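<?php
/**
 * BOHA Automation - Token Refresh Endpoint
 *
 * Uses the httpOnly refresh_token cookie to issue a new access token.
 * Called silently on page load and when access token expires.
 *
 * Response (JSON): access_token, expires_in and the user record returned by
 * JWTAuth::refreshTokens(), extended with the totp_enabled / require_2fa flags.
 */

declare(strict_types=1);

require_once dirname(__DIR__) . '/config.php';
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
require_once dirname(__DIR__) . '/includes/RateLimiter.php';

setCorsHeaders();
setSecurityHeaders();
setNoCacheHeaders();
header('Content-Type: application/json; charset=utf-8');

// NOTE(review): errorResponse() is assumed to emit the JSON error and terminate
// the request; every check below relies on it not returning — confirm in config.php.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    errorResponse('Method not allowed', 405);
}

// Throttle before the cookie is inspected or the database is touched so a burst
// of refresh attempts is rejected cheaply. The second argument is presumably the
// allowed number of attempts per window — see RateLimiter::enforce().
$rateLimiter = new RateLimiter();
$rateLimiter->enforce('refresh', 30);

// The refresh token is accepted only from the httpOnly cookie, never from the
// request body or query string.
if (!isset($_COOKIE['refresh_token'])) {
    errorResponse('No refresh token', 401);
}

// JWTAuth::refreshTokens() validates the cookie and issues the new access token;
// a falsy result means the refresh token was rejected.
$result = JWTAuth::refreshTokens();
if (!$result) {
    errorResponse('Invalid or expired refresh token', 401);
}

// Enrich the user payload with the 2FA flags the client uses to decide whether
// to show the second-factor prompt. The lookup is best-effort: on a database
// failure both flags default to false so the refresh itself still succeeds,
// but the failure is logged rather than silently swallowed, because a false
// require_2fa here suppresses the client-side prompt.
try {
    $pdo = db();

    $userStmt = $pdo->prepare('SELECT totp_enabled FROM users WHERE id = ?');
    $userStmt->execute([$result['user']['id']]);
    $userRow = $userStmt->fetch();
    // fetch() returns false when no row matches (e.g. the user was removed
    // after the refresh token was issued); treat that as "TOTP not enabled".
    $result['user']['totp_enabled'] = $userRow !== false
        && (bool) ($userRow['totp_enabled'] ?? false);

    // Single global setting. query() may return false when PDO is not in
    // exception mode, and fetchColumn() returns false on an empty table;
    // both map to "2FA not required".
    $settingsStmt = $pdo->query('SELECT require_2fa FROM company_settings LIMIT 1');
    $result['user']['require_2fa'] = $settingsStmt !== false
        && (bool) $settingsStmt->fetchColumn();
} catch (PDOException $e) {
    error_log(sprintf(
        'token refresh: could not load 2FA flags for user %s: %s',
        (string) ($result['user']['id'] ?? '?'),
        $e->getMessage(),
    ));
    $result['user']['totp_enabled'] = false;
    $result['user']['require_2fa'] = false;
}

successResponse([
    'access_token' => $result['access_token'],
    'expires_in' => $result['expires_in'],
    'user' => $result['user'],
], 'Token refreshed');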