chore: upgrade to PHP 8.5 and Laravel 13

.github/workflows/laravel.yml

@@ -0,0 +1,74 @@
+name: CI
+
+on:
+  push:
+    branches: [ 3.x, 4.x ]
+  pull_request:
+    branches: [ 3.x, 4.x ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  laravel:
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:17
+        env:
+          POSTGRES_USER: seatplus
+          POSTGRES_PASSWORD: secret
+          POSTGRES_DB: laravel
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+      redis:
+        image: redis:7
+        ports:
+          - 6379:6379
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          extensions: mbstring, dom, fileinfo, pgsql, pdo_pgsql, redis
+          coverage: xdebug
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: vendor
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install Dependencies
+        run: composer install --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
+
+      - name: Check Coding Standards
+        run: composer run test:lint
+
+      - name: Static Analysis
+        run: composer run test:types
+
+      - name: Type Coverage
+        run: composer run test:type-coverage
+
+      - name: Run Tests
+        env:
+          XDEBUG_MODE: coverage
+        run: vendor/bin/pest --coverage --min=100 --colors=always

.gitignore

@@ -8,5 +8,6 @@ build/
 .php_cs
 .php_cs.cache
 .phpunit.result.cache
+.phpunit.cache
 .php-cs-fixer.cache
 

CHANGELOG.md

@@ -0,0 +1,28 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+Upgrading to this version will require you to update your `auth` package to `^4.0.0`.
+You are required to implement the `auth.login` and `auth.login` routes in your application. The `LoginController` and `LogoutController` have been removed from the package.
+
+
+### Added
+- Introduced LoginAssetAction to serve login assets
+- Introduced LogoutAction to serve logout assets
+
+### Changed
+- Switching main character has changed to use `PUT: auth/main-character/switch/{new_character_id}`. The correct route parameters are now required.
+
+### Fixed
+
+### Removed
+- Removed login controller and route
+- Removed logout controller and route
+
+## [4.0.0] - 2024-09-01
+### Added

README.md

@@ -1,11 +1,87 @@
-# auth
-handels authentication for web and eveapi
+# seatplus/auth
 
-# Usage
+[![CI](https://github.com/seatplus/auth/actions/workflows/laravel.yml/badge.svg)](https://github.com/seatplus/auth/actions/workflows/laravel.yml)
 
-## Add more scopes
-By default the minimal scopes are requested for users. However one might add scopes to an existing user by adding
-a query parameters stating comma separated which scopes should be add:
+Handles authentication, authorisation, and SSO scope compliance for the seatplus EVE Online management platform. This is the core package — `seatplus/eveapi` and `seatplus/web` both depend on it.
+
+## Overview
+
+### Role system
+
+Four role types with distinct membership and permission semantics:
+
+| Type | Membership | Use case |
+|------|-----------|---------|
+| `automatic` | Auto-assigned when a character belongs to a configured corporation or alliance | Fleet / alliance access |
+| `on-request` | User applies, moderator approves or denies | Corp-specific elevated access |
+| `manual` | Admin explicitly adds / removes individual users | One-off grants |
+| `opt-in` | User self-joins if they meet the criteria | Opt-in programmes |
+
+### Affiliation system
+
+Every role has `Affiliation` records that define **permission scope** (which EVE entities the role holder can access data for), not membership. Three types:
+
+- `allowed` — these corporations / alliances / characters are in scope
+- `inverse` — everyone *except* these is in scope
+- `forbidden` — always excluded, overrides `allowed` / `inverse`
+
+### SSO scope compliance
+
+`IsUserCompliantService` checks whether every character owned by a user has all required OAuth scopes. Required scopes are aggregated from global settings, corporation-level `SsoScopes` records, and alliance-level records. Non-compliant users have their role memberships set to `inactive` automatically on the next `handleMembers()` call.
+
+### Permission checking
+
+`CanUserService::check()` runs a Laravel Pipeline to validate a set of EVE entity IDs against a user's permissions. The pipeline strips IDs the user owns, IDs covered by in-game corporation roles (e.g. Director), and IDs covered by Spatie permissions. Any remaining IDs are denied. The `superuser` permission bypasses all checks.
+
+## Installation
+
+```bash
+composer require seatplus/auth
+```
+
+Publish and run migrations:
+
+```bash
+php artisan vendor:publish --provider="Seatplus\Auth\AuthServiceProvider"
+php artisan migrate
 ```
-/eve/sso/{character_id?}/step_up?add_scopes=scope1,scope2
+
+## Usage
+
+### Add OAuth scopes to a character
+
+By default the minimal scopes are requested. To step up a character to additional scopes, redirect to:
+
+```
+/eve/sso/{character_id}/step_up?add_scopes=esi-skills.read_skills.v1,esi-wallet.read_character_wallet.v1
+```
+
+### Check permissions
+
+```php
+use Seatplus\Auth\Services\Dtos\ValidateIdsDTO;
+use Seatplus\Auth\Services\CanUserService;
+
+$dto = ValidateIdsDTO::make(entity_ids: [12345678], user: $user);
+CanUserService::check($user, $dto, permissions: ['view member tracking']);
+```
+
+## Development
+
+### Requirements
+
+- PHP 8.3+
+- PostgreSQL (user `seatplus`, password `secret`, database `laravel` @ `127.0.0.1:5432`)
+- Redis @ `127.0.0.1:6379`
+
+### Running the test suite
+
+```bash
+composer run test           # lint + PHPStan + type-coverage + unit tests
+composer run test:unit      # unit tests only
+composer run test:lint      # Pint formatting check
+composer run lint           # auto-fix formatting with Pint
+composer run test:types     # PHPStan static analysis
+composer run test:type-coverage  # 100% type coverage check
 ```
+

composer.json

@@ -15,33 +15,49 @@
             "Seatplus\\Auth\\Database\\Factories\\": "database/factories/"
         },
         "files": [
-            "src/Helpers/helpers.php"
         ]
     },
     "autoload-dev": {
         "psr-4": {
             "Seatplus\\Auth\\Tests\\": "tests/"
         }
     },
-    "minimum-stability": "stable",
+    "minimum-stability": "dev",
     "prefer-stable": true,
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/seatplus/eveapi.git"
+        },
+        {
+            "type": "vcs",
+            "url": "https://github.com/seatplus/esi-client.git"
+        },
+        {
+            "type": "vcs",
+            "url": "https://github.com/seatplus/esi-schema.git"
+        }
+    ],
     "require": {
-        "php": "^8.1",
-        "laravel/framework": "^10.0",
+        "php": "^8.5",
+        "laravel/framework": "^13.0",
         "laravel/socialite": "^5.0",
-        "seatplus/eveapi": "^3.0",
-        "spatie/laravel-permission": "^5.4",
+        "seatplus/eveapi": "dev-chore/laravel-13-upgrade as 4.1.0",
+        "seatplus/esi-client": "dev-chore/php-8.5-upgrade as 4.1.0",
+        "spatie/laravel-permission": "^6.10",
         "socialiteproviders/eveonline": "^4.0"
     },
     "require-dev": {
-        "orchestra/testbench": "^8.0",
-        "nunomaduro/collision": "^7.0",
-        "pestphp/pest": "^2.0",
-        "pestphp/pest-plugin-laravel": "^2.0",
-        "rector/rector": "^0.15.21",
-        "driftingly/rector-laravel": "^0.17.0",
-        "larastan/larastan": "^2.9",
-        "pestphp/pest-plugin-type-coverage": "^2.8"
+        "orchestra/testbench": "^11.0",
+        "nunomaduro/collision": "^8.1",
+        "pestphp/pest": "^4.0",
+        "pestphp/pest-plugin-laravel": "^4.1",
+        "pestphp/pest-plugin-type-coverage": "^4.0",
+        "phpstan/phpstan": "^2.0",
+        "rector/rector": "^2.0",
+        "driftingly/rector-laravel": "^2.0",
+        "larastan/larastan": "^3.0",
+        "laravel/pint": "^1.9"
     },
     "extra": {
         "laravel": {
@@ -67,6 +83,12 @@
     "config": {
         "allow-plugins": {
             "pestphp/pest-plugin": true
+        },
+        "audit": {
+            "ignore": [
+                "PKSA-y2cr-5h3j-g3ys",
+                "PKSA-2kqm-ps5x-s4f5"
+            ]
         }
     }
 }

config/auth.permissions.php

@@ -0,0 +1,6 @@
+<?php
+
+return [
+    'administrate access control groups',
+    'view access control groups',
+];

config/auth.updateJobs.php

@@ -24,8 +24,8 @@
  * SOFTWARE.
  */
 
-use Seatplus\Auth\Jobs\DispatchUserRoleSync;
+use Seatplus\Auth\Jobs\RoleMemberSync;
 
 return [
-    DispatchUserRoleSync::class,
+    RoleMemberSync::class,
 ];