refactor: improve security, split routes, add API resources and FormRequests

- Fix timing attack vulnerability in AuthController - Split web.php (316 lines) into 7 focused route files - Add 8 API Resources for consistent response formatting - Add 8 FormRequest classes for centralized validation - Use Resources instead of manual array mapping in controllers
2026-05-20 23:03:16 +02:00
parent 2f30a058a4
commit 75b78c17fa
26 changed files with 745 additions and 404 deletions
@@ -0,0 +1,61 @@
+<?php
+
+use App\Http\Controllers\Auth\SocialAuthController;
+use Illuminate\Support\Facades\Route;
+use Laravel\Fortify\Features;
+use Laravel\Fortify\Http\Controllers\RegisteredUserController;
+use App\Actions\Fortify\Controllers\TwoFactorAuthenticatedSessionController;
+use App\Http\Controllers\User\ForgotPasswordController;
+use App\Http\Controllers\User\UserReferralController;
+
+// Social Login routes
+Route::prefix('auth')->group(function () {
+    Route::get('/google', [SocialAuthController::class, 'redirect'])->name('auth.google');
+    Route::get('/google/callback', [SocialAuthController::class, 'callback'])->name('auth.google.callback');
+
+    Route::get('/discord', [SocialAuthController::class, 'redirect'])->name('auth.discord');
+    Route::get('/discord/callback', [SocialAuthController::class, 'callback'])->name('auth.discord.callback');
+
+    Route::get('/github', [SocialAuthController::class, 'redirect'])->name('auth.github');
+    Route::get('/github/callback', [SocialAuthController::class, 'callback'])->name('auth.github.callback');
+
+    Route::delete('/unlink/{provider}', [SocialAuthController::class, 'unlink'])->name('auth.unlink')->middleware('auth');
+});
+
+// Registration
+Route::middleware(['guest', 'throttle:60,1'])->group(function () {
+    Route::get('/register', [RegisteredUserController::class, 'create']);
+    Route::post('/register', [RegisteredUserController::class, 'store'])->name('register');
+    Route::get('/register/{referral_code}', UserReferralController::class)->name('register.referral');
+});
+
+// Password reset
+Route::middleware(['guest', 'throttle:60,1'])->group(function () {
+    Route::get('forgot-password', ForgotPasswordController::class)->name('forgot.password.get');
+    Route::post('forgot-password', [ForgotPasswordController::class, 'submitForgetPassword'])->name('forgot.password.post');
+    Route::get('reset-password/{token}', [ForgotPasswordController::class, 'showResetPassword'])->name('reset.password.get');
+    Route::post('reset-password/{token}', [ForgotPasswordController::class, 'submitResetPassword'])->name('reset.password.post');
+});
+
+// Two factor challenge login
+Route::get('/two-factor-challenge', static fn () => view('auth.two-factor-challenge'))->name('two-factor.login');
+
+// Email verification resend
+Route::post('/email/verification-notification', static function () {
+    request()->user()->sendEmailVerificationNotification();
+
+    return back()->with('status', 'verification-link-sent');
+})->middleware(['auth', 'throttle:6,1'])->name('verification.send');
+
+// Two factor challenge with throttle
+if (Features::enabled(Features::twoFactorAuthentication())) {
+    $twoFactorLimiter = config('fortify.limiters.two-factor');
+
+    Route::post('/two-factor-challenge', [TwoFactorAuthenticatedSessionController::class, 'store'])
+        ->middleware(
+            array_filter([
+                'guest:' . config('fortify.guard'),
+                $twoFactorLimiter ? 'throttle:' . $twoFactorLimiter : null,
+            ]),
+        );
+}