Commit Graph

15 Commits

Author SHA1 Message Date
Hermes Agent
5d87e4975c Add HttpOnly cookie auth for cross-domain SPA login
Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
2026-06-04 20:33:31 +02:00
Hermes Agent
5f753c15df Add InstructorAvailabilityService with vacation, units limits, break rules
- InstructorAvailabilityService checks:
  1. Vacation (instructor_vacations table)
  2. Regular availability (instructor_availability weekday/time windows)
  3. Daily units limit (max_daily_units + max_daily_override)
  4. Weekly units limit (max_weekly_units + max_weekly_override)
  5. Break rules (between appointments, continuous minutes)

- AppointmentsController now uses availabilityService
- Fixed getQueryParam() -> getQueryParams() compatibility
- Instructor model updated with max_*_units fields
2026-05-20 22:50:26 +02:00
Hermes Agent
f68400e282 feat: add refresh token flow for long-lived sessions
- Add RefreshToken model with rotation
- Add POST /auth/refresh endpoint
- Add POST /auth/logout that revokes refresh token
- Login returns JWT (8h) + refresh_token (30 days)
- Refresh rotates token (old is revoked)
- Fix Carbon\Carbon::now() calls instead of now() helper
- Update API docs
2026-05-20 17:57:18 +02:00
Hermes Agent
af2b179a49 feat: add student conflict detection in appointments
- Add hasStudentConflict() to Appointment model
- Check student conflicts in store() and update()
- Returns 409 Conflict when student has overlapping appointment
- Fixed PostgreSQL sequence for appointments id
2026-05-20 17:45:14 +02:00
Hermes Agent
09759b7619 feat: JWT secret in .env, conflict detection, docs, deploy script
- Move JWT_SECRET from hardcode to .env (security)
- Add hasInstructorConflict() to Appointment model
- Add conflict check in store() and update() — returns 409
- Add .env.example with placeholder
- Add API documentation (README.md)
- Add deploy_api.sh script
2026-05-20 17:30:24 +02:00
Hermes Agent
09324a9513 Clean: remove old custom PHP API from www/fahrschultermin.de 2026-05-20 16:36:18 +02:00
Hermes Agent
8fccf0e406 Backup: old custom PHP API code removed from fahrschultermin.de 2026-05-20 16:36:12 +02:00
Hermes Agent
8ab4e532fd Slim API deployment - composer install + full CRUD endpoints 2026-05-20 14:36:05 +02:00
Hermes Agent
48bf9c7088 Patch API URL in JS bundle: /api/v1 → api.fahrschultermin.de/api/v1 2026-05-18 23:50:24 +02:00
Hermes Agent
2d6c0ad3aa Split API and frontend, migrate SQLite to PostgreSQL
- api.fahrschultermin.de: full API entry point with CORS + session auth
- fahrschultermin.de: frontend only, no more /api/v1 routing
- Database.php: PostgreSQL support (pgsql driver + lastval())
- All repositories: use Database::lastInsertId() for PG compatibility
- config/app.php: PostgreSQL connection settings + CORS config
- bootstrap.php: pass full $config to Database::configure()
- public/index.php: fetch-patch to redirect /api/v1 to api.fahrschultermin.de
- database/schema_pgsql.sql: full PostgreSQL schema (BIGSERIAL)
- database/import_pgsql.sql: 518 rows migrated from SQLite
2026-05-18 23:50:00 +02:00
Hermes Agent
33d61c2fc7 Phase 1 complete - API + Frontend deployed, DB migrated 2026-05-18 23:28:25 +02:00
Hermes Agent
4f0ab5c518 Phase 1: API + Frontend Skelett 2026-05-18 23:08:54 +02:00
Hermes Agent
aa9580c061 Docs: fahrschuldesk Plan erweitert - Billing, Messenger, DKS, Audit-Log, Branding, Self-Hosted 2026-05-18 22:59:02 +02:00
Hermes Agent
6ca0df4538 Docs: fahrschuldesk Projektplan angelegt 2026-05-18 22:49:36 +02:00
Hermes Agent
22206d361a Initial commit: sync from server - all domains and code 2026-05-18 22:12:40 +02:00