Add HttpOnly cookie auth for cross-domain SPA login
Problem: Frontend JS bundle used credentials:'same-origin' which dropped cookies on cross-domain requests. Login worked (200) but the subsequent /auth/me check returned 401, leaving the user stuck on the login screen. Fix: - AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh - Cookie uses Domain=.fahrschultermin.de (shared between frontend and api subdomain), Secure, SameSite=Lax, Max-Age=8h - JwtMiddleware reads JWT from Authorization header OR cookie - Added AuthController::me() endpoint (was missing, caused 500) - Logout endpoint clears the cookie - Frontend index.php patches fetch() to use credentials:'include' for all /api/v1/* calls
This commit is contained in:
0
www/fahrschultermin.de/public/.htaccess
Normal file → Executable file
0
www/fahrschultermin.de/public/.htaccess
Normal file → Executable file
0
www/fahrschultermin.de/public/assets/.vite/manifest.json
Normal file → Executable file
0
www/fahrschultermin.de/public/assets/.vite/manifest.json
Normal file → Executable file
0
www/fahrschultermin.de/public/assets/assets/main-C54NZrM5.css
Normal file → Executable file
0
www/fahrschultermin.de/public/assets/assets/main-C54NZrM5.css
Normal file → Executable file
0
www/fahrschultermin.de/public/assets/assets/main-F76uNDS1.js
Normal file → Executable file
0
www/fahrschultermin.de/public/assets/assets/main-F76uNDS1.js
Normal file → Executable file
0
www/fahrschultermin.de/public/index.html
Normal file → Executable file
0
www/fahrschultermin.de/public/index.html
Normal file → Executable file
28
www/fahrschultermin.de/public/index.php
Normal file → Executable file
28
www/fahrschultermin.de/public/index.php
Normal file → Executable file
@@ -1,9 +1,13 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* fahrschultermin.de — Frontend entry point
|
||||
* Patches fetch() to proxy /api/v1/* calls to api.fahrschultermin.de
|
||||
* so the JS bundle (with hardcoded /api/v1 paths) just works.
|
||||
* Patches fetch() to redirect /api/v1/* calls to api.fahrschultermin.de
|
||||
* with credentials:'include' so cross-domain cookies (dtp_jwt) are sent.
|
||||
*
|
||||
* Authentication: The API sets a `dtp_jwt` HttpOnly cookie at login. With
|
||||
* credentials:'include' the browser sends it automatically on every
|
||||
* /api/v1/* call, so we never need to add an Authorization header (which
|
||||
* would trigger a CORS preflight).
|
||||
*/
|
||||
|
||||
const API_BASE = 'https://api.fahrschultermin.de';
|
||||
@@ -22,7 +26,6 @@ if (is_file($assetManifestPath)) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
?><!doctype html>
|
||||
<html lang="de">
|
||||
<head>
|
||||
@@ -34,20 +37,27 @@ if (is_file($assetManifestPath)) {
|
||||
<body>
|
||||
<div id="root"></div>
|
||||
<script>
|
||||
// Patch fetch to redirect /api/v1/* → api.fahrschultermin.de/api/v1/*
|
||||
// ===== Critical: Patch fetch BEFORE the module loads =====
|
||||
// The bundled JS uses its own internal fetch wrapper with
|
||||
// credentials:"same-origin", which would drop our dtp_jwt cookie
|
||||
// on the cross-origin call to api.fahrschultermin.de. We override
|
||||
// it here so cookies travel and the backend can identify the user.
|
||||
window.__API_BASE__ = '<?= API_BASE ?>';
|
||||
const _fetch = window.fetch.bind(window);
|
||||
window.fetch = function (resource, options = {}) {
|
||||
let url = typeof resource === 'string' ? resource : resource.url;
|
||||
if (typeof url === 'string' && url.startsWith('/api/v1')) {
|
||||
url = '<?= API_BASE ?>' + url;
|
||||
const req = new Request(url, options);
|
||||
req.credentials = 'include';
|
||||
return _fetch(req);
|
||||
// Make sure the API receives the dtp_jwt cookie
|
||||
options = Object.assign({}, options, {
|
||||
credentials: 'include',
|
||||
mode: 'cors'
|
||||
});
|
||||
return _fetch(url, options);
|
||||
}
|
||||
return _fetch(resource, options);
|
||||
};
|
||||
</script>
|
||||
<script type="module" src="<?= htmlspecialchars($mainAsset, ENT_QUOTES) ?>"></script>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
||||
0
www/fahrschultermin.de/public/zeiterfassung.html
Normal file → Executable file
0
www/fahrschultermin.de/public/zeiterfassung.html
Normal file → Executable file
Reference in New Issue
Block a user