fix: prevent sensitive field leaks in /me, add retry logic to Brent price sources

- Made `/api/auth/me` public and return explicit allowlist (name, email, two_factor_confirmed_at, tier, subscription fields) instead of spreading `$user->toArray()` which leaked is_admin, stripe_id, pm_type, pm_last_four, postcode. Returns `null` when unauthenticated rather than 401. - Moved `/auth/logout` to remain behind auth:sanctum gate. - Added 3×200ms retry with exponential backoff to EiaBrentPriceSource and FredBrentPriceSource on ConnectionException or 5xx responses. Timeout raised from 10s to 30s. - Both sources now throw typed BrentPriceFetchException on exhausted retries instead of silently returning null + logging. Updated tests to assert exception message includes HTTP status or "connection failed".
2026-05-01 13:22:36 +01:00
parent df70e514e9
commit 73de53994f
6 changed files with 145 additions and 75 deletions
--- a/app/Http/Controllers/Api/AuthController.php
+++ b/app/Http/Controllers/Api/AuthController.php
@@ -64,19 +64,24 @@ class AuthController extends Controller
    public function me(Request $request): JsonResponse
    {
        $user = $request->user();
+
+        if ($user === null) {
+            return new JsonResponse('null', json: true);
+        }
+
        $subscription = $user->subscription();

        $expiresAt = $subscription?->ends_at ?? $subscription?->current_period_end;

-        return response()->json(array_merge(
-            $user->toArray(),
-            [
-                'tier' => PlanFeatures::for($user)->tier(),
-                'subscription_cancelled' => $subscription?->canceled() ?? false,
-                'subscription_cadence' => Plan::resolveCadenceForUser($user),
-                'subscribed_at' => $subscription?->created_at?->toIso8601String(),
-                'subscription_expires_at' => $expiresAt?->toIso8601String(),
-            ],
-        ));
+        return response()->json([
+            'name' => $user->name,
+            'email' => $user->email,
+            'two_factor_confirmed_at' => $user->two_factor_confirmed_at?->toIso8601String(),
+            'tier' => PlanFeatures::for($user)->tier(),
+            'subscription_cancelled' => $subscription?->canceled() ?? false,
+            'subscription_cadence' => Plan::resolveCadenceForUser($user),
+            'subscribed_at' => $subscription?->created_at?->toIso8601String(),
+            'subscription_expires_at' => $expiresAt?->toIso8601String(),
+        ]);
    }
 }