adding authentication

backend/api/index.php

@@ -1,4 +1,5 @@
 <?php
+session_start();
 header('Content-Type: application/json');
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
@@ -12,18 +13,33 @@ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
 require_once __DIR__ . '/../config/database.php';
 
 $db = getDbConnection();
-$requestUri = $_SERVER['REQUEST_URI'];
-$method = $_SERVER['REQUEST_METHOD'];
 
-$path = parse_url($requestUri, PHP_URL_PATH);
+// Auth check (except for session check)
+$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
 $path = str_replace('/api/', '', $path);
 $segments = explode('/', trim($path, '/'));
-
 $resource = $segments[0] ?? '';
+
+if ($resource !== 'session') {
+    $loggedin = isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true;
+    if (!$loggedin) {
+        http_response_code(401);
+        echo json_encode(['error' => 'Unauthorized']);
+        exit;
+    }
+}
+
+$method = $_SERVER['REQUEST_METHOD'];
 $id = $segments[1] ?? null;
 
 try {
     switch ($resource) {
+        case 'session':
+            handleSession($method, $db);
+            break;
+        case 'settings':
+            handleSettings($method, $db);
+            break;
         case 'teams':
             handleTeams($method, $id, $db);
             break;
@@ -51,6 +67,110 @@ try {
     echo json_encode(['error' => $e->getMessage()]);
 }
 
+function handleSession($method, $db) {
+    $loggedin = isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true;
+    if ($loggedin) {
+        $role = $_SESSION['neptune_role'] ?? 'user';
+        $stmt = $db->prepare("SELECT COUNT(*) as c FROM neptune_users WHERE role='admin'");
+        $stmt->execute();
+        $adminCount = $stmt->fetch()['c'];
+        echo json_encode([
+            'loggedin' => true,
+            'username' => $_SESSION['neptune_username'] ?? 'Unknown',
+            'role' => $role,
+            'admin_count' => (int)$adminCount
+        ]);
+    } else {
+        echo json_encode(['loggedin' => false]);
+    }
+}
+
+function handleSettings($method, $db) {
+    $role = $_SESSION['neptune_role'] ?? 'user';
+    if ($method === 'GET') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $users = $db->query("SELECT id, username, user_token, email, role, created_at FROM neptune_users ORDER BY created_at ASC")->fetchAll();
+        echo json_encode($users);
+    } elseif ($method === 'POST') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $user_token = $data['user_token'] ?? '';
+        if (!$user_token) {
+            http_response_code(400);
+            echo json_encode(['error' => 'user_token required']);
+            return;
+        }
+        // Validate the token with Jakach Auth
+        $check_url = "https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=" . urlencode($user_token);
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, $check_url);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+        $response = curl_exec($ch);
+        $http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+
+        if ($http !== 200 || !$response) {
+            http_response_code(400);
+            echo json_encode(['error' => 'Failed to validate token']);
+            return;
+        }
+        $info = json_decode($response, true);
+        if (!isset($info['status']) || $info['status'] !== 'success') {
+            http_response_code(400);
+            echo json_encode(['error' => 'Invalid token']);
+            return;
+        }
+
+        $stmt = $db->prepare("SELECT COUNT(*) as c FROM neptune_users WHERE user_token = ?");
+        $stmt->execute([$user_token]);
+        if ($stmt->fetch()['c'] > 0) {
+            http_response_code(400);
+            echo json_encode(['error' => 'User already exists']);
+            return;
+        }
+
+        $stmt = $db->prepare("INSERT INTO neptune_users (user_token, username, email, role) VALUES (?, ?, ?, 'user')");
+        $stmt->execute([$user_token, $info['username'], $info['email'] ?? '']);
+        echo json_encode(['status' => 'success', 'msg' => 'User added']);
+    } elseif ($method === 'DELETE') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $id = $data['id'] ?? null;
+        if (!$id) {
+            http_response_code(400);
+            echo json_encode(['error' => 'id required']);
+            return;
+        }
+        // Prevent deleting the last admin
+        $stmt = $db->prepare("SELECT role FROM neptune_users WHERE id = ?");
+        $stmt->execute([$id]);
+        $user = $stmt->fetch();
+        if ($user && $user['role'] === 'admin') {
+            $adminCount = $db->query("SELECT COUNT(*) as c FROM neptune_users WHERE role='admin'")->fetch()['c'];
+            if ($adminCount <= 1) {
+                http_response_code(400);
+                echo json_encode(['error' => 'Cannot delete the last admin']);
+                return;
+            }
+        }
+        $db->prepare("DELETE FROM neptune_users WHERE id = ?")->execute([$id]);
+        echo json_encode(['status' => 'success']);
+    }
+}
+
 function handleTeams($method, $id, $db) {
     switch ($method) {
         case 'GET':