<?php
// Authentication middleware - include at the top of protected pages
require_once 'config.php';

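/**
 * Require a valid JWT for the current request, optionally restricted to one role.
 *
 * The token is taken from a "Bearer" Authorization header, falling back to the
 * refresh_token cookie. It is verified with JWT_SECRET using HS256 only, the
 * admin_users row named by its user_id claim must still exist (and be active
 * when an is_active column is present), and when $required_role is given the
 * row's role must match it exactly.
 *
 * On success the user row is published through the global $current_user and
 * the decoded payload is returned. On every failure the function exits:
 * browser-style requests are redirected to /admin_login.php (or shown a short
 * HTML notice when the user row is missing/inactive), API-style requests get a
 * JSON body with a 401/403 status.
 *
 * @param string|null $required_role Role the user must hold; null accepts any authenticated user.
 * @return object Decoded JWT payload (stdClass) as produced by JWT::decode().
 */
function requireAuth($required_role = null) {
    $token = _auth_extract_token();

    if ($token === null || $token === '') {
        // Unauthenticated: browsers go to the login page, API clients get JSON.
        if (_auth_is_browser_request()) {
            header('Location: /admin_login.php');
            exit;
        }
        _auth_json_error(401, 'Authentication required');
    }

    try {
        // Fully-qualified so the Firebase JWT classes resolve regardless of namespace.
        // The algorithm is pinned server-side to HS256; the token's own "alg" header is not trusted.
        $decoded = \Firebase\JWT\JWT::decode($token, new \Firebase\JWT\Key(JWT_SECRET, 'HS256'));

        // A token without a user_id claim cannot be mapped to an account; reject it
        // rather than querying admin_users with a null id.
        if (!isset($decoded->user_id)) {
            throw new UnexpectedValueException('Token is missing the user_id claim');
        }

        // Verify the user still exists and is active (tolerant of a missing is_active column).
        global $pdo;
        $stmt = $pdo->prepare("SELECT * FROM admin_users WHERE id = ?");
        $stmt->execute([$decoded->user_id]);
        $user = $stmt->fetch();

        // If is_active exists it is enforced; otherwise the row is assumed active.
        $inactive = $user && array_key_exists('is_active', $user) && (int)$user['is_active'] !== 1;
        if (!$user || $inactive) {
            if (_auth_is_browser_request()) {
                header('Content-Type: text/html; charset=utf-8');
                echo "<h2 style='color:red'>Admin user not found or inactive. Please check your database.</h2>";
                exit;
            }
            _auth_json_error(401, 'User not found or inactive');
        }

        // Role check: strict string comparison against the stored role column.
        if ($required_role && (!isset($user['role']) || $user['role'] !== $required_role)) {
            _auth_json_error(403, 'Insufficient permissions');
        }

        // Publish the user row for the including page.
        global $current_user;
        $current_user = $user;

        return $decoded;
    } catch (Exception $e) {
        // Covers JWT failures (expired, bad signature, malformed, missing claim) and
        // PDO errors. The reason is logged server-side only: echoing $e->getMessage()
        // to the client would disclose signature/expiry details or database errors.
        error_log('requireAuth: token rejected: ' . $e->getMessage());

        if (_auth_is_browser_request()) {
            header('Location: /admin_login.php');
            exit;
        }
        _auth_json_error(401, 'Invalid or expired token');
    }
}

/**
 * Pull the bearer token out of the current request, if any.
 *
 * The Authorization header is preferred. It is read from getallheaders() when
 * that function exists, and otherwise (or when the SAPI did not expose the
 * header there) from $_SERVER['HTTP_AUTHORIZATION'] / REDIRECT_HTTP_AUTHORIZATION.
 * Header names are matched case-insensitively. Only the "Bearer" scheme is
 * honoured, and only as a prefix, so another scheme is not handed to the JWT
 * decoder and "Bearer " is not stripped from the middle of the value.
 *
 * NOTE(review): the cookie fallback accepts the *refresh_token* cookie as a
 * bearer credential, as the original code did — confirm this is intended, since
 * it gives the long-lived token the same power as an access token.
 *
 * @return string|null The raw token, or null when no usable credential was sent.
 */
function _auth_extract_token() {
    $headers = function_exists('getallheaders') ? getallheaders() : [];
    $headers = array_change_key_case((array) $headers, CASE_LOWER);

    $auth = $headers['authorization']
        ?? $_SERVER['HTTP_AUTHORIZATION']
        ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
        ?? null;

    if ($auth !== null) {
        $auth = trim($auth);
        // Scheme names are case-insensitive (RFC 7235); match it at the start only.
        if (stripos($auth, 'Bearer ') === 0) {
            return trim(substr($auth, 7));
        }
        return null;
    }

    if (isset($_COOKIE['refresh_token'])) {
        return $_COOKIE['refresh_token'];
    }

    return null;
}

/**
 * Heuristic for "this is a browser navigation rather than an API call".
 *
 * True when the Accept header mentions text/html or the request URI contains
 * ".php"; used to choose between a redirect/HTML notice and a JSON body.
 *
 * @return bool
 */
function _auth_is_browser_request() {
    $accept = $_SERVER['HTTP_ACCEPT'] ?? '';
    if (strpos($accept, 'text/html') !== false) {
        return true;
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    return strpos($uri, '.php') !== false;
}

/**
 * Emit a JSON error body with the given HTTP status and stop the request.
 *
 * @param int    $status  HTTP status code (401 or 403 here).
 * @param string $message Client-facing message; must not carry internal detail.
 * @return void Never returns: the request ends with exit.
 */
function _auth_json_error($status, $message) {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['message' => $message]);
    exit;
}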

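// Including this file restricts the current page to the admin role: every
// failure path in requireAuth() exits (redirect, HTML notice or JSON 401/403),
// so code after the require only runs for an authenticated admin, with the
// user row available in the global $current_user.
requireAuth('admin');

// No closing "?>" tag on purpose: any whitespace after it would be sent as
// output and break header()/redirects issued by the including page.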