Nexus upgrade design and refresh

2026-04-11 01:23:28 +02:00
parent 9d5bb2d3cf
commit e83925ba64
53 changed files with 13388 additions and 60 deletions
--- a/public/index.php
+++ b/public/index.php
@@ -1,6 +1,9 @@
 <?php
 declare(strict_types=1);

+use Modules\MiningChecker\Support\ApiException as MiningApiException;
+use Modules\MiningChecker\Support\DebugState as MiningDebugState;
+
 // boot application (config, autoload, services)
 require_once __DIR__ . '/../config/fileload.php';

@@ -8,6 +11,8 @@ require_once __DIR__ . '/../config/fileload.php';
 $uriPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
 $uriPath = preg_replace('~/{2,}~', '/', $uriPath);
 $uriPath = trim($uriPath, '/');
+$projectRoot = dirname(__DIR__);
+$auth = app()->auth();
 $isRetoolPath = ($uriPath === 'retool' || str_starts_with($uriPath, 'retool/'));
 if (defined('APP_BASIC_AUTH') && APP_BASIC_AUTH && !$isRetoolPath) {
    $authUser = getenv('STAGING_AUTH_USER') ?: 'staging';
@@ -27,9 +32,15 @@ $publicPaths = [
    'auth/login',
    'auth/callback',
    'auth/logout',
+    'auth/keycloak/login',
+    'auth/keycloak/callback',
+    'auth/keycloak/logout',
+    'auth/me',
    'module/pi_control/terminal_info',
 ];
-if (defined('APP_AUTH_ENABLED') && APP_AUTH_ENABLED && !in_array($uriPath, $publicPaths, true)) {
+$requiresGlobalAuth = in_array($uriPath, ['settings', 'users', 'modules', 'modules/install', 'debug'], true)
+    || str_starts_with($uriPath, 'modules/setup/');
+if (defined('APP_AUTH_ENABLED') && APP_AUTH_ENABLED && $requiresGlobalAuth && !in_array($uriPath, $publicPaths, true)) {
    $user = auth_user();
    if (!$user) {
        header('Location: /auth/login', true, 302);
@@ -43,6 +54,139 @@ if (str_contains($uriPath, '..')) {
    exit('Bad request');
 }

+if ($uriPath === 'auth/keycloak/login') {
+    $returnTo = (string)($_GET['return_to'] ?? '/');
+    $auth->login($returnTo);
+}
+
+if ($uriPath === 'auth/keycloak/callback') {
+    $uriPath = 'auth/callback';
+}
+
+if ($uriPath === 'auth/keycloak/logout') {
+    $uriPath = 'auth/logout';
+}
+
+if ($uriPath === 'auth/me') {
+    header('Content-Type: application/json; charset=utf-8');
+    echo json_encode([
+        'authenticated' => $auth->isAuthenticated(),
+        'user' => $auth->user(),
+    ], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+    exit;
+}
+
+if (preg_match('~^api/module-auth/([a-zA-Z0-9_-]+)$~', $uriPath, $moduleAuthMatches)) {
+    $moduleName = $moduleAuthMatches[1];
+    $moduleMeta = app()->modules()->get($moduleName);
+    if ($moduleMeta === null) {
+        http_response_code(404);
+        header('Content-Type: application/json; charset=utf-8');
+        echo json_encode(['error' => 'module_not_found'], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    }
+    if (!$auth->isAuthenticated()) {
+        http_response_code(401);
+        header('Content-Type: application/json; charset=utf-8');
+        echo json_encode(['error' => 'auth_required'], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    }
+    if (!$auth->canAccessModule($moduleMeta)) {
+        http_response_code(403);
+        header('Content-Type: application/json; charset=utf-8');
+        echo json_encode(['error' => 'forbidden'], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    }
+
+    header('Content-Type: application/json; charset=utf-8');
+    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+        echo json_encode(['data' => ($moduleMeta['auth'] ?? ['required' => false, 'users' => [], 'groups' => []])], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    }
+    if ($_SERVER['REQUEST_METHOD'] === 'PUT') {
+        $input = json_decode((string)file_get_contents('php://input'), true);
+        if (!is_array($input)) {
+            $input = [];
+        }
+        echo json_encode(['data' => app()->modules()->saveAuth($moduleName, $input)], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    }
+
+    http_response_code(405);
+    echo json_encode(['error' => 'method_not_allowed'], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+    exit;
+}
+
+if (preg_match('~^api/mining-checker(?:/(.*))?$~', $uriPath, $apiMatches)) {
+    $moduleMeta = app()->modules()->get('mining-checker') ?? ['auth' => ['required' => false]];
+    if (!$auth->canAccessModule($moduleMeta)) {
+        http_response_code($auth->isAuthenticated() ? 403 : 401);
+        header('Content-Type: application/json; charset=utf-8');
+        echo json_encode([
+            'error' => $auth->isAuthenticated() ? 'forbidden' : 'auth_required',
+            'login_url' => '/auth/login',
+        ], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    }
+
+    require_once $projectRoot . '/modules/mining-checker/bootstrap.php';
+
+    try {
+        (new Modules\MiningChecker\Api\Router($projectRoot . '/modules/mining-checker'))->handle($apiMatches[1] ?? '');
+    } catch (MiningApiException $exception) {
+        $debugTrace = MiningDebugState::export();
+        http_response_code($exception->statusCode());
+        header('Content-Type: application/json; charset=utf-8');
+        echo json_encode([
+            'error' => $exception->getMessage(),
+            'context' => $exception->context(),
+            'debug' => $debugTrace !== [] ? $debugTrace : null,
+        ], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    } catch (Throwable $exception) {
+        $debugTrace = MiningDebugState::export();
+        http_response_code(500);
+        header('Content-Type: application/json; charset=utf-8');
+        echo json_encode([
+            'error' => 'Unerwarteter Mining-Checker Fehler.',
+            'context' => ['message' => $exception->getMessage()],
+            'debug' => $debugTrace !== [] ? $debugTrace : null,
+        ], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        exit;
+    }
+}
+
+if (preg_match('~^module-assets/([a-zA-Z0-9_-]+)/(.*)$~', $uriPath, $assetMatches)) {
+    $module = $assetMatches[1];
+    $relativeAssetPath = trim($assetMatches[2], '/');
+    if ($relativeAssetPath === '' || str_contains($relativeAssetPath, '..')) {
+        http_response_code(400);
+        exit('Bad request');
+    }
+
+    $assetFile = $projectRoot . '/modules/' . $module . '/assets/' . $relativeAssetPath;
+    if (!is_file($assetFile)) {
+        http_response_code(404);
+        exit('Asset not found');
+    }
+
+    $extension = strtolower(pathinfo($assetFile, PATHINFO_EXTENSION));
+    $contentType = match ($extension) {
+        'css' => 'text/css; charset=utf-8',
+        'js' => 'application/javascript; charset=utf-8',
+        'json' => 'application/json; charset=utf-8',
+        'png' => 'image/png',
+        'jpg', 'jpeg' => 'image/jpeg',
+        'webp' => 'image/webp',
+        'svg' => 'image/svg+xml',
+        default => 'application/octet-stream',
+    };
+
+    header('Content-Type: ' . $contentType);
+    readfile($assetFile);
+    exit;
+}
+
 // Basispfad fuer Landingpages
 $pagesBase = realpath(__DIR__ . '/../partials/landingpages') ?: (__DIR__ . '/../partials/landingpages');
 $page404 = $pagesBase . '/errorpages/404.php';
@@ -68,7 +212,15 @@ if (str_starts_with($uriPath, 'modules/install')) {
 } elseif (preg_match('~^module/([a-zA-Z0-9_-]+)(?:/(.+))?$~', $uriPath, $m)) {
    $module = $m[1];
    $page = isset($m[2]) && $m[2] !== '' ? trim($m[2], '/') : 'index';
+    $moduleMeta = app()->modules()->get($module);
+    if ($moduleMeta !== null) {
+        $auth->requireModuleAccess($moduleMeta);
+    }
    $modulePage = app()->modules()->resolvePage($module, $page);
+    $moduleBootstrap = $projectRoot . '/modules/' . $module . '/bootstrap.php';
+    if (is_file($moduleBootstrap)) {
+        require_once $moduleBootstrap;
+    }
    if ($modulePage) {
        $target = $modulePage;
    } else {