'pw1', 'user02' => 'pw2', 'Tmp_Daniel' => 'dummy4', 'Tmp_Johanna' => 'dummy1', 'Tmp_Anke' => 'dummy2', 'Tmp_Liliana' => 'dummy3', 'Amy_tmp' => 'dummy4', 'Brigitte_tmp' => 'dummy5', 'Extra1_tmp' => 'dummy6', 'Extra2_tmp' => 'dummy7', 'Danny' => 'pw1', 'User1' => 'pw1', 'User2' => 'pw2', 'User3' => 'pw3', 'User4' => 'pw4', 'User5' => 'pw5', 'User6' => 'pw6', 'User7' => 'pw7', 'User8' => 'pw8', 'User9' => 'pw9', 'User10' => 'pw10', 'User11' => 'pw11' ]; $STORE_FILE = __DIR__ . '/users.json'; function load_store($path) { if (!file_exists($path)) return []; $txt = file_get_contents($path); $arr = json_decode($txt, true); return is_array($arr) ? $arr : []; } function save_store($path, $data) { file_put_contents($path, json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)); } $raw = file_get_contents("php://input"); $in = json_decode($raw, true) ?: []; $username = trim($in['username'] ?? ''); $oldPassword = (string)($in['old_password'] ?? ''); $newPassword = (string)($in['new_password'] ?? ''); if ($username === '' || $oldPassword === '' || $newPassword === '') { http_response_code(400); echo json_encode(["success" => false, "message" => "Felder fehlen"]); exit; } if (strlen($newPassword) < 6) { http_response_code(400); echo json_encode(["success" => false, "message" => "Neues Passwort zu kurz (min. 6 Zeichen)."]); exit; } $store = load_store($STORE_FILE); // Fall A: User hat schon Hash -> altes Passwort gegen Hash prüfen if (array_key_exists($username, $store) && isset($store[$username]['hash'])) { $hash = (string)$store[$username]['hash']; if (!password_verify($oldPassword, $hash)) { http_response_code(401); echo json_encode(["success" => false, "message" => "Altes Passwort falsch."]); exit; } } else { // Fall B: User hat noch keinen Hash -> gegen Default prüfen if (!array_key_exists($username, $USERS_DEFAULT) || $USERS_DEFAULT[$username] !== $oldPassword) { http_response_code(401); echo json_encode(["success" => false, "message" => "Altes Passwort falsch."]); exit; } } // neuen Hash setzen (bcrypt) $store[$username] = [ "hash" => password_hash($newPassword, PASSWORD_DEFAULT), "changedAt" => time() ]; save_store($STORE_FILE, $store); // Nach erfolgreichem Wechsel direkt einloggen (Token erstellen) $token = bin2hex(random_bytes(32)); token_add($token, 30 * 24 * 60 * 60); echo json_encode([ "success" => true, "message" => "Passwort geändert.", "token" => $token, "user" => $username ]);