# Team Sensitive Credentials API

## Overview

The `Team` model contains sensitive WhatsApp Business API credentials (`webhook_verify_token` and `meta_access_token`) that are excluded from mass assignment for security reasons. These fields use Laravel's encrypted casting for secure storage.

## Security Design

- **Not Mass-Assignable**: These fields are NOT in the `$fillable` array, so they can never be set from untrusted request data through mass assignment (`create()`, `update()`, `fill()`)
- **Encrypted Storage**: Fields are automatically encrypted/decrypted using Laravel's `'encrypted'` cast
- **Explicit Setters**: Must be set using dedicated setter methods

## API Methods

### Setting Credentials

```php
// Set webhook verify token
$team->setWebhookVerifyToken('your-secret-token');

// Set Meta access token
$team->setMetaAccessToken('your-meta-access-token');
```

### Reading Credentials

```php
// Get decrypted webhook verify token
$token = $team->getWebhookVerifyToken();

// Get decrypted Meta access token
$token = $team->getMetaAccessToken();

// Or use property access (thanks to encrypted cast)
$token = $team->webhook_verify_token;
$token = $team->meta_access_token;
```

### Clearing Credentials

```php
// Set to null to clear
$team->setWebhookVerifyToken(null);
$team->setMetaAccessToken(null);
```
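The model code behind these methods is not shown on this page; the following is an added example of how the pattern described above can be implemented, not the project's own `Team` model. The namespace, the fillable column list, the `$hidden` entry (an addition that also keeps the credentials out of `toArray()`/`toJson()`), and the choice to persist inside each setter are assumptions.

```php
<?php
// Added example, not the project's own Team model. Namespace, column names
// and the save() inside each setter are assumptions.

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Team extends Model
{
    /**
     * Only non-sensitive columns are mass-assignable. The two credential
     * columns are deliberately absent, so Team::create($request->all())
     * discards them instead of writing attacker-supplied values.
     */
    protected $fillable = ['name', 'slug', 'owner_id', 'plan_id'];

    /**
     * Laravel encrypts these with APP_KEY on write and decrypts on read,
     * so the database column only ever holds ciphertext. Nulls bypass the
     * cast, which is what makes "set to null to clear" work.
     */
    protected $casts = [
        'webhook_verify_token' => 'encrypted',
        'meta_access_token'    => 'encrypted',
    ];

    /**
     * Keep the credentials out of serialised output (API responses, logs,
     * dumps). Addition beyond the page's description.
     */
    protected $hidden = ['webhook_verify_token', 'meta_access_token'];

    public function setWebhookVerifyToken(?string $token): static
    {
        // Direct attribute assignment bypasses $fillable but still goes
        // through the encrypted cast before reaching the database.
        $this->webhook_verify_token = $token;
        $this->save(); // assumption: setters persist immediately

        return $this;
    }

    public function getWebhookVerifyToken(): ?string
    {
        return $this->webhook_verify_token;
    }

    public function setMetaAccessToken(?string $token): static
    {
        $this->meta_access_token = $token;
        $this->save(); // assumption: setters persist immediately

        return $this;
    }

    public function getMetaAccessToken(): ?string
    {
        return $this->meta_access_token;
    }
}
```

Because `$fillable` is set, an unexpected key such as `meta_access_token` in the input array is silently dropped rather than rejected. If you would rather surface that during development, recent Laravel versions offer `Model::preventSilentlyDiscardingAttributes()` (typically called from a service provider in non-production environments), which turns the silent discard into an exception.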

## Usage Examples

### During Team Setup

```php
$team = Team::create([
    'name' => 'My Company',
    'slug' => 'my-company',
    'owner_id' => $user->id,
    'plan_id' => $plan->id,
]);

// Set WhatsApp credentials after creation
$team->setWebhookVerifyToken(config('services.meta.webhook_verify_token'));
$team->setMetaAccessToken($metaAccessToken);
```

### Updating Credentials

```php
$team = Team::find($teamId);

// Update the Meta access token after OAuth refresh
$team->setMetaAccessToken($newAccessToken);
```

### Verifying Webhooks

```php
$team = Team::find($teamId);

// Get the verify token to validate incoming webhooks
$verifyToken = $team->getWebhookVerifyToken();

// PHP rewrites the dot in Meta's `hub.verify_token` query parameter to an
// underscore before Laravel sees it, so read `hub_verify_token`. Compare in
// constant time, and only when a token has actually been configured
// (hash_equals() requires two strings).
$provided = (string) $request->query('hub_verify_token', '');

if ($verifyToken !== null && hash_equals($verifyToken, $provided)) {
    // Token verified
}
```
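Meta's verification handshake is a GET request carrying `hub.mode=subscribe`, `hub.verify_token` and `hub.challenge`, and the endpoint must answer with the raw challenge value. The following is an added example of a complete verification endpoint built on the Team API; it is not code from the page or the project. The controller name, the route-model binding on `{team}`, and the log channel are assumptions.

```php
<?php
// Added example (not the page's or project's own code): Meta webhook
// verification endpoint using Team::getWebhookVerifyToken(). Controller
// name and route binding are assumptions.

namespace App\Http\Controllers;

use App\Models\Team;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\Log;

class WhatsAppWebhookController extends Controller
{
    /**
     * Handle Meta's GET verification handshake. Meta calls this once when
     * the webhook URL is registered and expects hub.challenge echoed back
     * as plain text with a 200 status.
     */
    public function verify(Request $request, Team $team): Response
    {
        // PHP converts the dots in Meta's query keys to underscores.
        $mode      = (string) $request->query('hub_mode', '');
        $provided  = (string) $request->query('hub_verify_token', '');
        $challenge = (string) $request->query('hub_challenge', '');

        $expected = $team->getWebhookVerifyToken();

        // A team with no configured token must never verify, and
        // hash_equals() would throw on null anyway.
        if ($expected === null || $mode !== 'subscribe') {
            return response('Forbidden', 403);
        }

        // Constant-time comparison: a plain === short-circuits on the first
        // differing byte and leaks the token through response timing.
        if (! hash_equals($expected, $provided)) {
            // Record the team and source for detection, never the tokens.
            Log::warning('WhatsApp webhook verification failed', [
                'team_id' => $team->id,
                'ip'      => $request->ip(),
            ]);

            return response('Forbidden', 403);
        }

        return response($challenge, 200)->header('Content-Type', 'text/plain');
    }
}
```

A matching route (also an assumption) would look like `Route::get('/webhooks/whatsapp/{team:slug}', [WhatsAppWebhookController::class, 'verify']);`. Keeping the token out of the warning log matters: a misconfigured log shipper is a far more common leak path than the encrypted database column this design protects.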

## Why This Design?

This pattern follows the same security approach used in `WhatsAppChannel::setAccessToken()`:

1. **Prevents Mass Assignment Vulnerabilities**: Even if request data is passed directly to `Team::create()` or `update()`, these sensitive fields cannot be set
2. **Explicit Intent**: Forces developers to explicitly handle sensitive credentials
3. **Audit Trail**: Makes it clear in code where credentials are being set
4. **Type Safety**: Methods provide clear parameter types and return values

## Testing

See `tests/Unit/Models/TeamTest.php` for comprehensive test coverage including:
- Mass assignment protection
- Setter/getter functionality
- Encryption verification
- Null value handling
- Property accessor compatibility
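As an added illustration of the checks listed above (this is an example, not the project's `tests/Unit/Models/TeamTest.php`), the test below exercises mass-assignment protection, encryption at rest and null handling. It assumes a `TeamFactory` exists, that the table is named `teams`, and that the `encrypted` cast uses the application's default encrypter (so `Crypt::decryptString()` can read the raw column). The factory is used only to obtain a saved row; factories run unguarded, so the mass-assignment check deliberately uses `new Team([...])` instead.

```php
<?php
// Added example test, not the project's own TeamTest. Factory, table name
// and column names are assumptions.

namespace Tests\Unit\Models;

use App\Models\Team;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;
use Tests\TestCase;

class TeamCredentialsTest extends TestCase
{
    use RefreshDatabase;

    public function test_credentials_are_ignored_by_mass_assignment(): void
    {
        // Simulates request data that smuggles credential fields into fill().
        $team = new Team([
            'name'                 => 'Acme',
            'slug'                 => 'acme',
            'meta_access_token'    => 'attacker-controlled',
            'webhook_verify_token' => 'attacker-controlled',
        ]);

        $this->assertSame('Acme', $team->name);
        $this->assertNull($team->meta_access_token);
        $this->assertNull($team->webhook_verify_token);
    }

    public function test_access_token_is_stored_encrypted(): void
    {
        $team = Team::factory()->create(); // assumption: TeamFactory exists

        $team->setMetaAccessToken('constructed-plaintext-token');
        $team->save(); // harmless if the setter already persists

        $raw = DB::table('teams')->where('id', $team->id)->value('meta_access_token');

        // The column holds ciphertext, not the token itself...
        $this->assertNotSame('constructed-plaintext-token', $raw);
        $this->assertStringNotContainsString('plaintext', $raw);
        // ...which the application key decrypts back to the original...
        $this->assertSame('constructed-plaintext-token', Crypt::decryptString($raw));
        // ...and the model reads transparently through the cast.
        $this->assertSame('constructed-plaintext-token', $team->fresh()->getMetaAccessToken());
    }

    public function test_setting_null_clears_the_credential(): void
    {
        $team = Team::factory()->create();
        $team->setWebhookVerifyToken('constructed-secret');
        $team->save();

        $team->setWebhookVerifyToken(null);
        $team->save();

        $this->assertNull($team->fresh()->getWebhookVerifyToken());
        $this->assertNull(
            DB::table('teams')->where('id', $team->id)->value('webhook_verify_token')
        );
    }
}
```

The raw-column assertion is the one that catches regressions silently removing the `encrypted` cast: the getter keeps returning the right value either way, so only reading the column directly proves the token never reaches the database in the clear.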
