Commit Graph

6 Commits

Author SHA1 Message Date
Hermes Agent
5d87e4975c Add HttpOnly cookie auth for cross-domain SPA login
Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
2026-06-04 20:33:31 +02:00
Hermes Agent
5f753c15df Add InstructorAvailabilityService with vacation, units limits, break rules
- InstructorAvailabilityService checks:
  1. Vacation (instructor_vacations table)
  2. Regular availability (instructor_availability weekday/time windows)
  3. Daily units limit (max_daily_units + max_daily_override)
  4. Weekly units limit (max_weekly_units + max_weekly_override)
  5. Break rules (between appointments, continuous minutes)

- AppointmentsController now uses availabilityService
- Fixed getQueryParam() -> getQueryParams() compatibility
- Instructor model updated with max_*_units fields
2026-05-20 22:50:26 +02:00
Hermes Agent
f68400e282 feat: add refresh token flow for long-lived sessions
- Add RefreshToken model with rotation
- Add POST /auth/refresh endpoint
- Add POST /auth/logout that revokes refresh token
- Login returns JWT (8h) + refresh_token (30 days)
- Refresh rotates token (old is revoked)
- Fix Carbon\Carbon::now() calls instead of now() helper
- Update API docs
2026-05-20 17:57:18 +02:00
Hermes Agent
af2b179a49 feat: add student conflict detection in appointments
- Add hasStudentConflict() to Appointment model
- Check student conflicts in store() and update()
- Returns 409 Conflict when student has overlapping appointment
- Fixed PostgreSQL sequence for appointments id
2026-05-20 17:45:14 +02:00
Hermes Agent
09759b7619 feat: JWT secret in .env, conflict detection, docs, deploy script
- Move JWT_SECRET from hardcode to .env (security)
- Add hasInstructorConflict() to Appointment model
- Add conflict check in store() and update() — returns 409
- Add .env.example with placeholder
- Add API documentation (README.md)
- Add deploy_api.sh script
2026-05-20 17:30:24 +02:00
Hermes Agent
8ab4e532fd Slim API deployment - composer install + full CRUD endpoints 2026-05-20 14:36:05 +02:00