2026-05-08 09:37:16 +03:00
|
|
|
|
<?php
|
|
|
|
|
|
|
2026-05-16 15:01:07 +03:00
|
|
|
|
use App\Http\Middleware\EnsureSaasAdmin;
|
2026-05-08 14:29:50 +03:00
|
|
|
|
use App\Http\Middleware\SetTenantContext;
|
2026-05-21 06:42:38 +03:00
|
|
|
|
use Illuminate\Database\QueryException;
|
2026-05-08 09:37:16 +03:00
|
|
|
|
use Illuminate\Foundation\Application;
|
|
|
|
|
|
use Illuminate\Foundation\Configuration\Exceptions;
|
|
|
|
|
|
use Illuminate\Foundation\Configuration\Middleware;
|
2026-05-21 06:42:38 +03:00
|
|
|
|
use Illuminate\Http\Request;
|
|
|
|
|
|
use Illuminate\Support\Facades\Log;
|
2026-05-29 14:14:04 +03:00
|
|
|
|
use Illuminate\Validation\ValidationException;
|
2026-05-08 09:37:16 +03:00
|
|
|
|
|
|
|
|
|
|
return Application::configure(basePath: dirname(__DIR__))
|
|
|
|
|
|
->withRouting(
|
|
|
|
|
|
web: __DIR__.'/../routes/web.php',
|
|
|
|
|
|
commands: __DIR__.'/../routes/console.php',
|
|
|
|
|
|
health: '/up',
|
|
|
|
|
|
)
|
|
|
|
|
|
->withMiddleware(function (Middleware $middleware): void {
|
2026-05-08 19:41:35 +03:00
|
|
|
|
// /api/auth/* размещены в web.php (см. routes/web.php) и используют
|
|
|
|
|
|
// session-based Sanctum auth. Token-based mode (через api.php) пока
|
|
|
|
|
|
// не нужен — добавим если понадобится для интеграций.
|
|
|
|
|
|
|
2026-05-08 14:29:50 +03:00
|
|
|
|
$middleware->alias([
|
|
|
|
|
|
'tenant' => SetTenantContext::class,
|
2026-05-16 15:01:07 +03:00
|
|
|
|
'saas-admin' => EnsureSaasAdmin::class,
|
2026-05-08 14:29:50 +03:00
|
|
|
|
]);
|
2026-05-09 05:33:21 +03:00
|
|
|
|
|
|
|
|
|
|
// Webhook receive endpoint (POST /api/webhook/{token}) не должен требовать
|
|
|
|
|
|
// CSRF — запросы приходят от внешних CRM-систем без сессии браузера.
|
|
|
|
|
|
// Авторизация — через webhook_token в URL + (на prod) HMAC.
|
|
|
|
|
|
$middleware->validateCsrfTokens(except: [
|
|
|
|
|
|
'api/webhook/*',
|
|
|
|
|
|
]);
|
2026-05-08 09:37:16 +03:00
|
|
|
|
})
|
|
|
|
|
|
->withExceptions(function (Exceptions $exceptions): void {
|
2026-05-29 14:14:04 +03:00
|
|
|
|
// Reduce verbosity of constraint-violation logging (SQLSTATE 23xxx):
|
|
|
|
|
|
// data-validity errors do not need a full stack trace в laravel.log.
|
|
|
|
|
|
// Incident 2026-05-29: 420k повторов B1+SMS check_violation накопили
|
|
|
|
|
|
// 8.7 GB stack traces → disk full → 4h prod downtime.
|
|
|
|
|
|
// Solution: log a warning summary с sqlstate, return false to stop
|
|
|
|
|
|
// default reporting (which would write full stack trace).
|
|
|
|
|
|
// Ref: docs/incidents/2026-05-29-disk-full-pg-recovery.md §5
|
|
|
|
|
|
$exceptions->reportable(function (QueryException $e) {
|
|
|
|
|
|
$sqlState = $e->errorInfo[0] ?? '';
|
|
|
|
|
|
if (is_string($sqlState) && str_starts_with($sqlState, '23')) {
|
|
|
|
|
|
Log::warning('db.constraint_violation', [
|
|
|
|
|
|
'sqlstate' => $sqlState,
|
|
|
|
|
|
'message' => mb_substr($e->getMessage(), 0, 200),
|
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
|
|
return false; // skip default reporting (no stack trace в laravel.log)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return null; // continue default reporting для non-constraint QueryExceptions
|
|
|
|
|
|
});
|
|
|
|
|
|
|
2026-05-21 06:42:38 +03:00
|
|
|
|
$exceptions->render(function (QueryException $e, Request $request) {
|
2026-05-29 14:14:04 +03:00
|
|
|
|
$sqlState = $e->errorInfo[0] ?? '';
|
|
|
|
|
|
$isConstraintViolation = is_string($sqlState) && str_starts_with($sqlState, '23');
|
|
|
|
|
|
|
|
|
|
|
|
if (! $isConstraintViolation) {
|
|
|
|
|
|
// Default verbose log для non-constraint QueryExceptions (table missing,
|
|
|
|
|
|
// syntax error, etc. — these are bugs needing investigation).
|
|
|
|
|
|
Log::error('db.query_exception', [
|
|
|
|
|
|
'message' => $e->getMessage(),
|
|
|
|
|
|
'sql' => $e->getSql(),
|
|
|
|
|
|
'path' => $request->path(),
|
|
|
|
|
|
]);
|
|
|
|
|
|
}
|
|
|
|
|
|
// Constraint violations уже залогированы в reportable() выше как warning,
|
|
|
|
|
|
// дублировать не нужно.
|
|
|
|
|
|
|
2026-05-21 06:42:38 +03:00
|
|
|
|
if ($request->expectsJson()) {
|
|
|
|
|
|
return response()->json([
|
|
|
|
|
|
'message' => 'Не удалось сохранить. Проверьте данные или попробуйте ещё раз.',
|
|
|
|
|
|
], 422);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return null; // default render for non-JSON
|
|
|
|
|
|
});
|
2026-05-25 16:30:35 +03:00
|
|
|
|
|
|
|
|
|
|
// Supplier webhook always returns JSON, even when client omits Accept header.
|
|
|
|
|
|
// Without this render, Laravel's default ValidationException handler returns
|
|
|
|
|
|
// 302 redirect to /, which strips POST body — losing supplier leads.
|
|
|
|
|
|
// Confirmed 2026-05-25: 76 of 234 webhook hits today got 302 instead of 422.
|
2026-05-29 14:14:04 +03:00
|
|
|
|
$exceptions->render(function (ValidationException $e, Request $request) {
|
2026-05-25 16:30:35 +03:00
|
|
|
|
if ($request->is('api/webhook/supplier/*')) {
|
|
|
|
|
|
return response()->json([
|
|
|
|
|
|
'message' => 'Validation failed',
|
|
|
|
|
|
'errors' => $e->errors(),
|
|
|
|
|
|
], 422);
|
|
|
|
|
|
}
|
2026-05-29 14:14:04 +03:00
|
|
|
|
|
2026-05-25 16:30:35 +03:00
|
|
|
|
return null; // default render for other routes
|
|
|
|
|
|
});
|
2026-05-08 09:37:16 +03:00
|
|
|
|
})->create();
|
