projects/emailtemplate.it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
22b1fff7a9653f40b561ec4726fdf55b6611c985
emailtemplate.it/inc/OUTDATED auth_helpers.php
Lars Gebhardt-Kusche 9dee06cdd6 commit
2025-12-04 22:33:05 +01:00

139 lines
4.3 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?php
// inc/auth_helpers.php robustes Session-Handling (2025-09-05)
declare(strict_types=1);
/** ===== Session ===== */
function auth_start_session(array $cfg): void {
if (session_status() === PHP_SESSION_NONE) {
$name = $cfg['auth']['session_name'] ?? 'et_session';
session_name($name);
// Defaults
$cookiePath = $cfg['auth']['cookie_path'] ?? '/';
$cookieDomain = $cfg['auth']['cookie_domain'] ?? '';
$cookieSecure = $cfg['auth']['cookie_secure'] ?? true;
$cookieHttpOnly = $cfg['auth']['cookie_httponly'] ?? true;
$cookieSameSite = $cfg['auth']['cookie_samesite'] ?? 'Lax';
// PHP 7.3+ array API
session_set_cookie_params([
'lifetime' => 0,
'path' => $cookiePath,
'domain' => $cookieDomain,
'secure' => $cookieSecure,
'httponly' => $cookieHttpOnly,
'samesite' => $cookieSameSite,
]);
session_start();
}
}
/** ===== Auth Core ===== */
function auth_login(PDO $pdoCustomers, array $cfg, string $email, string $password): array {
auth_start_session($cfg);
$sql = "SELECT cu.id, cu.customer_id, cu.email, cu.password_hash, cu.role,
c.slug AS customer_slug, c.plan, c.status
FROM customer_users cu
JOIN customers c ON c.id = cu.customer_id
WHERE cu.email = :email AND cu.is_active = 1
LIMIT 1";
$st = $pdoCustomers->prepare($sql);
$st->execute([':email' => $email]);
$u = $st->fetch(PDO::FETCH_ASSOC);
if (!$u || !password_verify($password, $u['password_hash'])) {
return ['ok' => false, 'error' => 'invalid_credentials'];
}
if (($u['status'] ?? 'active') !== 'active') {
return ['ok' => false, 'error' => 'customer_inactive'];
}
// neue Session-ID, alte wird invalidiert
session_regenerate_id(true);
$_SESSION['user'] = [
'id' => (int)$u['id'],
'email' => $u['email'],
'role' => $u['role'],
'customer_id' => (int)$u['customer_id'],
'customer_slug' => $u['customer_slug'],
'plan' => $u['plan'],
];
return ['ok' => true, 'user' => $_SESSION['user']];
}
function auth_logout(array $cfg): void {
auth_start_session($cfg);
// Sessiondaten löschen
$_SESSION = [];
// Cookie-Parameter aus der aktiven Session
$params = session_get_cookie_params();
$name = session_name();
// Kandidaten für Domain/Path, um "falsch" gesetzte Cookies sicher zu treffen
$host = $_SERVER['HTTP_HOST'] ?? '';
$cfgDomain = $cfg['auth']['cookie_domain'] ?? '';
$paths = array_values(array_unique([$params['path'] ?? '/', '/', '']));
$domains = array_values(array_unique([
$params['domain'] ?? '',
$cfgDomain,
$host,
ltrim($host, '.'),
(strpos($host, '.') !== false ? '.' . ltrim($host, '.') : $host),
]));
// Alle Varianten invalidieren (secure/httponly wie gesetzt)
foreach ($paths as $p) {
foreach ($domains as $d) {
if ($d === null) continue;
setcookie($name, '', time() - 3600, $p, $d, $params['secure'] ?? true, $params['httponly'] ?? true);
}
// zusätzlich: ohne Domain (trifft Host-spezifische Cookies)
setcookie($name, '', time() - 3600, $p, '', $params['secure'] ?? true, $params['httponly'] ?? true);
}
// Session beenden
session_destroy();
session_write_close();
// In Staging aggressiv: Browser bitten, Cookies zu löschen (nicht jeder Browser respektiert das sofort)
if (($cfg['env'] ?? 'prod') === 'staging') {
header('Clear-Site-Data: "cookies"', false);
}
}
function auth_require(array $cfg): void {
auth_start_session($cfg);
if (empty($_SESSION['user'])) {
http_response_code(401);
header('Content-Type: application/json; charset=utf-8');
echo json_encode(['ok' => false, 'error' => 'unauthorized']);
exit;
}
}
function require_role(array $cfg, array $roles): void {
auth_start_session($cfg);
$r = $_SESSION['user']['role'] ?? null;
if (!$r || !in_array($r, $roles, true)) {
http_response_code(403);
header('Content-Type: application/json; charset=utf-8');
echo json_encode(['ok' => false, 'error' => 'forbidden']);
exit;
}
}
function current_user(array $cfg): ?array {
auth_start_session($cfg);
return $_SESSION['user'] ?? null;
}
function current_customer_id(array $cfg): ?int {
$u = current_user($cfg);
return $u['customer_id'] ?? null;
}
Reference in New Issue View Git Blame Copy Permalink