Problem: Frontend JS bundle used credentials:'same-origin' which dropped cookies on cross-domain requests. Login worked (200) but the subsequent /auth/me check returned 401, leaving the user stuck on the login screen. Fix: - AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh - Cookie uses Domain=.fahrschultermin.de (shared between frontend and api subdomain), Secure, SameSite=Lax, Max-Age=8h - JwtMiddleware reads JWT from Authorization header OR cookie - Added AuthController::me() endpoint (was missing, caused 500) - Logout endpoint clears the cookie - Frontend index.php patches fetch() to use credentials:'include' for all /api/v1/* calls
43 lines
862 B
PHP
Executable File
43 lines
862 B
PHP
Executable File
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Support;
|
|
|
|
use App\Repositories\UserRepository;
|
|
|
|
final class Auth
|
|
{
|
|
public static function user(): ?array
|
|
{
|
|
$userId = $_SESSION['user_id'] ?? null;
|
|
if (!$userId) {
|
|
return null;
|
|
}
|
|
|
|
return (new UserRepository())->findById((int) $userId);
|
|
}
|
|
|
|
public static function requireUser(): array
|
|
{
|
|
$user = self::user();
|
|
if ($user === null) {
|
|
Response::json(['message' => 'Unauthenticated'], 401);
|
|
}
|
|
|
|
return $user;
|
|
}
|
|
|
|
public static function requireRole(array|string $roles): array
|
|
{
|
|
$user = self::requireUser();
|
|
$roles = (array) $roles;
|
|
|
|
if (!in_array($user['role'], $roles, true)) {
|
|
Response::json(['message' => 'Forbidden'], 403);
|
|
}
|
|
|
|
return $user;
|
|
}
|
|
}
|