Initial commit

2026-03-12 12:43:56 +01:00
commit f733dee856
137 changed files with 51192 additions and 0 deletions
--- a/api/admin/refresh.php
+++ b/api/admin/refresh.php
@@ -0,0 +1,59 @@
+<?php
+
+/**
+ * BOHA Automation - Token Refresh Endpoint
+ *
+ * Uses the httpOnly refresh_token cookie to issue a new access token.
+ * Called silently on page load and when access token expires.
+ */
+
+declare(strict_types=1);
+
+require_once dirname(__DIR__) . '/config.php';
+require_once dirname(__DIR__) . '/includes/JWTAuth.php';
+require_once dirname(__DIR__) . '/includes/RateLimiter.php';
+
+setCorsHeaders();
+setSecurityHeaders();
+setNoCacheHeaders();
+header('Content-Type: application/json; charset=utf-8');
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    errorResponse('Method not allowed', 405);
+}
+
+$rateLimiter = new RateLimiter();
+$rateLimiter->enforce('refresh', 30);
+
+// Check for refresh token in cookie
+if (!isset($_COOKIE['refresh_token'])) {
+    errorResponse('No refresh token', 401);
+}
+
+// Attempt to refresh tokens
+$result = JWTAuth::refreshTokens();
+
+if (!$result) {
+    errorResponse('Invalid or expired refresh token', 401);
+}
+
+// Add 2FA info to user data
+try {
+    $pdo = db();
+    $stmt = $pdo->prepare('SELECT totp_enabled FROM users WHERE id = ?');
+    $stmt->execute([$result['user']['id']]);
+    $u = $stmt->fetch();
+    $result['user']['totp_enabled'] = (bool) ($u['totp_enabled'] ?? false);
+
+    $stmt = $pdo->query("SELECT require_2fa FROM company_settings LIMIT 1");
+    $result['user']['require_2fa'] = (bool) $stmt->fetchColumn();
+} catch (PDOException $e) {
+    $result['user']['totp_enabled'] = false;
+    $result['user']['require_2fa'] = false;
+}
+
+successResponse([
+    'access_token' => $result['access_token'],
+    'expires_in' => $result['expires_in'],
+    'user' => $result['user'],
+], 'Token refreshed');