Harden credit flows and add RevenueCat webhook

2025-09-25 14:05:58 +02:00
parent 9248d7a3f5
commit 215d19f07e
18 changed files with 804 additions and 190 deletions


@@ -140,7 +140,7 @@ class OAuthController extends Controller
if (! $tenant) {
Log::error('[OAuth] Tenant not found during token issuance', [
'client_id' => $request->client_id,
'code_id' => $cachedCode['id'] ?? null,
'refresh_token_id' => $storedRefreshToken->id,
'tenant_id' => $tenantId,
]);
@@ -180,7 +180,7 @@ class OAuthController extends Controller
if (! $cachedCode || Arr::get($cachedCode, 'expires_at') < now()) {
Log::warning('[OAuth] Authorization code missing or expired', [
'client_id' => $request->client_id,
'code_id' => $cachedCode['id'] ?? null,
'refresh_token_id' => $storedRefreshToken->id,
]);
return $this->errorResponse('Invalid or expired authorization code', 400);
@@ -191,7 +191,7 @@ class OAuthController extends Controller
if (! $oauthCode || $oauthCode->isExpired() || ! Hash::check($request->code, $oauthCode->code)) {
Log::warning('[OAuth] Authorization code validation failed', [
'client_id' => $request->client_id,
'code_id' => $cachedCode['id'] ?? null,
'refresh_token_id' => $storedRefreshToken->id,
]);
return $this->errorResponse('Invalid authorization code', 400);
@@ -221,7 +221,7 @@ class OAuthController extends Controller
if (! $tenant) {
Log::error('[OAuth] Tenant not found during token issuance', [
'client_id' => $request->client_id,
'code_id' => $cachedCode['id'] ?? null,
'refresh_token_id' => $storedRefreshToken->id,
'tenant_id' => $tenantId,
]);
@@ -283,6 +283,15 @@ class OAuthController extends Controller
return $this->errorResponse('Invalid refresh token', 400);
}
$storedIp = (string) ($storedRefreshToken->ip_address ?? '');
$currentIp = (string) ($request->ip() ?? '');
if ($storedIp !== '' && $currentIp !== '' && ! hash_equals($storedIp, $currentIp)) {
$storedRefreshToken->update(['revoked_at' => now()]);
return $this->errorResponse('Refresh token cannot be used from this IP address', 403);
}
$client = OAuthClient::query()->where('client_id', $request->client_id)->where('is_active', true)->first();
if (! $client) {
return $this->errorResponse('Invalid client', 401);
@@ -292,7 +301,7 @@ class OAuthController extends Controller
if (! $tenant) {
Log::error('[OAuth] Tenant not found during token issuance', [
'client_id' => $request->client_id,
'code_id' => $cachedCode['id'] ?? null,
'refresh_token_id' => $storedRefreshToken->id,
'tenant_id' => $storedRefreshToken->tenant_id,
]);
@@ -560,4 +569,4 @@ class OAuthController extends Controller
return redirect('/admin')->with('error', 'Connection error: '.$e->getMessage());
}
}
}
}
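Review bot: The new IP-mismatch branch in the hunk at line 283 revokes the stored refresh token and returns 403 without writing a log entry, whereas every neighbouring failure branch in this file emits `Log::warning`/`Log::error` with `client_id` and `refresh_token_id`; a revocation triggered by a suspected token reuse from another address is exactly the event a detection team needs, so add `Log::warning('[OAuth] Refresh token IP mismatch, token revoked', ['client_id' => $request->client_id, 'refresh_token_id' => $storedRefreshToken->id]);` before the `update(['revoked_at' => now()])` call. `$request->ip()` is only meaningful behind a load balancer if the trusted-proxy configuration is correct — otherwise stored and current values collapse to the proxy address and the check never fires, or an untrusted forwarded header makes it attacker-controlled — and that configuration is not visible here, so confirm it; mobile clients also change address when switching networks, so this binding will revoke legitimate sessions on such transitions unless the client can recover via a fresh authorization. Separately, the four authorization-code log hunks (lines 140, 180, 191, 221) read `$storedRefreshToken->id` unguarded; if that variable is not set on the code-grant path the log call itself throws, so `'refresh_token_id' => $storedRefreshToken->id ?? null` would match the `$cachedCode['id'] ?? null` form used beside it. The enclosing method bodies continue outside each hunk.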