95 lines
3.3 KiB
PHP
95 lines
3.3 KiB
PHP
<?php
|
|
// ============================================================
|
|
// api/auth/check.php — Session check & login/logout
|
|
//
|
|
// GET /api/auth/check.php → check session
|
|
// POST /api/auth/check.php?action=login → login
|
|
// POST /api/auth/check.php?action=logout→ logout
|
|
// ============================================================
|
|
declare(strict_types=1);
|
|
require_once __DIR__ . '/../../config/bootstrap.php';
|
|
|
|
$method = $_SERVER['REQUEST_METHOD'] ?? 'CLI';
|
|
$action = $_GET['action'] ?? 'check';
|
|
|
|
// ================================================================
|
|
// CHECK — return current session state
|
|
// ================================================================
|
|
if ($method === 'GET' || $action === 'check') {
|
|
if (!empty($_SESSION['user_id']) && !empty($_SESSION['role'])) {
|
|
Response::success([
|
|
'logged_in' => true,
|
|
'user_id' => (int)$_SESSION['user_id'],
|
|
'name' => $_SESSION['name'] ?? '',
|
|
'email' => $_SESSION['email'] ?? '',
|
|
'role' => $_SESSION['role'],
|
|
]);
|
|
} else {
|
|
Response::success(['logged_in' => false]);
|
|
}
|
|
}
|
|
|
|
// ================================================================
|
|
// LOGIN
|
|
// ================================================================
|
|
if ($method === 'POST' && $action === 'login') {
|
|
$data = Validator::json();
|
|
$v = Validator::make($data, [
|
|
'email' => 'required',
|
|
'password' => 'required',
|
|
]);
|
|
$v->validate_or_fail();
|
|
|
|
$pdo = Database::get();
|
|
$stmt = $pdo->prepare(
|
|
'SELECT id, name, email, password_hash, role, is_active FROM users WHERE email = ? LIMIT 1'
|
|
);
|
|
$stmt->execute([strtolower(trim($data['email']))]);
|
|
$user = $stmt->fetch();
|
|
|
|
if (!$user || !$user['is_active']) {
|
|
AuditLog::record('auth.login_failed', 'users', null, null, ['email' => $data['email']]);
|
|
Response::error('Username atau password salah.', 401);
|
|
}
|
|
|
|
if (!password_verify($data['password'], $user['password_hash'])) {
|
|
AuditLog::record('auth.login_failed', 'users', null, null, ['email' => $data['email']]);
|
|
Response::error('Username atau password salah.', 401);
|
|
}
|
|
|
|
// Regenerate session ID to prevent fixation
|
|
session_regenerate_id(true);
|
|
|
|
$_SESSION['user_id'] = $user['id'];
|
|
$_SESSION['name'] = $user['name'];
|
|
$_SESSION['email'] = $user['email'];
|
|
$_SESSION['role'] = $user['role'];
|
|
|
|
// Update last_login_at
|
|
try {
|
|
$pdo->prepare('UPDATE users SET last_login_at = NOW() WHERE id = ?')
|
|
->execute([$user['id']]);
|
|
} catch (\Throwable) {}
|
|
|
|
AuditLog::record('auth.login', 'users', (int)$user['id']);
|
|
|
|
Response::success([
|
|
'user_id' => (int)$user['id'],
|
|
'name' => $user['name'],
|
|
'email' => $user['email'],
|
|
'role' => $user['role'],
|
|
], 'Login berhasil.');
|
|
}
|
|
|
|
// ================================================================
|
|
// LOGOUT
|
|
// ================================================================
|
|
if ($method === 'POST' && $action === 'logout') {
|
|
$userId = $_SESSION['user_id'] ?? null;
|
|
AuditLog::record('auth.logout', 'users', $userId ? (int)$userId : null);
|
|
$_SESSION = [];
|
|
session_destroy();
|
|
Response::success(null, 'Logout berhasil.');
|
|
}
|
|
|
|
Response::methodNotAllowed(); |