Files
WebGIS-Project/webgis-kemiskinan/php/middleware/auth.php
T
2026-06-10 17:28:32 +07:00

126 lines
4.2 KiB
PHP

<?php
// ============================================================
// Middleware Autentikasi & Otorisasi
// ============================================================
require_once __DIR__ . '/../koneksi.php';
if (session_status() === PHP_SESSION_NONE) {
session_start([
'cookie_httponly' => true,
'cookie_samesite' => 'Strict',
'use_strict_mode' => true,
]);
}
// ============================================================
// Fungsi login / logout
// ============================================================
function doLogin(PDO $pdo, string $username, string $password): array {
$stmt = $pdo->prepare("
SELECT u.*, r.nama AS role_nama
FROM users u
JOIN roles r ON r.id = u.role_id
WHERE u.username = :u AND u.aktif = 1
LIMIT 1
");
$stmt->execute([':u' => $username]);
$user = $stmt->fetch();
if (!$user || !password_verify($password, $user['password_hash'])) {
return ['success' => false, 'message' => 'Username atau password salah.'];
}
// Update last_login
$pdo->prepare("UPDATE users SET last_login = NOW() WHERE id = :id")
->execute([':id' => $user['id']]);
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_nama'] = $user['nama'];
$_SESSION['role'] = $user['role_nama'];
$_SESSION['role_id'] = $user['role_id'];
$_SESSION['rumah_ibadah_id'] = $user['rumah_ibadah_id'];
session_regenerate_id(true);
logAktivitas($pdo, $user['id'], 'LOGIN', 'users', (string)$user['id']);
return ['success' => true, 'role' => $user['role_nama']];
}
function doLogout(PDO $pdo): void {
if (isset($_SESSION['user_id'])) {
logAktivitas($pdo, $_SESSION['user_id'], 'LOGOUT', 'users', (string)$_SESSION['user_id']);
}
session_destroy();
}
// ============================================================
// Guard: wajib login
// ============================================================
function requireLogin(array $allowedRoles = []): array {
if (empty($_SESSION['user_id'])) {
// Jika request API
if (!empty($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'application/json') !== false) {
jsonResponse(false, 'Sesi habis. Silakan login kembali.', [], 401);
}
header('Location: ' . APP_URL . '/admin/login.php');
exit;
}
if (!empty($allowedRoles) && !in_array($_SESSION['role'], $allowedRoles, true)) {
if (!empty($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'application/json') !== false) {
jsonResponse(false, 'Tidak punya akses.', [], 403);
}
header('Location: ' . APP_URL . '/admin/forbidden.php');
exit;
}
return [
'id' => (int)$_SESSION['user_id'],
'nama' => $_SESSION['user_nama'],
'role' => $_SESSION['role'],
'role_id' => (int)$_SESSION['role_id'],
'rumah_ibadah_id' => $_SESSION['rumah_ibadah_id'] ? (int)$_SESSION['rumah_ibadah_id'] : null,
];
}
// ============================================================
// Guard API: token-based (opsional, untuk mobile app nanti)
// ============================================================
function getApiUser(PDO $pdo): ?array {
// Cek session dulu
if (!empty($_SESSION['user_id'])) {
return [
'id' => (int)$_SESSION['user_id'],
'role' => $_SESSION['role'],
'role_id' => (int)$_SESSION['role_id'],
'rumah_ibadah_id' => $_SESSION['rumah_ibadah_id'] ? (int)$_SESSION['rumah_ibadah_id'] : null,
];
}
return null; // belum login = null
}
// ============================================================
// Cek izin per fitur
// ============================================================
function canEdit(?array $user): bool {
if (!$user) return false;
return in_array($user['role'], ['admin', 'pengurus'], true);
}
function canVerify(?array $user): bool {
if (!$user) return false;
return in_array($user['role'], ['admin', 'pengurus'], true);
}
function canViewAll(?array $user): bool {
if (!$user) return false;
return in_array($user['role'], ['admin', 'pengurus', 'pimpinan'], true);
}
function isAdmin(?array $user): bool {
return $user && $user['role'] === 'admin';
}