gitmedia/presseportale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Security-Härtung Login & Magic-Link (Review 16.06.)

Browse source 
- Magic-Link-Versand im Login rate-limited (E-Mail+IP 3/h und IP-only 15/h);
  verhindert Mail-Fluten und das Entwerten aktiver Links.
- Inaktive (aber verifizierte) User werden beim Passwort-Login zentral
  blockiert (Auth::logout + Fehler) – sichert nur-auth/verified-Routen ab.
- Rollensicherer Login-Redirect: gemerkte intended-Admin-URLs schicken einen
  Customer nicht mehr in den 403, sondern auf das rollengerechte Ziel.
- ContactAccess prüft is_active vor jeder Mutation: deaktivierte Bestands-
  Accounts werden durch eine Anfrage weder verändert noch angemailt.
- Magic-Link-Verbrauch atomar (UPDATE … whereNull(consumed_at)) – Single-Use
  auch bei parallelen Requests.
- Sicherheits-Doku um diese Härtungen + Captcha-Empfehlung ergänzt.

Tests: Rate-Limit, intended-Admin-URL für Customer, inaktiver Login,
ContactAccess ohne Mutation inaktiver Accounts.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Kevin Adametz 2026-06-16 09:33:44 +00:00
parent 84f7eb3aab
commit d98d297524
7 changed files with 201 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

20
tests/Feature/Auth/MagicLinkLoginTest.php
View file

@ -48,6 +48,26 @@ test('the magic link modal validates its own email field and closes on success',
->assertDispatched('magic-link-sent');
});
test('magic link requests are rate limited per email', function () {
/** @var TestCase $this */
Mail::fake();
$user = User::factory()->create(['is_active' => true]);
foreach (range(1, 3) as $ignored) {
LivewireVolt::test('auth.login')
->set('magicEmail', $user->email)
->call('sendMagicLink')
->assertHasNoErrors();
}
LivewireVolt::test('auth.login')
->set('magicEmail', $user->email)
->call('sendMagicLink')
->assertHasErrors(['magicEmail']);
Mail::assertSent(MagicLoginLink::class, 3);
});
test('admin can login with a valid magic link and lands on admin dashboard', function () {
/** @var TestCase $this */
$this->seed(RolesAndPermissionsSeeder::class);