added clients list to coach login response
This commit is contained in:
@ -50,6 +50,49 @@ Request:
|
|||||||
|
|
||||||
Success:
|
Success:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ok": true,
|
||||||
|
"data": {
|
||||||
|
"token": "64-character-hex-token",
|
||||||
|
"user": "coach1",
|
||||||
|
"role": "coach",
|
||||||
|
"clients": [
|
||||||
|
{ "clientCode": "CLIENT-001" },
|
||||||
|
{ "clientCode": "CLIENT-002" }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
For `coach` accounts, `clients` lists client codes currently assigned to that coach (`client.coachID`). Other roles omit this field or return an empty array.
|
||||||
|
|
||||||
|
If the account must change its password first, the response contains `mustChangePassword: true` and a temporary token. That temporary token cannot access questionnaire endpoints until the password is changed.
|
||||||
|
|
||||||
|
### Change password
|
||||||
|
|
||||||
|
`POST /api/auth/change-password`
|
||||||
|
|
||||||
|
Headers:
|
||||||
|
|
||||||
|
```http
|
||||||
|
Authorization: Bearer <token>
|
||||||
|
```
|
||||||
|
|
||||||
|
The token may be a normal session token or the temporary token returned when `mustChangePassword` is true.
|
||||||
|
|
||||||
|
Request:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"username": "coach1",
|
||||||
|
"old_password": "temporary-or-current-password",
|
||||||
|
"new_password": "new-secret"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Success:
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"ok": true,
|
"ok": true,
|
||||||
@ -61,7 +104,16 @@ Success:
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
If the account must change its password first, the response contains `mustChangePassword: true` and a temporary token. That temporary token cannot access questionnaire endpoints until the password is changed.
|
The server revokes the previous token and returns a new full session token. `new_password` must be at least 6 characters.
|
||||||
|
|
||||||
|
Common failures:
|
||||||
|
|
||||||
|
- `400 MISSING_FIELDS`: required fields missing.
|
||||||
|
- `400 PASSWORD_TOO_SHORT`: new password too short.
|
||||||
|
- `401 INVALID_CREDENTIALS`: old password incorrect.
|
||||||
|
- `403`: invalid, expired, or mismatched token.
|
||||||
|
|
||||||
|
There is no self-service signup endpoint. Coach accounts are created on the web by administrators.
|
||||||
|
|
||||||
## Fetch Questionnaires
|
## Fetch Questionnaires
|
||||||
|
|
||||||
|
|||||||
@ -23,12 +23,26 @@ case 'auth/login':
|
|||||||
);
|
);
|
||||||
$stmt->execute([':u' => $username]);
|
$stmt->execute([':u' => $username]);
|
||||||
$user = $stmt->fetch(PDO::FETCH_ASSOC);
|
$user = $stmt->fetch(PDO::FETCH_ASSOC);
|
||||||
qdb_discard($tmpDb, $lockFp);
|
|
||||||
|
|
||||||
if (!$user || !password_verify($password, $user['passwordHash'])) {
|
if (!$user || !password_verify($password, $user['passwordHash'])) {
|
||||||
|
qdb_discard($tmpDb, $lockFp);
|
||||||
json_error('INVALID_CREDENTIALS', 'Invalid username or password', 401);
|
json_error('INVALID_CREDENTIALS', 'Invalid username or password', 401);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$assignedClients = [];
|
||||||
|
if (($user['role'] ?? '') === 'coach' && ($user['entityID'] ?? '') !== '') {
|
||||||
|
$cStmt = $pdo->prepare(
|
||||||
|
"SELECT clientCode FROM client WHERE coachID = :cid ORDER BY clientCode"
|
||||||
|
);
|
||||||
|
$cStmt->execute([':cid' => $user['entityID']]);
|
||||||
|
$assignedClients = array_map(
|
||||||
|
fn($code) => ['clientCode' => $code],
|
||||||
|
$cStmt->fetchAll(PDO::FETCH_COLUMN)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
qdb_discard($tmpDb, $lockFp);
|
||||||
|
|
||||||
if ((int)$user['mustChangePassword'] === 1) {
|
if ((int)$user['mustChangePassword'] === 1) {
|
||||||
$tempToken = bin2hex(random_bytes(32));
|
$tempToken = bin2hex(random_bytes(32));
|
||||||
token_add($tempToken, 10 * 60, [
|
token_add($tempToken, 10 * 60, [
|
||||||
@ -52,9 +66,10 @@ case 'auth/login':
|
|||||||
'userID' => $user['userID'],
|
'userID' => $user['userID'],
|
||||||
]);
|
]);
|
||||||
json_success([
|
json_success([
|
||||||
'token' => $token,
|
'token' => $token,
|
||||||
'user' => $username,
|
'user' => $username,
|
||||||
'role' => $user['role'],
|
'role' => $user['role'],
|
||||||
|
'clients' => $assignedClients,
|
||||||
]);
|
]);
|
||||||
} catch (Throwable $e) {
|
} catch (Throwable $e) {
|
||||||
if (isset($tmpDb, $lockFp)) qdb_discard($tmpDb, $lockFp);
|
if (isset($tmpDb, $lockFp)) qdb_discard($tmpDb, $lockFp);
|
||||||
|
|||||||
Reference in New Issue
Block a user