revoked access to website for coaches, added web-specific tokens

This commit is contained in:
2026-05-26 15:49:19 +02:00
parent 7671c9f329
commit 2181d1731e
36 changed files with 129 additions and 41 deletions

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
$method = $_SERVER['REQUEST_METHOD'];
switch ($method) {

View File

@ -1,7 +1,6 @@
<?php
$tokenRec = require_valid_token();
require_role(['admin', 'supervisor'], $tokenRec);
$tokenRec = require_valid_token_web();
$callerRole = $tokenRec['role'];
$callerEntityID = $tokenRec['entityID'] ?? '';

View File

@ -43,6 +43,8 @@ case 'auth/login':
qdb_discard($tmpDb, $lockFp);
qdb_reject_coach_web_login((string)($user['role'] ?? ''));
if ((int)$user['mustChangePassword'] === 1) {
$tempToken = bin2hex(random_bytes(32));
token_add($tempToken, 10 * 60, [
@ -127,6 +129,8 @@ case 'auth/change-password':
json_error('FORBIDDEN', 'Token does not match user', 403);
}
qdb_reject_coach_web_login((string)($user['role'] ?? ''));
if (!password_verify($oldPassword, $user['passwordHash'])) {
qdb_discard($tmpDb, $lockFp);
json_error('INVALID_CREDENTIALS', 'Old password incorrect', 401);

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
require_role(['admin'], $tokenRec);
$dbPath = QDB_PATH;

View File

@ -1,7 +1,6 @@
<?php
$tokenRec = require_valid_token();
require_role(['admin', 'supervisor'], $tokenRec);
$tokenRec = require_valid_token_web();
$callerRole = $tokenRec['role'];
$callerEntityID = $tokenRec['entityID'] ?? '';

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
$token = $tokenRec['_token'];
if ($method !== 'GET') {

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
if ($method !== 'GET') {
json_error('METHOD_NOT_ALLOWED', 'Method not allowed', 405);

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
switch ($method) {

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
switch ($method) {

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
if ($method !== 'GET') {
json_error('METHOD_NOT_ALLOWED', 'Method not allowed', 405);

View File

@ -1,6 +1,6 @@
<?php
$tokenRec = require_valid_token();
$tokenRec = require_valid_token_web();
$validTypes = ['question', 'answer_option', 'string', 'app_string', 'language'];

View File

@ -1,7 +1,6 @@
<?php
$tokenRec = require_valid_token();
require_role(['admin', 'supervisor'], $tokenRec);
$tokenRec = require_valid_token_web();
$callerRole = $tokenRec['role'];
$callerEntityID = $tokenRec['entityID'] ?? '';