add all files

2026-02-17 09:29:34 -06:00
parent b8c8d67c67
commit 782d203799
21925 changed files with 2433086 additions and 0 deletions
--- a/lasuca/api/endpoints/auth/login.php
+++ b/lasuca/api/endpoints/auth/login.php
@@ -0,0 +1,51 @@
+<?php
+// phpcs:ignoreFile
+/**
+ * POST /api/auth/login
+ * 
+ * Authenticate user and return JWT tokens.
+ */
+
+declare(strict_types=1);
+
+$body = api_get_json_body();
+api_require_fields($body, ['username', 'password']);
+
+$username = trim((string) $body['username']);
+$password = (string) $body['password'];
+
+// Attempt authentication
+$member = auth_attempt_login($username, $password);
+
+if ($member === null) {
+    api_error('Invalid username or password', 401);
+}
+
+// Generate tokens
+$accessToken = jwt_create_access_token($member);
+$refreshData = jwt_create_refresh_token($member);
+
+// Store refresh token in database
+$stored = jwt_store_refresh_token(
+    $member['username'],
+    $refreshData['token_id'],
+    $refreshData['expires_at']
+);
+
+if (!$stored) {
+    // Log but don't fail - access token still works
+    error_log('Failed to store refresh token for user: ' . $member['username']);
+}
+
+api_success([
+    'access_token' => $accessToken,
+    'refresh_token' => $refreshData['token'],
+    'token_type' => 'Bearer',
+    'expires_in' => 900, // 15 minutes in seconds
+    'user' => [
+        'username' => $member['username'],
+        'growerid' => $member['growerid'] ?? null,
+        'growername' => $member['growername'] ?? null,
+        'email' => $member['email'] ?? null,
+    ],
+]);
--- a/lasuca/api/endpoints/auth/logout.php
+++ b/lasuca/api/endpoints/auth/logout.php
@@ -0,0 +1,37 @@
+<?php
+// phpcs:ignoreFile
+/**
+ * POST /api/auth/logout
+ * 
+ * Revoke the current refresh token.
+ */
+
+declare(strict_types=1);
+
+$body = api_get_json_body();
+
+// If refresh token provided, revoke it specifically
+if (isset($body['refresh_token']) && $body['refresh_token'] !== '') {
+    $refreshToken = trim((string) $body['refresh_token']);
+    $payload = jwt_decode_token($refreshToken);
+    
+    if ($payload !== null && isset($payload['jti'])) {
+        jwt_revoke_refresh_token($payload['jti']);
+    }
+}
+
+// Optionally, if access token is valid, revoke all user tokens
+$accessToken = jwt_get_bearer_token();
+
+if ($accessToken !== null) {
+    $payload = jwt_decode_token($accessToken);
+    
+    if ($payload !== null && isset($payload['sub'])) {
+        // If 'revoke_all' flag is set, revoke all tokens for this user
+        if (isset($body['revoke_all']) && $body['revoke_all'] === true) {
+            jwt_revoke_all_user_tokens($payload['sub']);
+        }
+    }
+}
+
+api_success(['message' => 'Logged out successfully']);
--- a/lasuca/api/endpoints/auth/me.php
+++ b/lasuca/api/endpoints/auth/me.php
@@ -0,0 +1,30 @@
+<?php
+// phpcs:ignoreFile
+/**
+ * GET /api/auth/me
+ * 
+ * Return current authenticated user information.
+ */
+
+declare(strict_types=1);
+
+// Require valid access token
+$tokenUser = jwt_require_auth();
+
+// Fetch fresh user data from database
+$member = auth_find_member($tokenUser['username']);
+
+if ($member === null) {
+    api_error('User not found', 404);
+}
+
+api_success([
+    'user' => [
+        'username' => $member['username'],
+        'growerid' => $member['growerid'] ?? null,
+        'growername' => $member['growername'] ?? null,
+        'email' => $member['email'] ?? null,
+        'phone' => $member['phone'] ?? null,
+        'last_login_at' => $member['last_login_at'] ?? null,
+    ],
+]);
--- a/lasuca/api/endpoints/auth/refresh.php
+++ b/lasuca/api/endpoints/auth/refresh.php
@@ -0,0 +1,65 @@
+<?php
+// phpcs:ignoreFile
+/**
+ * POST /api/auth/refresh
+ * 
+ * Exchange a valid refresh token for a new access token.
+ */
+
+declare(strict_types=1);
+
+$body = api_get_json_body();
+api_require_fields($body, ['refresh_token']);
+
+$refreshToken = trim((string) $body['refresh_token']);
+
+// Decode the refresh token
+$payload = jwt_decode_token($refreshToken);
+
+if ($payload === null) {
+    api_error('Invalid or expired refresh token', 401);
+}
+
+if (!isset($payload['type']) || $payload['type'] !== 'refresh') {
+    api_error('Invalid token type', 401);
+}
+
+$username = $payload['sub'] ?? null;
+$tokenId = $payload['jti'] ?? null;
+
+if ($username === null || $tokenId === null) {
+    api_error('Invalid refresh token payload', 401);
+}
+
+// Verify token exists in database and is not revoked
+if (!jwt_validate_refresh_token($username, $tokenId)) {
+    api_error('Refresh token has been revoked or does not exist', 401);
+}
+
+// Look up current user data
+$member = auth_find_member($username);
+
+if ($member === null) {
+    api_error('User no longer exists', 401);
+}
+
+// Revoke the old refresh token (rotation for security)
+jwt_revoke_refresh_token($tokenId);
+
+// Generate new tokens
+$accessToken = jwt_create_access_token($member);
+$newRefreshData = jwt_create_refresh_token($member);
+
+// Store new refresh token
+jwt_store_refresh_token(
+    $member['username'],
+    $newRefreshData['token_id'],
+    $newRefreshData['expires_at']
+);
+
+api_success([
+    'access_token' => $accessToken,
+    'refresh_token' => $newRefreshData['token'],
+    'token_type' => 'Bearer',
+    'expires_in' => 900,
+]);