Add HttpOnly cookie auth for cross-domain SPA login

Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
This commit is contained in:
Hermes Agent
2026-06-04 20:33:31 +02:00
parent 5f753c15df
commit 5d87e4975c
1040 changed files with 95 additions and 13 deletions

28
www/fahrschultermin.de/public/index.php Normal file → Executable file
View File

@@ -1,9 +1,13 @@
<?php
/**
* fahrschultermin.de — Frontend entry point
* Patches fetch() to proxy /api/v1/* calls to api.fahrschultermin.de
* so the JS bundle (with hardcoded /api/v1 paths) just works.
* Patches fetch() to redirect /api/v1/* calls to api.fahrschultermin.de
* with credentials:'include' so cross-domain cookies (dtp_jwt) are sent.
*
* Authentication: The API sets a `dtp_jwt` HttpOnly cookie at login. With
* credentials:'include' the browser sends it automatically on every
* /api/v1/* call, so we never need to add an Authorization header (which
* would trigger a CORS preflight).
*/
const API_BASE = 'https://api.fahrschultermin.de';
@@ -22,7 +26,6 @@ if (is_file($assetManifestPath)) {
}
}
}
?><!doctype html>
<html lang="de">
<head>
@@ -34,20 +37,27 @@ if (is_file($assetManifestPath)) {
<body>
<div id="root"></div>
<script>
// Patch fetch to redirect /api/v1/* → api.fahrschultermin.de/api/v1/*
// ===== Critical: Patch fetch BEFORE the module loads =====
// The bundled JS uses its own internal fetch wrapper with
// credentials:"same-origin", which would drop our dtp_jwt cookie
// on the cross-origin call to api.fahrschultermin.de. We override
// it here so cookies travel and the backend can identify the user.
window.__API_BASE__ = '<?= API_BASE ?>';
const _fetch = window.fetch.bind(window);
window.fetch = function (resource, options = {}) {
let url = typeof resource === 'string' ? resource : resource.url;
if (typeof url === 'string' && url.startsWith('/api/v1')) {
url = '<?= API_BASE ?>' + url;
const req = new Request(url, options);
req.credentials = 'include';
return _fetch(req);
// Make sure the API receives the dtp_jwt cookie
options = Object.assign({}, options, {
credentials: 'include',
mode: 'cors'
});
return _fetch(url, options);
}
return _fetch(resource, options);
};
</script>
<script type="module" src="<?= htmlspecialchars($mainAsset, ENT_QUOTES) ?>"></script>
</body>
</html>
</html>