Add session management features: implement user session revocation on password change, enhance session validation, and update UI for password change functionality

This commit is contained in:
tom.hempel
2026-06-01 23:11:00 +02:00
parent e4d55f4c90
commit 43c47bca6d
13 changed files with 472 additions and 200 deletions

46
handlers/session.php Normal file
View File

@ -0,0 +1,46 @@
<?php
/**
* GET /api/session — verify Bearer token is still active (website session check).
*/
if ($method !== 'GET') {
json_error('METHOD_NOT_ALLOWED', 'Method not allowed', 405);
}
$token = get_bearer_token();
if (!$token) {
json_error('UNAUTHORIZED', 'Missing Bearer token', 401);
}
$rec = token_get_record($token);
if (!$rec) {
json_error('UNAUTHORIZED', 'Invalid or expired token', 401);
}
$role = (string)($rec['role'] ?? '');
if ($role === 'coach') {
json_error('FORBIDDEN', 'Coach accounts can only sign in through the mobile app.', 403);
}
$username = '';
if (($rec['userID'] ?? '') !== '') {
try {
[$pdo, $tmpDb, $lockFp] = qdb_open(false);
$stmt = $pdo->prepare('SELECT username FROM users WHERE userID = :uid');
$stmt->execute([':uid' => $rec['userID']]);
$row = $stmt->fetchColumn();
$username = $row !== false ? (string)$row : '';
qdb_discard($tmpDb, $lockFp);
} catch (Throwable $e) {
error_log('session username lookup: ' . $e->getMessage());
}
}
json_success([
'valid' => true,
'user' => $username,
'role' => $role,
'userID' => $rec['userID'] ?? '',
'mustChangePassword' => !empty($rec['temp']),
]);