73de53994f
- Made `/api/auth/me` public and return explicit allowlist (name, email, two_factor_confirmed_at, tier, subscription fields) instead of spreading `$user->toArray()` which leaked is_admin, stripe_id, pm_type, pm_last_four, postcode. Returns `null` when unauthenticated rather than 401. - Moved `/auth/logout` to remain behind auth:sanctum gate. - Added 3×200ms retry with exponential backoff to EiaBrentPriceSource and FredBrentPriceSource on ConnectionException or 5xx responses. Timeout raised from 10s to 30s. - Both sources now throw typed BrentPriceFetchException on exhausted retries instead of silently returning null + logging. Updated tests to assert exception message includes HTTP status or "connection failed".
88 lines
2.8 KiB
PHP
88 lines
2.8 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Controllers\Api;
|
|
|
|
use App\Http\Controllers\Controller;
|
|
use App\Models\Plan;
|
|
use App\Models\User;
|
|
use App\Services\PlanFeatures;
|
|
use Illuminate\Http\JsonResponse;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\Auth;
|
|
use Illuminate\Validation\Rules\Password;
|
|
use Laravel\Sanctum\TransientToken;
|
|
|
|
class AuthController extends Controller
|
|
{
|
|
public function register(Request $request): JsonResponse
|
|
{
|
|
$data = $request->validate([
|
|
'name' => ['required', 'string', 'max:255'],
|
|
'email' => ['required', 'email', 'max:255', 'unique:users,email'],
|
|
'password' => ['required', 'confirmed', Password::defaults()],
|
|
]);
|
|
|
|
$user = User::create($data);
|
|
$token = $user->createToken('api')->plainTextToken;
|
|
|
|
return response()->json(['token' => $token, 'user' => $user], 201);
|
|
}
|
|
|
|
public function login(Request $request): JsonResponse
|
|
{
|
|
$credentials = $request->validate([
|
|
'email' => ['required', 'email'],
|
|
'password' => ['required', 'string'],
|
|
]);
|
|
|
|
if (! Auth::attempt($credentials)) {
|
|
return response()->json(['message' => 'Invalid credentials.'], 401);
|
|
}
|
|
|
|
/** @var User $user */
|
|
$user = Auth::user();
|
|
$token = $user->createToken('api')->plainTextToken;
|
|
|
|
return response()->json(['token' => $token, 'user' => $user]);
|
|
}
|
|
|
|
public function logout(Request $request): JsonResponse
|
|
{
|
|
$token = $request->user()->currentAccessToken();
|
|
|
|
// TransientToken means session-based auth (no Bearer token) — invalidate session instead
|
|
if ($token instanceof TransientToken) {
|
|
$request->session()->invalidate();
|
|
$request->session()->regenerateToken();
|
|
} else {
|
|
$token->delete();
|
|
}
|
|
|
|
return response()->json(['message' => 'Logged out.']);
|
|
}
|
|
|
|
public function me(Request $request): JsonResponse
|
|
{
|
|
$user = $request->user();
|
|
|
|
if ($user === null) {
|
|
return new JsonResponse('null', json: true);
|
|
}
|
|
|
|
$subscription = $user->subscription();
|
|
|
|
$expiresAt = $subscription?->ends_at ?? $subscription?->current_period_end;
|
|
|
|
return response()->json([
|
|
'name' => $user->name,
|
|
'email' => $user->email,
|
|
'two_factor_confirmed_at' => $user->two_factor_confirmed_at?->toIso8601String(),
|
|
'tier' => PlanFeatures::for($user)->tier(),
|
|
'subscription_cancelled' => $subscription?->canceled() ?? false,
|
|
'subscription_cadence' => Plan::resolveCadenceForUser($user),
|
|
'subscribed_at' => $subscription?->created_at?->toIso8601String(),
|
|
'subscription_expires_at' => $expiresAt?->toIso8601String(),
|
|
]);
|
|
}
|
|
}
|