Problem: Frontend JS bundle used credentials:'same-origin' which dropped cookies on cross-domain requests. Login worked (200) but the subsequent /auth/me check returned 401, leaving the user stuck on the login screen. Fix: - AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh - Cookie uses Domain=.fahrschultermin.de (shared between frontend and api subdomain), Secure, SameSite=Lax, Max-Age=8h - JwtMiddleware reads JWT from Authorization header OR cookie - Added AuthController::me() endpoint (was missing, caused 500) - Logout endpoint clears the cookie - Frontend index.php patches fetch() to use credentials:'include' for all /api/v1/* calls
61 lines
2.0 KiB
PHP
Executable File
61 lines
2.0 KiB
PHP
Executable File
<?php
|
|
// Simulate HTTP request via environment variables
|
|
$_SERVER['REQUEST_URI'] = '/api/v1/auth/login';
|
|
$_SERVER['REQUEST_METHOD'] = 'POST';
|
|
$_SERVER['HTTP_HOST'] = 'api.fahrschultermin.de';
|
|
$_SERVER['HTTPS'] = 'on';
|
|
$_SERVER['CONTENT_TYPE'] = 'application/json';
|
|
$_SERVER['SERVER_SOFTWARE'] = 'Caddy';
|
|
|
|
// Also add needed env vars that index.php uses
|
|
$_ENV['REQUEST_METHOD'] = 'POST';
|
|
$_ENV['REQUEST_URI'] = '/api/v1/auth/login';
|
|
|
|
const BASE_PATH = __DIR__;
|
|
|
|
spl_autoload_register(static function (string $class): void {
|
|
$prefix = 'App\\';
|
|
if (!str_starts_with($class, $prefix)) return;
|
|
$relativeClass = substr($class, strlen($prefix));
|
|
$path = BASE_PATH . '/app/' . str_replace('\\', '/', $relativeClass) . '.php';
|
|
if (is_file($path)) require_once $path;
|
|
});
|
|
|
|
$config = require BASE_PATH . '/config/app.php';
|
|
date_default_timezone_set('UTC');
|
|
session_name($config['session_name']);
|
|
|
|
$sessionPath = $config['session_path'] ?? BASE_PATH . '/storage/sessions';
|
|
if (!is_dir($sessionPath)) mkdir($sessionPath, 0775, true);
|
|
session_save_path($sessionPath);
|
|
|
|
$isHttps = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
|
|
$sameSite = $isHttps ? 'None' : 'Lax';
|
|
session_set_cookie_params([
|
|
'lifetime' => 0,
|
|
'path' => '/',
|
|
'domain' => $config['session_domain'] ?? '',
|
|
'secure' => $isHttps,
|
|
'httponly' => true,
|
|
'samesite' => $sameSite,
|
|
]);
|
|
|
|
// Important: Start session BEFORE any output
|
|
session_start();
|
|
|
|
// Now check if we can read the JSON body
|
|
$raw = file_get_contents('php://input');
|
|
echo "Raw input: '$raw'\n";
|
|
|
|
\App\Support\Database::configure($config);
|
|
|
|
$request = new \App\Support\Request();
|
|
$input = $request->input();
|
|
echo "Parsed input: " . json_encode($input) . "\n";
|
|
echo "Request path: " . $request->path() . "\n";
|
|
echo "Request method: " . $request->method() . "\n";
|
|
|
|
$auth = new \App\Http\Controllers\AuthController();
|
|
$router = new \App\Support\Router($request);
|
|
$router->post('/api/v1/auth/login', [$auth, 'login']);
|
|
$router->dispatch(); |