Harden security model, enforce authorization workflow, and add audit automation

Author: soeren

.env.example

@@ -32,6 +32,16 @@ SESSION_LIFETIME=120
 SESSION_ENCRYPT=false
 SESSION_PATH=/
 SESSION_DOMAIN=null
+SESSION_SECURE_COOKIE=true
+SESSION_SAME_SITE=lax
+
+TRUSTED_HOSTS=
+TRUSTED_PROXIES=
+API_RATE_LIMIT_PER_MINUTE=60
+SECURITY_FORCE_HSTS=false
+UPLOAD_MAX_KB=10240
+UPLOAD_ALLOWED_EXTENSIONS=pdf,txt,csv,json,xml,md,doc,docx,xls,xlsx,png,jpg,jpeg,zip
+CORS_ALLOWED_ORIGINS=
 
 BROADCAST_CONNECTION=log
 FILESYSTEM_DISK=local

.github/workflows/security-audit.yml

@@ -0,0 +1,74 @@
+name: Security Audit
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: "0 5 * * 1"
+
+jobs:
+  dependency-audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.3"
+          tools: composer
+          extensions: mbstring, sqlite, pdo_sqlite
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: npm
+
+      - name: Install PHP dependencies
+        run: composer install --no-interaction --no-progress --prefer-dist
+
+      - name: Install Node dependencies
+        run: npm ci --no-audit --fund=false
+
+      - name: Run Composer Audit
+        run: composer audit --no-interaction
+
+      - name: Run NPM Audit (production)
+        run: npm audit --omit=dev --audit-level=high
+
+  secret-scan:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: detect --source . --redact --verbose
+
+  sast:
+    name: SAST
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: |
+            p/php
+            p/owasp-top-ten
+            p/secrets

app/Console/Commands/SetUserRole.php

@@ -0,0 +1,74 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Enums\UserRole;
+use App\Models\User;
+use Illuminate\Console\Command;
+
+class SetUserRole extends Command
+{
+    protected $signature = 'user:set-role
+                            {user : User ID or email address}
+                            {role : admin, editor, or viewer}
+                            {--abilities= : Comma-separated custom abilities to set}';
+
+    protected $description = 'Set role and optional custom abilities for an existing user.';
+
+    public function handle(): int
+    {
+        $identifier = (string) $this->argument('user');
+        $roleValue = strtolower((string) $this->argument('role'));
+        $abilitiesOption = trim((string) $this->option('abilities'));
+
+        $user = User::query()
+            ->when(is_numeric($identifier), fn ($query) => $query->whereKey((int) $identifier))
+            ->when(! is_numeric($identifier), fn ($query) => $query->where('email', $identifier))
+            ->first();
+
+        if (! $user) {
+            $this->error('User not found.');
+
+            return self::FAILURE;
+        }
+
+        $role = UserRole::tryFrom($roleValue);
+        if (! $role) {
+            $this->error('Invalid role. Allowed: admin, editor, viewer.');
+
+            return self::FAILURE;
+        }
+
+        $abilities = null;
+        if ($abilitiesOption !== '') {
+            $validAbilities = config('authorization.abilities', []);
+            $parsedAbilities = array_values(array_unique(array_filter(array_map(
+                static fn (string $ability): string => trim($ability),
+                explode(',', $abilitiesOption)
+            ))));
+
+            $invalidAbilities = array_values(array_diff($parsedAbilities, $validAbilities));
+            if (! empty($invalidAbilities)) {
+                $this->error('Invalid abilities: '.implode(', ', $invalidAbilities));
+
+                return self::FAILURE;
+            }
+
+            $abilities = $parsedAbilities;
+        }
+
+        $user->forceFill([
+            'role' => $role,
+            'abilities' => $abilities,
+        ])->save();
+
+        $this->info(sprintf(
+            'Updated user %s (%s) to role %s.',
+            (string) $user->id,
+            (string) $user->email,
+            $role->value
+        ));
+
+        return self::SUCCESS;
+    }
+}

app/Enums/UserRole.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Enums;
+
+enum UserRole: string
+{
+    case ADMIN = 'admin';
+    case EDITOR = 'editor';
+    case VIEWER = 'viewer';
+}

app/Filament/Resources/Software/RelationManagers/VersionsRelationManager.php

@@ -2,15 +2,12 @@
 
 namespace App\Filament\Resources\Software\RelationManagers;
 
-use App\Enums\ApprovalStatus;
-use App\Enums\VersionStatus;
 use Filament\Actions\BulkActionGroup;
 use Filament\Actions\CreateAction;
 use Filament\Actions\DeleteAction;
 use Filament\Actions\DeleteBulkAction;
 use Filament\Actions\EditAction;
 use Filament\Forms\Components\DatePicker;
-use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
 use Filament\Resources\RelationManagers\RelationManager;
 use Filament\Schemas\Schema;
@@ -29,14 +26,6 @@ public function form(Schema $schema): Schema
                     ->required(),
                 DatePicker::make('release_date')
                     ->required(),
-                Select::make('status')
-                    ->options(VersionStatus::class)
-                    ->default('draft')
-                    ->required(),
-                Select::make('approval_status')
-                    ->options(ApprovalStatus::class)
-                    ->default('pending')
-                    ->required(),
                 DatePicker::make('eol_date'),
                 DatePicker::make('lts_date'),
                 TextInput::make('support_status'),

app/Filament/Resources/Software/Schemas/SoftwareForm.php

@@ -3,7 +3,6 @@
 namespace App\Filament\Resources\Software\Schemas;
 
 use App\Enums\SoftwareStatus;
-use Filament\Forms\Components\DatePicker;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\Textarea;
 use Filament\Forms\Components\TextInput;
@@ -32,11 +31,6 @@ public static function configure(Schema $schema): Schema
                     ->options($statusOptions)
                     ->default(SoftwareStatus::ACTIVE->value)
                     ->required(),
-                TextInput::make('current_version')
-                    ->label(__('filament.software.fields.current_version'))
-                    ->maxLength(50),
-                DatePicker::make('last_release_date')
-                    ->label(__('filament.software.fields.last_release_date')),
                 TextInput::make('license_type')
                     ->label(__('filament.software.fields.license_type'))
                     ->maxLength(255),

app/Filament/Resources/Versions/Schemas/VersionForm.php

@@ -2,8 +2,6 @@
 
 namespace App\Filament\Resources\Versions\Schemas;
 
-use App\Enums\ApprovalStatus;
-use App\Enums\VersionStatus;
 use Filament\Forms\Components\DatePicker;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
@@ -13,9 +11,6 @@ class VersionForm
 {
     public static function configure(Schema $schema): Schema
     {
-        $statusOptions = collect(VersionStatus::cases())->mapWithKeys(fn (VersionStatus $case) => [$case->value => $case->label()])->all();
-        $approvalOptions = collect(ApprovalStatus::cases())->mapWithKeys(fn (ApprovalStatus $case) => [$case->value => $case->label()])->all();
-
         return $schema
             ->components([
                 Select::make('software_id')
@@ -31,16 +26,6 @@ public static function configure(Schema $schema): Schema
                 DatePicker::make('release_date')
                     ->label(__('filament.versions.fields.release_date'))
                     ->required(),
-                Select::make('status')
-                    ->label(__('filament.versions.fields.status'))
-                    ->options($statusOptions)
-                    ->default(VersionStatus::DRAFT->value)
-                    ->required(),
-                Select::make('approval_status')
-                    ->label(__('filament.versions.fields.approval_status'))
-                    ->options($approvalOptions)
-                    ->default(ApprovalStatus::PENDING->value)
-                    ->required(),
                 DatePicker::make('eol_date')
                     ->label(__('filament.versions.fields.eol_date')),
                 DatePicker::make('lts_date')

app/Http/Controllers/Api/FileAttachmentController.php

@@ -10,6 +10,7 @@
 use App\Models\Version;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 
 class FileAttachmentController extends Controller
 {
@@ -31,7 +32,7 @@ public function store(StoreFileAttachmentRequest $request, Version $version): Js
         $path = $uploadedFile->store("attachments/{$version->id}", $disk);
 
         $attachment = $version->fileAttachments()->create([
-            'filename' => $uploadedFile->getClientOriginalName(),
+            'filename' => $this->sanitizeFilename($uploadedFile->getClientOriginalName()),
             'file_path' => $path,
             'mime_type' => $uploadedFile->getClientMimeType(),
             'size' => $uploadedFile->getSize(),
@@ -63,7 +64,7 @@ public function update(UpdateFileAttachmentRequest $request, Version $version, F
             $path = $uploadedFile->store("attachments/{$version->id}", $disk);
 
             $fileAttachment->update([
-                'filename' => $uploadedFile->getClientOriginalName(),
+                'filename' => $this->sanitizeFilename($uploadedFile->getClientOriginalName()),
                 'file_path' => $path,
                 'mime_type' => $uploadedFile->getClientMimeType(),
                 'size' => $uploadedFile->getSize(),
@@ -89,4 +90,15 @@ protected function ensureRelationship(Version $version, FileAttachment $attachme
     {
         abort_if($attachment->version_id !== $version->id, 404);
     }
+
+    protected function sanitizeFilename(string $originalName): string
+    {
+        $basename = pathinfo($originalName, PATHINFO_FILENAME);
+        $extension = strtolower((string) pathinfo($originalName, PATHINFO_EXTENSION));
+
+        $safeBase = preg_replace('/[^A-Za-z0-9._ -]/', '-', $basename) ?: 'file';
+        $safeBase = trim((string) Str::of($safeBase)->squish()->limit(100, ''));
+
+        return $extension !== '' ? $safeBase.'.'.$extension : $safeBase;
+    }
 }

app/Http/Controllers/Controller.php

@@ -2,7 +2,11 @@
 
 namespace App\Http\Controllers;
 
-abstract class Controller
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Foundation\Validation\ValidatesRequests;
+use Illuminate\Routing\Controller as BaseController;
+
+abstract class Controller extends BaseController
 {
-    //
+    use AuthorizesRequests, ValidatesRequests;
 }

app/Http/Middleware/SecurityHeaders.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class SecurityHeaders
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $response = $next($request);
+        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
+        $response->headers->set(
+            'Permissions-Policy',
+            'camera=(), geolocation=(), microphone=(), payment=(), usb=()'
+        );
+
+        if ($request->isSecure() || config('security.force_hsts', false)) {
+            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        }
+
+        return $response;
+    }
+}