feat(api): mobile API Milestone 1+2 — Sanctum auth + offline sync vertical slice

Milestone 1 (auth foundation): - Installed laravel/sanctum; HasApiTokens on User; published config + migration. - routes/api.php with /api/v1; Sanctum 'ability' middleware alias registered. - AuthController: POST login (long-lived revocable device token w/ ability mobile-sync + devices table), GET me, POST logout. New Device model/table. Milestone 2 (vertical slice, offline-first): - progress_updates: +uuid (client-generated) +client_updated_at. - ProjectApiController: GET projects (accessibleBy), GET projects/{id}/bundle (project/phases/layers/features, membership-authorized). - SyncController: POST sync — batch ops, idempotent by uuid, per-op result (applied/duplicate/error), server-set user_id, authz by permission+membership. Currently handles progress_update.create. Tests: tests/Feature/Api/MobileApiTest (9 passing) — auth, accessible projects, bundle authz, sync apply+idempotency, permission enforcement. Also fixed a latent schema bug: projects.reference (and external_reference_1) existed in the live DB but had no migration — added a guarded migration so fresh installs match production. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 09:05:20 +02:00
parent ba363e7e18
commit 17a824f925
16 changed files with 794 additions and 8 deletions
@@ -0,0 +1,80 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Http\Controllers\Controller;
+use App\Models\Device;
+use App\Models\User;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\ValidationException;
+
+class AuthController extends Controller
+{
+    /**
+     * Issue a long-lived, revocable device token (Sanctum).
+     */
+    public function login(Request $request)
+    {
+        $data = $request->validate([
+            'email'       => ['required', 'email'],
+            'password'    => ['required', 'string'],
+            'device_name' => ['required', 'string', 'max:255'],
+            'app_version' => ['nullable', 'string', 'max:50'],
+        ]);
+
+        $user = User::where('email', $data['email'])->first();
+
+        if (! $user || ! Hash::check($data['password'], $user->password)) {
+            throw ValidationException::withMessages([
+                'email' => [__('auth.failed')],
+            ]);
+        }
+
+        // One token per device name: revoke the previous one for this device.
+        $user->tokens()->where('name', $data['device_name'])->delete();
+
+        $token = $user->createToken($data['device_name'], ['mobile-sync']);
+
+        Device::updateOrCreate(
+            ['user_id' => $user->id, 'name' => $data['device_name']],
+            [
+                'token_id'     => $token->accessToken->id,
+                'app_version'  => $data['app_version'] ?? null,
+                'last_seen_at' => now(),
+            ]
+        );
+
+        return response()->json([
+            'token' => $token->plainTextToken,
+            'user'  => $this->userPayload($user),
+        ]);
+    }
+
+    public function me(Request $request)
+    {
+        return response()->json(['user' => $this->userPayload($request->user())]);
+    }
+
+    public function logout(Request $request)
+    {
+        $token = $request->user()->currentAccessToken();
+
+        // Clean up the device record bound to this token.
+        Device::where('token_id', $token->id)->delete();
+        $token->delete();
+
+        return response()->json(['message' => 'Logged out']);
+    }
+
+    private function userPayload(User $user): array
+    {
+        return [
+            'id'          => $user->id,
+            'name'        => $user->name,
+            'email'       => $user->email,
+            'roles'       => $user->getRoleNames(),
+            'permissions' => $user->getAllPermissions()->pluck('name')->values(),
+        ];
+    }
+}