Files
drivetimeplaner/backup/old_api_20260520/app/Http/Controllers/ReferenceDataController.php
Hermes Agent 5d87e4975c Add HttpOnly cookie auth for cross-domain SPA login
Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
2026-06-04 20:33:31 +02:00

91 lines
3.0 KiB
PHP
Executable File

<?php
declare(strict_types=1);
namespace App\Http\Controllers;
use App\Repositories\ReferenceDataRepository;
use App\Support\Auth;
use App\Support\Request;
use App\Support\Response;
final class ReferenceDataController
{
public function lessonTypes(): void
{
$user = Auth::requireUser();
Response::json(['data' => (new ReferenceDataRepository())->lessonTypes((int) $user['tenant_id'])]);
}
public function storeLessonType(Request $request): void
{
$user = Auth::requireRole('tenant_admin');
$record = (new ReferenceDataRepository())->createLessonType((int) $user['tenant_id'], $request->input());
Response::json(['data' => $record], 201);
}
public function updateLessonType(Request $request, array $params): void
{
$user = Auth::requireRole('tenant_admin');
$record = (new ReferenceDataRepository())->updateLessonType((int) $user['tenant_id'], (int) $params['id'], $request->input());
Response::json(['data' => $record]);
}
public function destroyLessonType(Request $request, array $params): void
{
$user = Auth::requireRole('tenant_admin');
try {
$deleted = (new ReferenceDataRepository())->deleteLessonType((int) $user['tenant_id'], (int) $params['id']);
} catch (\RuntimeException $exception) {
Response::json(['message' => $exception->getMessage()], 409);
}
if (!$deleted) {
Response::json(['message' => 'Not found'], 404);
}
Response::noContent();
}
public function reorderLessonTypes(Request $request): void
{
$user = Auth::requireRole('tenant_admin');
$records = (new ReferenceDataRepository())->reorderLessonTypes(
(int) $user['tenant_id'],
(array) ($request->input()['lesson_type_ids'] ?? [])
);
Response::json(['data' => $records]);
}
public function updateLessonTypeMatrix(Request $request): void
{
$user = Auth::requireRole('tenant_admin');
$records = (new ReferenceDataRepository())->updateLessonTypeMatrix(
(int) $user['tenant_id'],
(array) ($request->input()['rows'] ?? [])
);
Response::json(['data' => $records]);
}
public function templates(): void
{
$user = Auth::requireUser();
Response::json(['data' => (new ReferenceDataRepository())->templates((int) $user['tenant_id'])]);
}
public function storeTemplate(Request $request): void
{
$user = Auth::requireRole('tenant_admin');
$record = (new ReferenceDataRepository())->createTemplate((int) $user['tenant_id'], $request->input());
Response::json(['data' => $record], 201);
}
public function updateTemplate(Request $request, array $params): void
{
$user = Auth::requireRole('tenant_admin');
$record = (new ReferenceDataRepository())->updateTemplate((int) $user['tenant_id'], (int) $params['id'], $request->input());
Response::json(['data' => $record]);
}
}