Owner: Dev Team | Last Updated: 2026-02-21 | Status: Current
Booking security architecture -- authentication, authorization, encryption, and data protection.
| Layer | Implementation |
|---|---|
| Authentication | Laravel Sanctum (SPA sessions + API tokens) |
| Authorization | Role-based access control (RBAC) via middleware |
| Encryption at Rest | AES-256-CBC (Laravel encryption), custom EncryptedJsonCast |
| Encryption in Transit | TLS/SSL (production) |
| Input Validation | Laravel Form Requests (105 request classes) |
| CSRF Protection | Laravel CSRF tokens (excluded for webhooks) |
| Password Hashing | Bcrypt (12 rounds) |
| Rate Limiting | Throttle middleware (configurable) |
| User Status | CheckUserStatus middleware |
Authorization headerBokunBasicAuthMiddlewareSuper Admin (s_admin)
└── Full access to all companies and features
Admin (admin)
└── Full access within own company
Manager (manager)
└── Leads, bookings, customers
Content Manager (content_manager)
└── Content, media management
Cashier (cashier)
└── POS operations, bookings
Cruise Employee (cruise_employee)
└── Check-in, manifests
Customer (customer)
└── Client-side only
// RoleMiddleware checks:
1. User is authenticated
2. User role is in allowed roles list
3. If not → 403 Forbidden
// CheckUserStatus checks:
1. User status is active
2. If inactive → logout, session invalidate, redirect to login
| Model | Field | Cast |
|---|---|---|
| Company | mail_config.password |
EncryptedJsonCast |
| Company | token |
Hidden from serialization |
| User | password |
Bcrypt hashed |
APP_KEY=base64:... # Auto-generated by php artisan key:generate
Cipher: AES-256-CBC
105 Form Request classes provide server-side validation of all input data.
Location: app/Http/Requests/
| Measure | Implementation |
|---|---|
| Webhook verification | STRIPE_WEBHOOK_SECRET signature check |
| Manual capture | Funds are authorized but not charged until confirmation |
| Customer creation | Idempotency keys to prevent duplicates |
| PCI compliance | Stripe.js on the client (card data does not pass through the server) |
/webhook/stripe)Warning: Never commit the
.envfile. It contains secrets (APP_KEY, STRIPE_SECRET, DB_PASSWORD).
| Date | Author | Change |
|---|---|---|
| 2026-02-21 | Documentation Team | Initial creation |
Prev: Data Models | Next: Decisions | Up: Architecture