Add HttpOnly cookie auth for cross-domain SPA login

Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
This commit is contained in:
Hermes Agent
2026-06-04 20:33:31 +02:00
parent 5f753c15df
commit 5d87e4975c
1040 changed files with 95 additions and 13 deletions

View File

View File

View File

0
www/api.fahrschuldesk.de/app/Support/Database.php Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/app/Support/Response.php Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/bin/migrate.php Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/bin/run_migration.php Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/bootstrap.php Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/composer.json Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/composer.lock generated Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/config/app.php Normal file → Executable file
View File

View File

0
www/api.fahrschuldesk.de/public/index.php Normal file → Executable file
View File

0
www/api.fahrschuldesk.de/routes/api.php Normal file → Executable file
View File

View File

View File

0
www/api.fahrschultermin.de/debug.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/public/index.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/test_auth.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/test_full_dispatch.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/test_http_sim.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/test_json_input.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/test_minimal.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/test_password.php Normal file → Executable file
View File

0
www/api.fahrschultermin.de/test_request.php Normal file → Executable file
View File

0
www/debug_test.php Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/AuditLogs-rWevo39c.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Branches-s_BK2cgz.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Branding-D61QMGtV.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Calendar-B7rUkOeg.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Dashboard-DUl1_Jl9.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Files-BvF-O0NH.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/ForgotPassword-BnefAgO5.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Invoices-DPbiN6Xy.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Learning-C1i3Orm8.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Login-fU5wXJUp.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Messenger-DL4jJcTI.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Modules-XFzn2DhG.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/NotFound-CXY4AhOb.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/PlatformAdmins-BsfJuUAN.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Register-Dtyvn1Yy.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/TenantEdit-TJEJ_0TK.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Tenants-oNbkI0ZB.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/Users-UfUrkk1j.js vendored Normal file → Executable file
View File

View File

0
www/fahrschuldesk.de/dist/assets/index-CeMVzSB6.js vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/assets/index-DnvNyrEP.css vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/dist/index.html vendored Normal file → Executable file
View File

0
www/fahrschuldesk.de/index.html Normal file → Executable file
View File

0
www/fahrschuldesk.de/package-lock.json generated Normal file → Executable file
View File

0
www/fahrschuldesk.de/package.json Normal file → Executable file
View File

0
www/fahrschuldesk.de/public/index.html Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/App.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/api/client.js Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/main.js Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/router/index.js Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/stores/auth.js Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/styles/main.css Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/Dashboard.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/NotFound.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/admin/AuditLogs.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/admin/Invoices.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/admin/Modules.vue Normal file → Executable file
View File

View File

0
www/fahrschuldesk.de/src/views/admin/TenantEdit.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/admin/Tenants.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/auth/ForgotPassword.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/auth/Login.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/auth/Register.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/student/Dashboard.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/student/Learning.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/tenant/Branches.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/tenant/Branding.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/tenant/Calendar.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/tenant/Files.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/tenant/Learning.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/tenant/Messenger.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/src/views/tenant/Users.vue Normal file → Executable file
View File

0
www/fahrschuldesk.de/tailwind.config.js Normal file → Executable file
View File

0
www/fahrschuldesk.de/vite.config.js Normal file → Executable file
View File

0
www/fahrschultermin.de/public/.htaccess Normal file → Executable file
View File

View File

View File

View File

0
www/fahrschultermin.de/public/index.html Normal file → Executable file
View File

28
www/fahrschultermin.de/public/index.php Normal file → Executable file
View File

@@ -1,9 +1,13 @@
<?php
/**
* fahrschultermin.de — Frontend entry point
* Patches fetch() to proxy /api/v1/* calls to api.fahrschultermin.de
* so the JS bundle (with hardcoded /api/v1 paths) just works.
* Patches fetch() to redirect /api/v1/* calls to api.fahrschultermin.de
* with credentials:'include' so cross-domain cookies (dtp_jwt) are sent.
*
* Authentication: The API sets a `dtp_jwt` HttpOnly cookie at login. With
* credentials:'include' the browser sends it automatically on every
* /api/v1/* call, so we never need to add an Authorization header (which
* would trigger a CORS preflight).
*/
const API_BASE = 'https://api.fahrschultermin.de';
@@ -22,7 +26,6 @@ if (is_file($assetManifestPath)) {
}
}
}
?><!doctype html>
<html lang="de">
<head>
@@ -34,20 +37,27 @@ if (is_file($assetManifestPath)) {
<body>
<div id="root"></div>
<script>
// Patch fetch to redirect /api/v1/* → api.fahrschultermin.de/api/v1/*
// ===== Critical: Patch fetch BEFORE the module loads =====
// The bundled JS uses its own internal fetch wrapper with
// credentials:"same-origin", which would drop our dtp_jwt cookie
// on the cross-origin call to api.fahrschultermin.de. We override
// it here so cookies travel and the backend can identify the user.
window.__API_BASE__ = '<?= API_BASE ?>';
const _fetch = window.fetch.bind(window);
window.fetch = function (resource, options = {}) {
let url = typeof resource === 'string' ? resource : resource.url;
if (typeof url === 'string' && url.startsWith('/api/v1')) {
url = '<?= API_BASE ?>' + url;
const req = new Request(url, options);
req.credentials = 'include';
return _fetch(req);
// Make sure the API receives the dtp_jwt cookie
options = Object.assign({}, options, {
credentials: 'include',
mode: 'cors'
});
return _fetch(url, options);
}
return _fetch(resource, options);
};
</script>
<script type="module" src="<?= htmlspecialchars($mainAsset, ENT_QUOTES) ?>"></script>
</body>
</html>
</html>

0
www/fahrschultermin.de/public/zeiterfassung.html Normal file → Executable file
View File