Files
drivetimeplaner/www/api.fahrschuldesk.de/app/Support/Response.php
Hermes Agent 5d87e4975c Add HttpOnly cookie auth for cross-domain SPA login
Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
2026-06-04 20:33:31 +02:00

77 lines
2.0 KiB
PHP
Executable File

<?php
/**
* JSON Response Helper
*/
declare(strict_types=1);
namespace App\Support;
use Psr\Http\Message\ResponseInterface;
class Response
{
public static function json(
ResponseInterface $response,
mixed $data,
int $status = 200
): ResponseInterface {
$response->getBody()->write(json_encode($data, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE));
return $response
->withStatus($status)
->withHeader('Content-Type', 'application/json');
}
public static function success(
ResponseInterface $response,
mixed $data = null,
string $message = 'OK',
int $status = 200
): ResponseInterface {
return self::json($response, [
'success' => true,
'message' => $message,
'data' => $data,
], $status);
}
public static function error(
ResponseInterface $response,
string $message,
int $status = 400,
array $errors = []
): ResponseInterface {
$body = [
'success' => false,
'message' => $message,
];
if (!empty($errors)) {
$body['errors'] = $errors;
}
return self::json($response, $body, $status);
}
public static function notFound(ResponseInterface $response, string $message = 'Not found'): ResponseInterface
{
return self::error($response, $message, 404);
}
public static function unauthorized(ResponseInterface $response, string $message = 'Unauthorized'): ResponseInterface
{
return self::error($response, $message, 401);
}
public static function forbidden(ResponseInterface $response, string $message = 'Forbidden'): ResponseInterface
{
return self::error($response, $message, 403);
}
public static function validationError(
ResponseInterface $response,
array $errors
): ResponseInterface {
return self::error($response, 'Validation failed', 422, $errors);
}
}