diff --git a/public/index.html b/public/index.html index ef55f51..0ebf0d8 100644 --- a/public/index.html +++ b/public/index.html @@ -49,6 +49,7 @@ pre.raw-line { background: var(--bs-tertiary-bg); padding: .75rem; border-radius
Sign in required
+

Authenticate with your Jakach account to access the system.

Log in using Jakach Login @@ -367,16 +368,36 @@ async function checkAuth() { initApp(); return true; } - } catch (e) {} + if (res.error) { + showLogin(res.error); + return false; + } + } catch (e) { + try { + const err = JSON.parse(e.message); + showLogin(err.error); + } catch { + showLogin(); + } + } showLogin(); return false; } -function showLogin() { +function showLogin(errorMsg) { document.getElementById('appLogin').style.display = ''; document.getElementById('appMain').style.display = 'none'; const loginUrl = window.location.origin + '/oauth.php?redirect=' + encodeURIComponent(window.location.href); document.getElementById('loginBtn').href = 'https://auth.jakach.ch/?send_to=' + encodeURIComponent(loginUrl); + const errorBox = document.getElementById('authErrorBox'); + if (errorMsg) { + errorBox.textContent = errorMsg; + errorBox.classList.remove('d-none'); + document.getElementById('loginBtn').textContent = 'Try again'; + } else { + errorBox.classList.add('d-none'); + document.getElementById('loginBtn').innerHTML = 'Log in using Jakach Login'; + } } async function logout() { diff --git a/public/oauth.php b/public/oauth.php index 8470edd..913608e 100644 --- a/public/oauth.php +++ b/public/oauth.php @@ -3,6 +3,7 @@ require_once __DIR__ . '/../vendor/autoload.php'; use Jakach\Logging\Storage\Database; +use Jakach\Logging\Storage\Repository; session_set_cookie_params([ 'lifetime' => 86400 * 7, @@ -13,11 +14,11 @@ session_set_cookie_params([ session_start(); $authToken = $_GET['auth'] ?? ''; +$errorRedirect = $_GET['redirect'] ?? '/'; if (!$authToken) { - header('Content-Type: application/json'); - http_response_code(400); - echo json_encode(['error' => 'Missing auth token']); + $_SESSION['auth_error'] = 'Missing authentication token.'; + header('Location: ' . $errorRedirect); exit; } 
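Review bot: In checkAuth's new catch branch, `showLogin(err.error)` (and the inner-catch `showLogin()`) falls through to the unconditional `showLogin(); return false;` after the try/catch, and that second call with no argument re-adds `d-none` to `authErrorBox` and resets the button text, so a parsed error is never actually shown. Add `return false;` after `showLogin(err.error);` and after the inner `showLogin();`, or compute the message first and call showLogin once. `JSON.parse(e.message)` assumes the fetch helper throws with the raw JSON body as its message; if it does not, every failure silently takes the no-message path, which is worth a comment such as `// fetch helper throws Error(responseBody) on non-2xx`. Rendering the server-supplied message via `textContent` is correct; the static fallback could use `textContent` too for consistency. checkAuth starts before this hunk, so the success path is not fully visible here.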
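Review bot: `$errorRedirect` is taken straight from `$_GET['redirect']` and written into a `Location:` header on the new error paths, including the missing-token path that requires no authentication at all, so `/oauth.php?redirect=https://evil.example` becomes an unauthenticated open redirect (the success path at the end of the file already used the same pattern, but only after a valid auth token). Constrain it to a same-site path before first use: `if (!str_starts_with($errorRedirect, '/') || str_starts_with($errorRedirect, '//')) { $errorRedirect = '/'; }`. PHP's header() rejects CR/LF, so header injection is not the concern here, only the destination. A short comment above the assignment, `// redirect target is attacker-controllable; only relative paths are honoured`, would keep the next maintainer from reintroducing it.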
@@ -32,18 +33,31 @@ $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); if ($httpCode !== 200 || !$response) { - header('Content-Type: application/json'); - http_response_code(502); - echo json_encode(['error' => 'Auth server unreachable']); + $_SESSION['auth_error'] = 'Authentication server is unreachable. Please try again later.'; + header('Location: ' . $errorRedirect); exit; } $data = json_decode($response, true); if (!isset($data['status']) || $data['status'] !== 'success') { - header('Content-Type: application/json'); - http_response_code(401); - echo json_encode(['error' => 'Authentication failed', 'msg' => $data['msg'] ?? 'unknown']); + $_SESSION['auth_error'] = 'Authentication failed: ' . ($data['msg'] ?? 'Unknown error'); + header('Location: ' . $errorRedirect); + exit; +} + +$userToken = $data['user_token'] ?? ''; + +$db = new Database(); +$repo = new Repository($db); + +$allowedTokens = $repo->getAllowedUserTokens(); + +if (empty($allowedTokens)) { + $repo->setAllowedUserTokens([$userToken]); +} elseif (!in_array($userToken, $allowedTokens, true)) { + $_SESSION['auth_error'] = 'Your Jakach account is not authorized to access this system. Contact an administrator.'; + header('Location: ' . $errorRedirect); exit; } 
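Review bot: The bootstrap branch `if (empty($allowedTokens)) { $repo->setAllowedUserTokens([$userToken]); }` runs even when the auth server returned no `user_token`, because `$userToken` defaults to `''`; the allowlist would then be `['']`, which `in_array('', [''], true)` in AuthMiddleware accepts for any later session that also lacks a token. Reject an empty token before touching the allowlist, and document that this is trust-on-first-use: the first account to complete login becomes the only authorized one, and two first logins racing on an empty allowlist can overwrite each other (whether the repository write is atomic is not visible here). The old code in the following hunk allowed everyone when the list was empty and never wrote to it, so this is a deliberate tightening that deserves a comment such as `// TOFU bootstrap: first successful login seeds the allowlist`.
```php
$userToken = $data['user_token'] ?? '';
// Never seed or match the allowlist with an empty token.
if ($userToken === '') {
    $_SESSION['auth_error'] = 'Authentication failed: no user token returned.';
    header('Location: ' . $errorRedirect);
    exit;
}
// … unchanged: Repository construction and allowlist check …
```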
@@ -52,22 +66,8 @@ $_SESSION['username'] = $data['username'] ?? 'unknown'; $_SESSION['id'] = $data['id'] ?? ''; $_SESSION['email'] = $data['email'] ?? ''; $_SESSION['telegram_id'] = $data['telegram_id'] ?? ''; -$_SESSION['user_token'] = $data['user_token'] ?? ''; - -if (!headers_sent()) { - $db = new Database(); - $repo = new \Jakach\Logging\Storage\Repository($db); - $allowedTokens = $repo->getAllowedUserTokens(); - - if (!empty($allowedTokens) && !in_array($_SESSION['user_token'], $allowedTokens, true)) { - $_SESSION = []; - session_destroy(); - header('Content-Type: application/json'); - http_response_code(403); - echo json_encode(['error' => 'Your account is not authorized to access this system']); - exit; - } -} +$_SESSION['user_token'] = $userToken; +unset($_SESSION['auth_error']); $redirect = $_GET['redirect'] ?? '/'; header('Location: ' . $redirect); diff --git a/src/Api/AuthMiddleware.php b/src/Api/AuthMiddleware.php index f23a390..06672a3 100644 --- a/src/Api/AuthMiddleware.php +++ b/src/Api/AuthMiddleware.php @@ -30,16 +30,16 @@ class AuthMiddleware } $allowedTokens = $this->repo->getAllowedUserTokens(); - if (!empty($allowedTokens)) { - $userToken = $_SESSION['user_token'] ?? ''; - if (!in_array($userToken, $allowedTokens, true)) { - return null; - } + $userToken = $_SESSION['user_token'] ?? ''; + + if (!empty($allowedTokens) && !in_array($userToken, $allowedTokens, true)) { + $_SESSION['auth_error'] = 'Your Jakach account is not authorized to access this system.'; + return null; } return [ 'username' => $_SESSION['username'] ?? 'unknown', - 'user_token' => $_SESSION['user_token'] ?? '', + 'user_token' => $userToken, 'email' => $_SESSION['email'] ?? '', ]; } diff --git a/src/Api/Router.php b/src/Api/Router.php index d7e54ea..3d2836d 100644 --- a/src/Api/Router.php +++ b/src/Api/Router.php 
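Review bot: The login completion writes the identity fields and `$_SESSION['user_token'] = $userToken;` into the existing session without rotating its id; unless `session_regenerate_id()` happens in the lines between `session_start()` and this hunk (not shown), a session id planted before the victim signs in stays valid afterwards. Add `session_regenerate_id(true);` immediately before `$_SESSION['user_token'] = $userToken;`. The removed block's `session_destroy()` on rejection was the only place the session was reset, and the new reject path in the previous hunk keeps the session as-is, which is fine only because the identity fields are written after the allowlist check, so a comment stating that ordering requirement would help. The trailing `header('Location: ' . $redirect);` shares the unvalidated-redirect pattern raised on the error paths and should use the same same-site check.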
@@ -85,24 +85,25 @@ class Router private function respond(int $code, mixed $result): void { http_response_code($code); + if (is_array($result)) { $hasObjects = false; + $isList = array_is_list($result); foreach ($result as $key => $val) { if (is_object($val) && method_exists($val, 'toArray')) { $result[$key] = $val->toArray(); $hasObjects = true; } } - if ($hasObjects) { - echo json_encode($result, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES); - return; - } - if (array_is_list($result) && (empty($result) || !isset($result['data']))) { - $result = ['data' => $result]; + if ($hasObjects || ($isList && (empty($result) || !isset($result['data'])))) { + if ($isList) { + $result = ['data' => $result]; + } } } elseif (is_object($result) && method_exists($result, 'toArray')) { $result = ['data' => $result->toArray()]; } + echo json_encode($result, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES); }