removed legacy files
This commit is contained in:
@ -7,7 +7,7 @@
|
||||
* GET ?clients=1 -> list of clients assigned to the authenticated coach
|
||||
* POST -> submit interview answers for a client (coach / supervisor / admin).
|
||||
* Re-posting the same clientCode + questionnaireID updates answers in place (re-edit).
|
||||
* Mobile clients encrypt answers at rest on device; POST body is plaintext JSON over HTTPS.
|
||||
* Sensitive POST/GET ?clients=1 bodies use encrypted payloads (HKDF from Bearer token).
|
||||
*/
|
||||
|
||||
// Public app UI catalog for the login screen (no token, no PII).
|
||||
@ -23,7 +23,7 @@ $tokenRec = require_valid_token();
|
||||
if ($method === 'POST') {
|
||||
require_role(['admin', 'supervisor', 'coach'], $tokenRec);
|
||||
|
||||
$body = read_json_body();
|
||||
$body = read_encrypted_json_body($tokenRec['_token']);
|
||||
require_fields($body, ['questionnaireID', 'clientCode', 'answers']);
|
||||
|
||||
$qnID = trim($body['questionnaireID']);
|
||||
@ -259,7 +259,7 @@ if ($fetchClients) {
|
||||
}, $clientCodes);
|
||||
|
||||
qdb_discard($tmpDb, $lockFp);
|
||||
json_success(['coachID' => $coachID, 'clients' => $clients]);
|
||||
json_success_sensitive(['coachID' => $coachID, 'clients' => $clients], $tokenRec['_token']);
|
||||
}
|
||||
|
||||
if ($qnID) {
|
||||
|
||||
@ -67,12 +67,18 @@ case 'auth/login':
|
||||
'entityID' => $user['entityID'],
|
||||
'userID' => $user['userID'],
|
||||
]);
|
||||
json_success([
|
||||
'token' => $token,
|
||||
'user' => $username,
|
||||
'role' => $user['role'],
|
||||
'clients' => $assignedClients,
|
||||
]);
|
||||
$loginData = [
|
||||
'token' => $token,
|
||||
'user' => $username,
|
||||
'role' => $user['role'],
|
||||
];
|
||||
if ($assignedClients !== []) {
|
||||
$loginData['clientsPayload'] = qdb_sensitive_envelope(
|
||||
json_encode(['clients' => $assignedClients], JSON_UNESCAPED_UNICODE),
|
||||
$token
|
||||
);
|
||||
}
|
||||
json_success($loginData);
|
||||
} catch (Throwable $e) {
|
||||
if (isset($tmpDb, $lockFp)) qdb_discard($tmpDb, $lockFp);
|
||||
error_log($e->getMessage());
|
||||
|
||||
@ -1,73 +0,0 @@
|
||||
<?php
|
||||
|
||||
$tokenRec = require_valid_token_web();
|
||||
$token = $tokenRec['_token'];
|
||||
|
||||
if ($method !== 'GET') {
|
||||
json_error('METHOD_NOT_ALLOWED', 'Method not allowed', 405);
|
||||
}
|
||||
|
||||
$dbPath = QDB_PATH;
|
||||
if (!file_exists($dbPath)) {
|
||||
json_error('NOT_FOUND', 'Database not found', 404);
|
||||
}
|
||||
|
||||
$encMaster = file_get_contents($dbPath);
|
||||
if ($encMaster === false) {
|
||||
json_error('SERVER_ERROR', 'Could not read database', 500);
|
||||
}
|
||||
|
||||
try {
|
||||
$masterKey = get_master_key_bytes();
|
||||
$plain = aes256_cbc_decrypt_bytes($encMaster, $masterKey);
|
||||
} catch (Throwable $e) {
|
||||
error_log($e->getMessage());
|
||||
json_error('SERVER_ERROR', 'Decryption failed', 500);
|
||||
}
|
||||
|
||||
$role = $tokenRec['role'] ?? '';
|
||||
if ($role !== 'admin') {
|
||||
$tmpFilter = tempnam(sys_get_temp_dir(), 'qdb_filt_');
|
||||
file_put_contents($tmpFilter, $plain);
|
||||
try {
|
||||
$fpdo = new PDO("sqlite:$tmpFilter");
|
||||
$fpdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
|
||||
$fpdo->exec("PRAGMA foreign_keys = OFF;");
|
||||
|
||||
[$clause, $params] = rbac_client_filter($tokenRec);
|
||||
$delStmt = $fpdo->prepare("DELETE FROM client WHERE NOT ($clause)");
|
||||
foreach ($params as $k => $v) $delStmt->bindValue($k, $v);
|
||||
$delStmt->execute();
|
||||
|
||||
$fpdo->exec("DELETE FROM client_answer WHERE clientCode NOT IN (SELECT clientCode FROM client)");
|
||||
$fpdo->exec("DELETE FROM completed_questionnaire WHERE clientCode NOT IN (SELECT clientCode FROM client)");
|
||||
|
||||
foreach (['users', 'admin', 'supervisor', 'coach'] as $tbl) {
|
||||
$fpdo->exec("DELETE FROM $tbl");
|
||||
}
|
||||
|
||||
$fpdo = null;
|
||||
$plain = file_get_contents($tmpFilter);
|
||||
} finally {
|
||||
@unlink($tmpFilter);
|
||||
}
|
||||
}
|
||||
|
||||
$type = strtolower(trim($_GET['type'] ?? 'encrypted'));
|
||||
|
||||
if ($type === 'plain') {
|
||||
header('Content-Type: application/octet-stream');
|
||||
header('Content-Disposition: attachment; filename="questionnaire_database.sqlite"');
|
||||
header('Content-Length: ' . strlen($plain));
|
||||
echo $plain;
|
||||
exit;
|
||||
}
|
||||
|
||||
$sessionKey = hkdf_session_key_from_token($token);
|
||||
$out = aes256_cbc_encrypt_bytes($plain, $sessionKey);
|
||||
|
||||
header('Content-Type: application/octet-stream');
|
||||
header('Content-Disposition: attachment; filename="questionnaire_database"');
|
||||
header('Content-Length: ' . strlen($out));
|
||||
echo $out;
|
||||
exit;
|
||||
Reference in New Issue
Block a user