adding authentication

backend/api/index.php

@@ -1,4 +1,5 @@
 <?php
+session_start();
 header('Content-Type: application/json');
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
@@ -12,18 +13,33 @@ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
 require_once __DIR__ . '/../config/database.php';
 
 $db = getDbConnection();
-$requestUri = $_SERVER['REQUEST_URI'];
-$method = $_SERVER['REQUEST_METHOD'];
 
-$path = parse_url($requestUri, PHP_URL_PATH);
+// Auth check (except for session check)
+$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
 $path = str_replace('/api/', '', $path);
 $segments = explode('/', trim($path, '/'));
-
 $resource = $segments[0] ?? '';
+
+if ($resource !== 'session') {
+    $loggedin = isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true;
+    if (!$loggedin) {
+        http_response_code(401);
+        echo json_encode(['error' => 'Unauthorized']);
+        exit;
+    }
+}
+
+$method = $_SERVER['REQUEST_METHOD'];
 $id = $segments[1] ?? null;
 
 try {
     switch ($resource) {
+        case 'session':
+            handleSession($method, $db);
+            break;
+        case 'settings':
+            handleSettings($method, $db);
+            break;
         case 'teams':
             handleTeams($method, $id, $db);
             break;
@@ -51,6 +67,110 @@ try {
     echo json_encode(['error' => $e->getMessage()]);
 }
 
+function handleSession($method, $db) {
+    $loggedin = isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true;
+    if ($loggedin) {
+        $role = $_SESSION['neptune_role'] ?? 'user';
+        $stmt = $db->prepare("SELECT COUNT(*) as c FROM neptune_users WHERE role='admin'");
+        $stmt->execute();
+        $adminCount = $stmt->fetch()['c'];
+        echo json_encode([
+            'loggedin' => true,
+            'username' => $_SESSION['neptune_username'] ?? 'Unknown',
+            'role' => $role,
+            'admin_count' => (int)$adminCount
+        ]);
+    } else {
+        echo json_encode(['loggedin' => false]);
+    }
+}
+
+function handleSettings($method, $db) {
+    $role = $_SESSION['neptune_role'] ?? 'user';
+    if ($method === 'GET') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $users = $db->query("SELECT id, username, user_token, email, role, created_at FROM neptune_users ORDER BY created_at ASC")->fetchAll();
+        echo json_encode($users);
+    } elseif ($method === 'POST') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $user_token = $data['user_token'] ?? '';
+        if (!$user_token) {
+            http_response_code(400);
+            echo json_encode(['error' => 'user_token required']);
+            return;
+        }
+        // Validate the token with Jakach Auth
+        $check_url = "https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=" . urlencode($user_token);
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, $check_url);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+        $response = curl_exec($ch);
+        $http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+
+        if ($http !== 200 || !$response) {
+            http_response_code(400);
+            echo json_encode(['error' => 'Failed to validate token']);
+            return;
+        }
+        $info = json_decode($response, true);
+        if (!isset($info['status']) || $info['status'] !== 'success') {
+            http_response_code(400);
+            echo json_encode(['error' => 'Invalid token']);
+            return;
+        }
+
+        $stmt = $db->prepare("SELECT COUNT(*) as c FROM neptune_users WHERE user_token = ?");
+        $stmt->execute([$user_token]);
+        if ($stmt->fetch()['c'] > 0) {
+            http_response_code(400);
+            echo json_encode(['error' => 'User already exists']);
+            return;
+        }
+
+        $stmt = $db->prepare("INSERT INTO neptune_users (user_token, username, email, role) VALUES (?, ?, ?, 'user')");
+        $stmt->execute([$user_token, $info['username'], $info['email'] ?? '']);
+        echo json_encode(['status' => 'success', 'msg' => 'User added']);
+    } elseif ($method === 'DELETE') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $id = $data['id'] ?? null;
+        if (!$id) {
+            http_response_code(400);
+            echo json_encode(['error' => 'id required']);
+            return;
+        }
+        // Prevent deleting the last admin
+        $stmt = $db->prepare("SELECT role FROM neptune_users WHERE id = ?");
+        $stmt->execute([$id]);
+        $user = $stmt->fetch();
+        if ($user && $user['role'] === 'admin') {
+            $adminCount = $db->query("SELECT COUNT(*) as c FROM neptune_users WHERE role='admin'")->fetch()['c'];
+            if ($adminCount <= 1) {
+                http_response_code(400);
+                echo json_encode(['error' => 'Cannot delete the last admin']);
+                return;
+            }
+        }
+        $db->prepare("DELETE FROM neptune_users WHERE id = ?")->execute([$id]);
+        echo json_encode(['status' => 'success']);
+    }
+}
+
 function handleTeams($method, $id, $db) {
     switch ($method) {
         case 'GET':

backend/config/database.php

@@ -30,4 +30,12 @@ function migrate($db) {
         z_index INT DEFAULT 0,
         created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
     )");
+    $db->exec("CREATE TABLE IF NOT EXISTS neptune_users (
+        id INT AUTO_INCREMENT PRIMARY KEY,
+        user_token VARCHAR(255) NOT NULL UNIQUE,
+        username VARCHAR(255) NOT NULL,
+        email VARCHAR(255) DEFAULT '',
+        role ENUM('admin','user') DEFAULT 'user',
+        created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+    )");
 }

backend/login.php

@@ -0,0 +1,107 @@
+<?php
+session_start();
+
+// If already logged in, redirect
+if (isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true) {
+    header('Location: /');
+    exit;
+}
+
+$error = '';
+$success = '';
+
+// Check for auth callback from Jakach Auth
+if (isset($_GET['auth'])) {
+    $auth_token = $_GET['auth'];
+    $check_url = "https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=" . urlencode($auth_token);
+
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_URL, $check_url);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+    $response = curl_exec($ch);
+    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+    curl_close($ch);
+
+    if ($http_code !== 200 || !$response) {
+        $error = 'Failed to contact authentication server.';
+    } else {
+        $data = json_decode($response, true);
+        if (isset($data['status']) && $data['status'] === 'success') {
+            $user_token = $data['user_token'];
+            $username = $data['username'];
+            $email = $data['email'] ?? '';
+
+            require_once __DIR__ . '/config/database.php';
+            $db = getDbConnection();
+
+            // Check if user exists in our db
+            $stmt = $db->prepare("SELECT * FROM neptune_users WHERE user_token = ?");
+            $stmt->execute([$user_token]);
+            $user = $stmt->fetch();
+
+            if ($user) {
+                $_SESSION['neptune_loggedin'] = true;
+                $_SESSION['neptune_user_token'] = $user['user_token'];
+                $_SESSION['neptune_username'] = $user['username'];
+                $_SESSION['neptune_role'] = $user['role'];
+                header('Location: /');
+                exit;
+            } else {
+                // First user becomes admin
+                $count = $db->query("SELECT COUNT(*) as c FROM neptune_users")->fetch()['c'];
+                $role = ($count == 0) ? 'admin' : 'user';
+
+                $stmt = $db->prepare("INSERT INTO neptune_users (user_token, username, email, role) VALUES (?, ?, ?, ?)");
+                $stmt->execute([$user_token, $username, $email, $role]);
+
+                $_SESSION['neptune_loggedin'] = true;
+                $_SESSION['neptune_user_token'] = $user_token;
+                $_SESSION['neptune_username'] = $username;
+                $_SESSION['neptune_role'] = $role;
+                header('Location: /');
+                exit;
+            }
+        } else {
+            $error = 'Authentication failed: ' . ($data['msg'] ?? 'unknown error');
+        }
+    }
+}
+?>
+<!DOCTYPE html>
+<html lang="en" data-bs-theme="dark">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Neptune - Login</title>
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
+    <link href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@6.5.1/css/all.min.css" rel="stylesheet">
+    <style>
+        body { background: #0a0e1a; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+        .login-card { background: #131a2b; border: 1px solid #1e2a45; border-radius: .75rem; padding: 2.5rem; max-width: 420px; width: 100%; }
+        .login-card h1 { font-size: 1.5rem; }
+        .login-card p { color: #64748b; font-size: .9rem; }
+        .btn-jakach { background: #3b82f6; color: #fff; }
+        .btn-jakach:hover { background: #2563eb; color: #fff; }
+    </style>
+</head>
+<body>
+    <div class="login-card text-center">
+        <i class="fas fa-globe text-primary mb-3" style="font-size: 2.5rem;"></i>
+        <h1 class="fw-bold mb-1">Neptune</h1>
+        <p class="mb-4">Cybersecurity Incident Journal</p>
+
+        <?php if ($error): ?>
+            <div class="alert alert-danger py-2 small"><?= htmlspecialchars($error) ?></div>
+        <?php endif; ?>
+        <?php if ($success): ?>
+            <div class="alert alert-success py-2 small"><?= htmlspecialchars($success) ?></div>
+        <?php endif; ?>
+
+        <a href="https://auth.jakach.ch/?send_to=<?= urlencode('http://' . ($_SERVER['HTTP_HOST'] ?? 'localhost:8080') . '/login.php') ?>" class="btn btn-jakach w-100 py-2 mb-2">
+            <i class="fas fa-right-to-bracket me-2"></i>Log in with Jakach Auth
+        </a>
+        <small class="text-secondary">First user automatically becomes admin</small>
+    </div>
+</body>
+</html>

backend/logout.php

@@ -0,0 +1,6 @@
+<?php
+session_start();
+$_SESSION = array();
+session_destroy();
+header('Location: /');
+exit;