Security hardening: encapsulate internals, throttle routes, validate RFC 8058 body

- Make `legacySubscriberType` private with a public getter to prevent
  external mutation of the Subscriber singleton
- Add `throttle:60,1` middleware to both the main and legacy unsubscribe routes
- Validate RFC 8058 POST body (`List-Unsubscribe=One-Click`) in
  UnsubscribeController; return 400 for invalid requests
- Deduplicate `unsubscribeLink()` call in SubscribableNotification::via()
- Warn in stub that the route should not be inside the `web` middleware
  group to avoid CSRF token verification on one-click POST requests
- Update POST tests to send the correct RFC 8058 body; add test asserting
  400 is returned when the body is missing

https://claude.ai/code/session_01R4pAjWwGY8xKspsdU8xnsy

Author: claude

src/Concerns/SubscribableNotification.php

@@ -21,13 +21,13 @@ public static function via(
             : null;
         $listValue = $list instanceof \BackedEnum ? $list->value : $list;
 
+        $unsubscribeUrl = $notifiable->unsubscribeLink($listValue);
+
         if ($listValue !== null) {
-            $message->viewData['unsubscribeLink'] = $notifiable->unsubscribeLink($listValue);
+            $message->viewData['unsubscribeLink'] = $unsubscribeUrl;
         }
         $message->viewData['unsubscribeLinkForAll'] = $notifiable->unsubscribeLink();
 
-        $unsubscribeUrl = $notifiable->unsubscribeLink($listValue);
-
         return $message->withSymfonyMessage(function (Email $email) use ($unsubscribeUrl) {
             $email->getHeaders()->addTextHeader('List-Unsubscribe', sprintf('<%s>', $unsubscribeUrl));
             $email->getHeaders()->addTextHeader('List-Unsubscribe-Post', 'List-Unsubscribe=One-Click');

src/Controllers/LegacyUnsubscribeController.php

@@ -17,7 +17,7 @@ public function __invoke(Request $request, mixed $subscriberId, ?string $mailing
     {
         return app(UnsubscribeController::class)(
             $request,
-            $this->subscriber->legacySubscriberType,
+            $this->subscriber->getLegacySubscriberType(),
             $subscriberId,
             $mailingList
         );

src/Controllers/UnsubscribeController.php

@@ -46,6 +46,10 @@ public function __invoke(Request $request, string $subscriberType, mixed $subscr
         event(new UserUnsubscribed($subscriber, $mailingList));
 
         if ($request->isMethod('post')) {
+            if ($request->input('List-Unsubscribe') !== 'One-Click') {
+                abort(400, __('Invalid unsubscribe request'));
+            }
+
             return response('', 204);
         }
 

src/Subscriber.php

@@ -13,7 +13,12 @@ final class Subscriber
     public string $routeName = 'unsubscribe';
 
     /** Morph type stored when legacyRoutes() is called — used by LegacyUnsubscribeController. */
-    public ?string $legacySubscriberType = null;
+    private ?string $legacySubscriberType = null;
+
+    public function getLegacySubscriberType(): ?string
+    {
+        return $this->legacySubscriberType;
+    }
 
     private ?\Closure $onUnsubscribeFromMailingList = null;
     private ?\Closure $onUnsubscribeFromAllMailingLists = null;
@@ -30,7 +35,8 @@ public function routes(mixed $router = null): void
         $router = $router ?? $this->app->make('router');
         $router->match(['GET', 'POST'], $this->uri, $this->handler)
             ->name($this->routeName)
-            ->where('subscriberType', '[^\d/][^/]*');
+            ->where('subscriberType', '[^\d/][^/]*')
+            ->middleware('throttle:60,1');
     }
 
     public function legacyRoutes(string $defaultModel, mixed $router = null): void
@@ -44,7 +50,8 @@ public function legacyRoutes(string $defaultModel, mixed $router = null): void
             ['GET', 'POST'],
             'unsubscribe/{subscriberId}/{mailingList?}',
             '\YlsIdeas\SubscribableNotifications\Controllers\LegacyUnsubscribeController'
-        )->name($this->routeName . '.legacy');
+        )->name($this->routeName . '.legacy')
+            ->middleware('throttle:60,1');
     }
 
     public function routeName(): string

stubs/SubscribableServiceProvider.stub

@@ -9,6 +9,8 @@ class SubscribableServiceProvider extends ServiceProvider
 {
     public function boot(): void
     {
+        // Note: register this route outside the 'web' middleware group to avoid CSRF token
+        // verification on the POST (RFC 8058 one-click) endpoint.
         Subscriber::routes();
 
         Subscriber::onUnsubscribeFromMailingList(function ($notifiable, string $mailingList) {

tests/Controllers/LegacyUnsubscribeControllerTest.php

@@ -81,7 +81,7 @@ public function test_it_returns_204_for_rfc8058_post_via_legacy_url()
 
         $url = URL::signedRoute('unsubscribe.legacy', ['subscriberId' => $user->id]);
 
-        $this->post($url)->assertNoContent();
+        $this->post($url, ['List-Unsubscribe' => 'One-Click'])->assertNoContent();
     }
 
     public function test_legacy_url_does_not_interfere_with_new_route()

tests/Controllers/UnsubscribeControllerTest.php

@@ -182,7 +182,7 @@ public function test_it_returns_200_for_rfc8058_one_click_post_unsubscribe()
             $called = true;
         });
 
-        $this->post($expectedUser->unsubscribeLink())
+        $this->post($expectedUser->unsubscribeLink(), ['List-Unsubscribe' => 'One-Click'])
             ->assertNoContent();
 
         $this->assertTrue($called);
@@ -205,9 +205,21 @@ public function test_it_returns_200_for_rfc8058_one_click_post_unsubscribe_from_
             $this->assertEquals('newsletter', $list);
         });
 
-        $this->post($expectedUser->unsubscribeLink('newsletter'))
+        $this->post($expectedUser->unsubscribeLink('newsletter'), ['List-Unsubscribe' => 'One-Click'])
             ->assertNoContent();
 
         $this->assertTrue($called);
     }
+
+    public function test_it_rejects_post_without_rfc8058_body()
+    {
+        $expectedUser = DummyUser::create([
+            'name' => 'test',
+            'email' => 'test@testing.local',
+            'password' => 'test',
+        ]);
+
+        $this->post($expectedUser->unsubscribeLink())
+            ->assertStatus(400);
+    }
 }