Files
Hermes Agent 5d87e4975c Add HttpOnly cookie auth for cross-domain SPA login
Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
2026-06-04 20:33:31 +02:00

28 lines
973 B
PHP
Executable File

<?php
declare(strict_types=1);
$bootstrap = require __DIR__ . '/../app/bootstrap.php';
use App\Support\Database;
$db = Database::connection();
$migrations = glob(__DIR__ . '/../database/migrations/*.sql');
sort($migrations);
foreach ($migrations as $migration) {
$statements = array_filter(array_map('trim', explode(';', file_get_contents($migration))));
foreach ($statements as $statement) {
if (preg_match('/^ALTER\s+TABLE\s+([A-Za-z0-9_]+)\s+ADD\s+COLUMN\s+([A-Za-z0-9_]+)/i', $statement, $matches) === 1) {
$columns = $db->query('PRAGMA table_info(' . $matches[1] . ')')->fetchAll();
$columnNames = array_map(static fn (array $column): string => strtolower((string) $column['name']), $columns);
if (in_array(strtolower($matches[2]), $columnNames, true)) {
continue;
}
}
$db->exec($statement);
}
fwrite(STDOUT, "Applied: " . basename($migration) . PHP_EOL);
}