fix: Security hardening for auth and token flows

[MrAdder]

This PR improves authentication/session safety, token handling, and state-changing request semantics across account and visit-transfer flows.

• Strengthened token generation and token-used behaviour.
• Added OAuth call back state validation for Discord account linking.
• Hardened visit-transfer reference token handling and authorization checks.
• Corrected password complexity validation so numeric requirements are enforced.
• Removed debug-dump error handling from runtime paths and replaced with safe handling.
• Converted sensitive state-changing actions from GET to POST and updated related UI forms to include CSRF protection.

Tests

• Added/updated automated tests for OAuth call back validation, reference-token authorization/validity, password complexity checks, UKCP failure handling, and updated TeamSpeak account-management flows.
• Relevant feature/unit suites pass.

[Copilot]

Pull request overview

This PR hardens several authentication- and token-adjacent flows (OAuth callback integrity, token generation/consumption semantics, and state-changing endpoints) and updates the UI/tests accordingly to reduce security risk.

Changes:

• Strengthens token generation/used semantics and adds additional token validity checks in visit-transfer reference flows.
• Adds Discord OAuth callback state validation and updates related tests.
• Converts several state-changing routes from GET to POST and updates Blade templates to submit CSRF-protected forms; adds/updates tests for UKCP + password complexity.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/Unit/UKCPLibraryTest.php	Adds unit coverage for UKCP “mark notification read” behavior.
tests/Feature/VisitTransfer/ReferenceTokenSecurityTest.php	New feature tests covering reference-token owner/type/expiry/used behavior.
tests/Feature/Services/DiscordTest.php	Adds/updates OAuth callback tests for state validation.
tests/Feature/Account/TeamspeakManagementTest.php	Updates delete action to POST and stabilizes config for test runs.
tests/Feature/Account/ResetPasswordTest.php	Adds test ensuring numeric password requirement is enforced.
routes/web-main.php	Switches several state-changing endpoints from GET to POST.
resources/views/teamspeak/new.blade.php	Replaces destructive link with CSRF-protected POST form.
resources/views/mship/management/dashboard.blade.php	Converts several state-changing links to CSRF-protected POST forms.
app/Providers/AppServiceProvider.php	Fixes numbers validator to actually check numeric characters.
app/Models/Sys/Token.php	Replaces uniqid token codes with secure random codes; updates “used” semantics.
app/Libraries/UKCP.php	Removes dd() and returns false on mark-notification failure.
app/Http/Requests/VisitTransfer/ReferenceSubmitRequest.php	Removes the existing FormRequest (validation/authorization).
app/Http/Requests/Mship/Account/DiscordRegistration.php	Requires state for Discord OAuth callback requests.
app/Http/Controllers/VisitTransfer/Site/Reference.php	Adds reference-token resolution/validation helpers; updates cancel/complete flows.
app/Http/Controllers/Discord/Registration.php	Stores OAuth state in session on redirect; validates state on callback.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.