03 - Central Auth Runtime
Dokumen ini membahas alur auth terpusat, runtime endpoint user, serta mapping class yang terlibat.Scope#
routes/central/auth-runtime.php
routes/central/auth-runtime/core.php
routes/central/auth-runtime/activity.php
routes/central/auth-runtime/session.php
routes/central/auth-runtime/notification.php
routes/central/auth-runtime/security.php
End-to-End Auth Flow#
Runtime Middleware Pipeline#
Endpoint Matrix#
A. Public/Pre-runtime Auth (/api/v1/auth/*)#
| Method | Path | Controller | Middleware Khusus | Tujuan |
|---|
| POST | /auth/register | RegisterController | throttle:auth-register | Registrasi user baru |
| POST | /auth/login | LoginController | throttle:auth-login | Login kredensial |
| POST | /auth/refresh | RefreshTokenController | throttle:auth-refresh | Rotasi access token |
| POST | /auth/social/google | SocialGoogleLoginController | throttle:auth-login | Login via social account |
| GET | /auth/social/google/redirect | SocialGoogleOAuthController@redirect | - | Start OAuth redirect |
| GET | /auth/social/google/callback | SocialGoogleOAuthController@callback | - | Callback OAuth |
| POST | /auth/two-factor/challenge | TwoFactorChallengeController | auth:sanctum, ability:auth:2fa-challenge, throttle:auth-login | Verifikasi challenge 2FA |
| POST | /auth/forgot-password | PasswordResetLinkController | throttle:auth-password | Request reset link |
| POST | /auth/reset-password | PasswordResetController | throttle:auth-password | Set password baru |
| GET | /auth/verify-email/{id}/{hash} | VerifyEmailController | signed:relative, throttle:auth-email-verification | Verify email |
| POST | /auth/verify-email/resend/{id}/{hash} | ResendEmailVerificationController | signed:relative, throttle:auth-email-verification | Resend verify link |
| POST | /auth/select-tenant | SelectTenantController | auth:sanctum, tenant.context, ability:tenant:select, throttle:auth-select-tenant | Pilih tenant context |
| POST | /auth/tenant-onboarding | OnboardingController | auth:sanctum, ability:tenant:onboard, throttle:auth-register | Selesaikan onboarding tenant |
B. Runtime Auth Core (/api/v1/auth/*)#
| Method | Path | Controller | Middleware |
|---|
| POST | /auth/logout | LogoutController | runtime baseline |
| POST | /auth/logout-all | LogoutAllController | runtime baseline + password.confirmed |
| GET | /auth/me | MeController | runtime baseline |
ability:tenant:access,platform:access
C. Runtime Activity#
| Method | Path | Controller |
|---|
| GET | /auth/activities | AuthActivityController@index |
| GET | /auth/activities/suspicious | AuthActivityController@suspicious |
| GET | /auth/activities/tenant | AuthActivityController@tenantActivities |
| GET | /auth/activities/user-security | AuthActivityController@userSecurity |
| GET | /activities | AuthActivityController@index (alias BC) |
| GET | /activities/suspicious | AuthActivityController@suspicious (alias BC) |
| GET | /activities/tenant | AuthActivityController@tenantActivities (alias BC) |
| GET | /activities/user-security | AuthActivityController@userSecurity (alias BC) |
D. Runtime Session#
| Method | Path | Controller | Middleware Khusus |
|---|
| GET | /user/sessions | UserSessionController@index | runtime baseline |
| DELETE | /user/sessions/token/{tokenId} | UserSessionController@revokeByToken | stepup.confirmed |
| DELETE | /user/sessions/device/{deviceName} | UserSessionController@revokeByDevice | stepup.confirmed |
E. Runtime Notification#
| Method | Path | Controller |
|---|
| GET | /user/notifications | UserNotificationController@index |
| PATCH | /user/notifications/read-all | UserNotificationController@markAllAsRead |
| PATCH | /user/notifications/{notificationId}/read | UserNotificationController@markAsRead |
F. Runtime Security#
| Method | Path | Controller | Middleware Khusus |
|---|
| POST | /user/security/confirm-password | UserSecurityController@confirmPassword | runtime baseline |
| GET | /user/security/confirmed-password-status | UserSecurityController@confirmedPasswordStatus | runtime baseline |
| POST | /user/security/pin/verify | UserSecurityController@verifyPin | runtime baseline |
| POST | /user/security/pin/setup | UserSecurityController@setupPin | password.confirmed |
| PUT | /user/security/pin/change | UserSecurityController@changePin | password.confirmed |
| DELETE | /user/security/pin | UserSecurityController@disablePin | password.confirmed |
| PUT | /user/security/password | UserSecurityController@updatePassword | runtime baseline |
| POST | /user/security/two-factor-authentication | UserSecurityController@enableTwoFactorAuthentication | password.confirmed |
| DELETE | /user/security/two-factor-authentication | UserSecurityController@disableTwoFactorAuthentication | password.confirmed |
| POST | /user/security/confirmed-two-factor-authentication | UserSecurityController@confirmTwoFactorAuthentication | password.confirmed |
| GET | /user/security/two-factor-qr-code | UserSecurityController@twoFactorQrCode | password.confirmed |
| GET | /user/security/two-factor-recovery-codes | UserSecurityController@twoFactorRecoveryCodes | password.confirmed |
| POST | /user/security/two-factor-recovery-codes | UserSecurityController@regenerateTwoFactorRecoveryCodes | password.confirmed |
| GET | /user/security/two-factor-secret-key | UserSecurityController@twoFactorSecretKey | password.confirmed |
Class Responsibility Map#
MeController: agregasi data user + tenant + authz.
AuthorizationResolver: resolve roles/permissions tenant-scoped dan platform-scoped.
BuildsAuthenticatedSessionResponse: builder payload session auth.
LoginController + RefreshTokenController: issue/rotate token flow.
SelectTenantController: boundary transisi dari token global ke token tenant-scoped.
GET /auth/me Contract#
{
"success": true,
"code": "SUCCESS",
"data": {
"id": "uuid",
"name": "string",
"account": {
"type": "platform_admin|user",
"status": "active|inactive"
},
"current_tenant": {
"id": "uuid",
"name": "string",
"slug": "string"
},
"authz": {
"roles": ["owner", "ppic"],
"permissions": ["po.create", "mr.read"]
}
}
}
Diubah pada 2026-03-03 22:25:30
