Problem: Frontend JS bundle used credentials:'same-origin' which dropped cookies on cross-domain requests. Login worked (200) but the subsequent /auth/me check returned 401, leaving the user stuck on the login screen. Fix: - AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh - Cookie uses Domain=.fahrschultermin.de (shared between frontend and api subdomain), Secure, SameSite=Lax, Max-Age=8h - JwtMiddleware reads JWT from Authorization header OR cookie - Added AuthController::me() endpoint (was missing, caused 500) - Logout endpoint clears the cookie - Frontend index.php patches fetch() to use credentials:'include' for all /api/v1/* calls
37 lines
912 B
PHP
Executable File
37 lines
912 B
PHP
Executable File
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
require __DIR__ . '/../vendor/autoload.php';
|
|
|
|
use App\Config\Container;
|
|
use Symfony\Component\Dotenv\Dotenv;
|
|
|
|
// Load .env file safely
|
|
$envFile = __DIR__ . '/../.env';
|
|
if (file_exists($envFile)) {
|
|
$dotenv = new Dotenv();
|
|
$dotenv->load($envFile);
|
|
}
|
|
|
|
// Boot Eloquent BEFORE creating the app
|
|
Container::boot();
|
|
|
|
$container = Container::build();
|
|
\Slim\Factory\AppFactory::setContainer($container);
|
|
|
|
$app = \Slim\Factory\AppFactory::create();
|
|
|
|
// CORS Middleware
|
|
$app->add(new \Tuupola\Middleware\CorsMiddleware([
|
|
'origin' => ['https://fahrschultermin.de', 'https://www.fahrschultermin.de'],
|
|
'methods' => ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS'],
|
|
'headers.allow' => ['Content-Type', 'Authorization', 'X-Requested-With'],
|
|
'credentials' => true,
|
|
'cache.maxage' => 86400,
|
|
]));
|
|
|
|
// Routes
|
|
(require __DIR__ . '/../src/Routes/api.php')($app);
|
|
|
|
$app->run(); |