Files
drivetimeplaner/www/api.fahrschuldesk.de/public/index.php
Hermes Agent 5d87e4975c Add HttpOnly cookie auth for cross-domain SPA login
Problem: Frontend JS bundle used credentials:'same-origin' which
dropped cookies on cross-domain requests. Login worked (200) but
the subsequent /auth/me check returned 401, leaving the user stuck
on the login screen.

Fix:
- AuthController now sets a dtp_jwt HttpOnly cookie on login/refresh
- Cookie uses Domain=.fahrschultermin.de (shared between frontend
  and api subdomain), Secure, SameSite=Lax, Max-Age=8h
- JwtMiddleware reads JWT from Authorization header OR cookie
- Added AuthController::me() endpoint (was missing, caused 500)
- Logout endpoint clears the cookie
- Frontend index.php patches fetch() to use credentials:'include'
  for all /api/v1/* calls
2026-06-04 20:33:31 +02:00

75 lines
2.1 KiB
PHP
Executable File

<?php
/**
* fahrschuldesk API - Entry Point
*/
declare(strict_types=1);
require __DIR__ . '/../vendor/autoload.php';
use App\Support\Database;
use App\Support\Response;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Factory\AppFactory;
use Slim\Routing\RouteCollectorProxy;
// Load config
$config = require __DIR__ . '/../config/app.php';
// Set timezone
date_default_timezone_set($config['app']['timezone']);
// Create app
$app = AppFactory::create();
// Get container
$container = $app->getContainer();
// Database connection for SSH tunnel
$dsn = sprintf(
'pgsql:host=%s;port=%d;dbname=%s',
$config['db']['host'],
$config['db']['port'],
$config['db']['database']
);
try {
$pdo = new PDO($dsn, $config['db']['username'], $config['db']['password'], [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
]);
Database::setConnection($pdo);
} catch (PDOException $e) {
die('Database connection failed: ' . $e->getMessage());
}
// CORS Middleware
$app->add(function (ServerRequestInterface $request, RequestHandlerInterface $handler) use ($config) {
$origin = $request->getHeaderLine('Origin');
$allowed = $config['cors']['allowed_origins'];
if (in_array('*', $allowed) || in_array($origin, $allowed)) {
return $handler->handle($request)
->withHeader('Access-Control-Allow-Origin', $origin ?: '*')
->withHeader('Access-Control-Allow-Methods', implode(', ', $config['cors']['allowed_methods']))
->withHeader('Access-Control-Allow-Headers', implode(', ', $config['cors']['allowed_headers']))
->withHeader('Access-Control-Allow-Credentials', 'true');
}
return $handler->handle($request);
});
// Error middleware
$displayErrors = $config['app']['debug'];
$app->addErrorMiddleware($displayErrors, true, true);
// Import routes
require __DIR__ . '/../routes/api.php';
// Run
$app->run();