail.url"
      data-nostr-challenge="{{ $nostrChallenge ?? '' }}">
     <div class="flex-1 flex justify-center items-center">
         <div class="w-80 max-w-80 space-y-6">
@@ -447,7 +441,12 @@ class extends Component {
          flight. Otherwise wire:poll can fire a parallel /livewire/update
          request that races with auth()->login()'s session migration and
          lands on an invalidated session id, producing 419 TokenMismatch. --}}
-    <template x-if="!nostrLoginInProgress">
+    {{-- Pause Livewire polling while either login flow is mid-flight.
+         Otherwise wire:poll can fire a parallel /livewire/update request
+         that races with the navigation handled in nostrLogin.js for Nostr
+         or the controller-driven Lightning flow, yielding the "request loop
+         without redirect" symptom seen in production. --}}
+    <template x-if="!nostrLoginInProgress && !lightningLoginInProgress">
         <div wire:poll.4s="checkAuth" wire:key="checkAuth"></div>
     </template>
 

resources/views/livewire/meetups/create.blade.php

@@ -83,7 +83,12 @@ class extends Component {
             'visible_on_map' => ['boolean'],
         ]);
 
-        $meetup = Meetup::create($validated);
+        $meetup = Meetup::create($validated + ['created_by' => auth()->id()]);
+
+        // Attach the creator to meetup_user so they appear under "My-Meetups"
+        // and pass the new edit-permission check (which is based on this pivot,
+        // not on created_by).
+        $meetup->users()->attach(auth()->id());
 
         if ($this->logo) {
             $meetup

resources/views/livewire/meetups/edit.blade.php

@@ -84,13 +84,23 @@ class extends Component {
     }
 
     /**
-     * Enforce that only the meetup's creator may load or update this view.
-     * Mirrors services/edit and lecturer-edit. Removing this guard reopens
-     * the IDOR closed by 90835f8 (security: critical fixes / edit authz).
+     * Enforce that only users who have added the meetup to their personal
+     * "My-Meetups" list (the meetup_user pivot) may load or update this view.
+     * Editing is intentionally not restricted to the original `created_by`
+     * — any member of the meetup's user list is treated as an editor.
      */
     protected function authorizeAccess(): void
     {
-        if (! is_null($this->meetup->created_by) && auth()->id() !== $this->meetup->created_by) {
+        if (! auth()->check()) {
+            abort(403);
+        }
+
+        $isMember = $this->meetup
+            ->users()
+            ->whereKey(auth()->id())
+            ->exists();
+
+        if (! $isMember) {
             abort(403);
         }
     }