'pw1', 'user02' => 'pw2', 'Tmp_Daniel' => 'dummy4', 'Tmp_Johanna' => 'dummy1', 'Tmp_Anke' => 'dummy2', 'Tmp_Liliana' => 'dummy3', 'Amy_tmp' => 'dummy4', 'Brigitte_tmp' => 'dummy5', 'Extra1_tmp' => 'dummy6', 'Extra2_tmp' => 'dummy7', 'Danny' => 'pw1', 'User1' => 'pw1', 'User2' => 'pw2', 'User3' => 'pw3', 'User4' => 'pw4', 'User5' => 'pw5', 'User6' => 'pw6', 'User7' => 'pw7', 'User8' => 'pw8', 'User9' => 'pw9', 'User10' => 'pw10', 'User11' => 'pw11' ]; $STORE_FILE = __DIR__ . '/users.json'; // persistenter Speicher für gehashte Passwörter function load_store($path) { if (!file_exists($path)) return []; $txt = file_get_contents($path); $arr = json_decode($txt, true); return is_array($arr) ? $arr : []; } function save_store($path, $data) { file_put_contents($path, json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)); } $raw = file_get_contents("php://input"); $data = json_decode($raw, true) ?: []; $username = trim($data['username'] ?? ''); $password = (string)($data['password'] ?? ''); if ($username === '' || $password === '') { http_response_code(400); echo json_encode(["success" => false, "message" => "Username/Passwort fehlt"]); exit; } // 1) Prüfe, ob Nutzer bereits ein *eigenes*, gehashtes Passwort hat $store = load_store($STORE_FILE); // Struktur: ["user01" => ["hash" => "...", "changedAt" => 1234567890]] if (array_key_exists($username, $store)) { $hash = (string)($store[$username]['hash'] ?? ''); if ($hash !== '' && password_verify($password, $hash)) { // ok -> normaler Login $token = bin2hex(random_bytes(32)); token_add($token, 30 * 24 * 60 * 60); echo json_encode(["success" => true, "token" => $token, "user" => $username]); exit; } // hat schon Hash, aber PW falsch http_response_code(401); echo json_encode(["success" => false, "message" => "Ungültige Zugangsdaten"]); exit; } // 2) Nutzer hat *noch* keinen Hash -> nur Default-Zugang erlaubt if (!array_key_exists($username, $USERS_DEFAULT)) { http_response_code(401); echo json_encode(["success" => false, "message" => "Ungültige Zugangsdaten"]); exit; } if ($USERS_DEFAULT[$username] !== $password) { http_response_code(401); echo json_encode(["success" => false, "message" => "Ungültige Zugangsdaten"]); exit; } // 3) Default-Passwort korrekt -> Passwortwechsel erzwingen echo json_encode([ "success" => true, "user" => $username, "must_change_password" => true, "message" => "Bitte Passwort ändern." ]);