112 lines
2.9 KiB
PHP
112 lines
2.9 KiB
PHP
<?php
|
|
|
|
/**
|
|
* BOHA Automation - Session Check API (JWT)
|
|
*
|
|
* GET /api/admin/session.php
|
|
*
|
|
* Checks if the user has a valid session by:
|
|
* 1. First checking the Authorization header for a valid access token
|
|
* 2. If no valid access token, tries to refresh using the refresh_token cookie
|
|
*
|
|
* Response:
|
|
* {
|
|
* "success": true,
|
|
* "data": {
|
|
* "authenticated": boolean,
|
|
* "user": { ... } | null,
|
|
* "access_token": "string" | null,
|
|
* "expires_in": int | null
|
|
* }
|
|
* }
|
|
*/
|
|
|
|
declare(strict_types=1);
|
|
|
|
require_once dirname(__DIR__) . '/config.php';
|
|
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
|
|
require_once dirname(__DIR__) . '/includes/RateLimiter.php';
|
|
|
|
setCorsHeaders();
|
|
setSecurityHeaders();
|
|
setNoCacheHeaders();
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
|
|
// 200 req/min - vola se pri kazde zmene route
|
|
$rateLimiter = new RateLimiter();
|
|
$rateLimiter->enforce('session', 200);
|
|
|
|
// Cleanup expired refresh tokenu (0.1% sance)
|
|
if (rand(1, 1000) === 1) {
|
|
try {
|
|
JWTAuth::cleanupExpiredTokens();
|
|
} catch (Exception $e) {
|
|
}
|
|
}
|
|
|
|
if (!in_array($_SERVER['REQUEST_METHOD'], ['GET', 'POST'])) {
|
|
errorResponse('Metoda není povolena', 405);
|
|
}
|
|
|
|
/** @return array<string, mixed> */
|
|
function get2FAInfo(PDO $pdo, int $userId): array
|
|
{
|
|
try {
|
|
$stmt = $pdo->prepare("SELECT totp_enabled FROM users WHERE id = ?");
|
|
$stmt->execute([$userId]);
|
|
$row = $stmt->fetch();
|
|
|
|
$r2fa = $pdo->query("SELECT require_2fa FROM company_settings LIMIT 1");
|
|
return [
|
|
'totp_enabled' => (bool) ($row['totp_enabled'] ?? false),
|
|
'require_2fa' => (bool) $r2fa->fetchColumn(),
|
|
];
|
|
} catch (PDOException $e) {
|
|
return ['totp_enabled' => false, 'require_2fa' => false];
|
|
}
|
|
}
|
|
|
|
$authData = JWTAuth::optionalAuth();
|
|
|
|
if ($authData) {
|
|
$userData = $authData['user'];
|
|
$userData['permissions'] = JWTAuth::getUserPermissions($authData['user_id']);
|
|
|
|
$twoFA = get2FAInfo(db(), $authData['user_id']);
|
|
$userData['totp_enabled'] = $twoFA['totp_enabled'];
|
|
$userData['require_2fa'] = $twoFA['require_2fa'];
|
|
|
|
successResponse([
|
|
'authenticated' => true,
|
|
'user' => $userData,
|
|
'access_token' => null,
|
|
'expires_in' => null,
|
|
]);
|
|
}
|
|
|
|
$refreshToken = $_COOKIE['refresh_token'] ?? null;
|
|
|
|
if ($refreshToken) {
|
|
$result = JWTAuth::refreshTokens();
|
|
|
|
if ($result) {
|
|
$twoFA = get2FAInfo(db(), $result['user']['id']);
|
|
$result['user']['totp_enabled'] = $twoFA['totp_enabled'];
|
|
$result['user']['require_2fa'] = $twoFA['require_2fa'];
|
|
|
|
successResponse([
|
|
'authenticated' => true,
|
|
'user' => $result['user'],
|
|
'access_token' => $result['access_token'],
|
|
'expires_in' => $result['expires_in'],
|
|
]);
|
|
}
|
|
}
|
|
|
|
successResponse([
|
|
'authenticated' => false,
|
|
'user' => null,
|
|
'access_token' => null,
|
|
'expires_in' => null,
|
|
]);
|