Add session management features: implement user session revocation on password change, enhance session validation, and update UI for password change functionality
This commit is contained in:
@ -147,10 +147,11 @@ case 'auth/change-password':
|
||||
"UPDATE users SET passwordHash = :h, mustChangePassword = 0 WHERE userID = :uid"
|
||||
)->execute([':h' => $newHash, ':uid' => $user['userID']]);
|
||||
|
||||
token_revoke_all_for_user_on_pdo($pdo, $user['userID']);
|
||||
|
||||
qdb_save($tmpDb, $lockFp);
|
||||
|
||||
// Revoke the old (possibly temp) token and issue a fresh one
|
||||
token_revoke($bearerToken);
|
||||
// Issue a fresh session for this browser only
|
||||
$newToken = bin2hex(random_bytes(32));
|
||||
token_add($newToken, 30 * 24 * 60 * 60, [
|
||||
'role' => $user['role'],
|
||||
|
||||
46
handlers/session.php
Normal file
46
handlers/session.php
Normal file
@ -0,0 +1,46 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* GET /api/session — verify Bearer token is still active (website session check).
|
||||
*/
|
||||
|
||||
if ($method !== 'GET') {
|
||||
json_error('METHOD_NOT_ALLOWED', 'Method not allowed', 405);
|
||||
}
|
||||
|
||||
$token = get_bearer_token();
|
||||
if (!$token) {
|
||||
json_error('UNAUTHORIZED', 'Missing Bearer token', 401);
|
||||
}
|
||||
|
||||
$rec = token_get_record($token);
|
||||
if (!$rec) {
|
||||
json_error('UNAUTHORIZED', 'Invalid or expired token', 401);
|
||||
}
|
||||
|
||||
$role = (string)($rec['role'] ?? '');
|
||||
if ($role === 'coach') {
|
||||
json_error('FORBIDDEN', 'Coach accounts can only sign in through the mobile app.', 403);
|
||||
}
|
||||
|
||||
$username = '';
|
||||
if (($rec['userID'] ?? '') !== '') {
|
||||
try {
|
||||
[$pdo, $tmpDb, $lockFp] = qdb_open(false);
|
||||
$stmt = $pdo->prepare('SELECT username FROM users WHERE userID = :uid');
|
||||
$stmt->execute([':uid' => $rec['userID']]);
|
||||
$row = $stmt->fetchColumn();
|
||||
$username = $row !== false ? (string)$row : '';
|
||||
qdb_discard($tmpDb, $lockFp);
|
||||
} catch (Throwable $e) {
|
||||
error_log('session username lookup: ' . $e->getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
json_success([
|
||||
'valid' => true,
|
||||
'user' => $username,
|
||||
'role' => $role,
|
||||
'userID' => $rec['userID'] ?? '',
|
||||
'mustChangePassword' => !empty($rec['temp']),
|
||||
]);
|
||||
@ -232,6 +232,8 @@ case 'PATCH':
|
||||
'UPDATE users SET passwordHash = :h, mustChangePassword = :mcp WHERE userID = :uid'
|
||||
)->execute([':h' => $hash, ':mcp' => $mustChange, ':uid' => $targetUserID]);
|
||||
|
||||
token_revoke_all_for_user_on_pdo($pdo, $targetUserID);
|
||||
|
||||
qdb_save($tmpDb, $lockFp);
|
||||
|
||||
json_success([
|
||||
|
||||
Reference in New Issue
Block a user