Home Explore Help
Register Sign In
Valavuo
/
inventory
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 223739e41f
Branches Tags
inventory
/
backend
/
middleware
/
auth.php

auth.php 5.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * Authentication and Authorization Middleware
    4. 

  4.  * Handles user authentication and role-based access control
    5. 

  5.  */
    6. 

  6. 

  7. class AuthMiddleware {
    8. 

  8.     private $db;
    9. 

  9.     private $user;
    10. 

  10.     
    11. 

  11.     public function __construct($db) {
    12. 

  12.         $this->db = $db;
    13. 

  13.         require_once __DIR__ . '/../models/User.php';
    14. 

  14.         $this->user = new User($db);
    15. 

  15.     }
    16. 

  16.     
    17. 

  17.     /**
    18. 

  18.      * Authenticate user from JWT token or session
    19. 

  19.      * @return array|null User data or null if not authenticated
    20. 

  20.      */
    21. 

  21.     public function authenticate() {
    22. 

  22.         // Check for Authorization header
    23. 

  23.         $headers = getallheaders();
    24. 

  24.         $auth_header = $headers['Authorization'] ?? $headers['authorization'] ?? '';
    25. 

  25.         
    26. 

  26.         if ($auth_header) {
    27. 

  27.             // Extract token from "Bearer <token>" format
    28. 

  28.             $token = str_replace('Bearer ', '', $auth_header);
    29. 

  29.             return $this->validateToken($token);
    30. 

  30.         }
    31. 

  31.         
    32. 

  32.         // Fallback to session-based authentication
    33. 

  33.         if (session_status() === PHP_SESSION_NONE) {
    34. 

  34.             session_start();
    35. 

  35.         }
    36. 

  36.         
    37. 

  37.         if (isset($_SESSION['user_id'])) {
    38. 

  38.             $this->user->id = $_SESSION['user_id'];
    39. 

  39.             $this->user->readOne();
    40. 

  40.             
    41. 

  41.             if ($this->user->username) {
    42. 

  42.                 return [
    43. 

  43.                     'id' => $this->user->id,
    44. 

  44.                     'username' => $this->user->username,
    45. 

  45.                     'email' => $this->user->email,
    46. 

  46.                     'first_name' => $this->user->first_name,
    47. 

  47.                     'last_name' => $this->user->last_name,
    48. 

  48.                     'role' => $this->user->role,
    49. 

  49.                     'is_active' => $this->user->is_active
    50. 

  50.                 ];
    51. 

  51.             }
    52. 

  52.         }
    53. 

  53.         
    54. 

  54.         return null;
    55. 

  55.     }
    56. 

  56.     
    57. 

  57.     /**
    58. 

  58.      * Validate JWT token (simplified implementation)
    59. 

  59.      * @param string $token JWT token
    60. 

  60.      * @return array|null User data or null if invalid
    61. 

  61.      */
    62. 

  62.     private function validateToken($token) {
    63. 

  63.         // For now, implement a simple token validation
    64. 

  64.         // In production, use a proper JWT library
    65. 

  65.         try {
    66. 

  66.             $payload = json_decode(base64_decode($token), true);
    67. 

  67.             
    68. 

  68.             if (isset($payload['user_id']) && isset($payload['expires'])) {
    69. 

  69.                 if ($payload['expires'] > time()) {
    70. 

  70.                     $this->user->id = $payload['user_id'];
    71. 

  71.                     $this->user->readOne();
    72. 

  72.                     
    73. 

  73.                     if ($this->user->username && $this->user->is_active) {
    74. 

  74.                         return [
    75. 

  75.                             'id' => $this->user->id,
    76. 

  76.                             'username' => $this->user->username,
    77. 

  77.                             'email' => $this->user->email,
    78. 

  78.                             'first_name' => $this->user->first_name,
    79. 

  79.                             'last_name' => $this->user->last_name,
    80. 

  80.                             'role' => $this->user->role,
    81. 

  81.                             'is_active' => $this->user->is_active
    82. 

  82.                         ];
    83. 

  83.                     }
    84. 

  84.                 }
    85. 

  85.             }
    86. 

  86.         } catch (Exception $e) {
    87. 

  87.             // Token is invalid
    88. 

  88.         }
    89. 

  89.         
    90. 

  90.         return null;
    91. 

  91.     }
    92. 

  92.     
    93. 

  93.     /**
    94. 

  94.      * Check if user has admin role
    95. 

  95.      * @param array $user User data
    96. 

  96.      * @return bool True if user is admin
    97. 

  97.      */
    98. 

  98.     public function isAdmin($user) {
    99. 

  99.         return $user && $user['role'] === 'admin';
    100. 

  100.     }
    101. 

  101.     
    102. 

  102.     /**
    103. 

  103.      * Check if user can access resource
    104. 

  104.      * @param array $user User data
    105. 

  105.      * @param string $required_role Required role (admin/user)
    106. 

  106.      * @param int|null $resource_owner_id Resource owner ID (for profile access)
    107. 

  107.      * @return bool True if user can access
    108. 

  108.      */
    109. 

  109.     public function canAccess($user, $required_role = null, $resource_owner_id = null) {
    110. 

  110.         if (!$user || !$user['is_active']) {
    111. 

  111.             return false;
    112. 

  112.         }
    113. 

  113.         
    114. 

  114.         // Admin can access everything
    115. 

  115.         if ($user['role'] === 'admin') {
    116. 

  116.             return true;
    117. 

  117.         }
    118. 

  118.         
    119. 

  119.         // Check if specific role is required
    120. 

  120.         if ($required_role && $user['role'] !== $required_role) {
    121. 

  121.             return false;
    122. 

  122.         }
    123. 

  123.         
    124. 

  124.         // Check if user is accessing their own resource (profile management)
    125. 

  125.         if ($resource_owner_id && $user['id'] == $resource_owner_id) {
    126. 

  126.             return true;
    127. 

  127.         }
    128. 

  128.         
    129. 

  129.         // Default: allow access for regular users to their own resources
    130. 

  130.         return !$resource_owner_id;
    131. 

  131.     }
    132. 

  132.     
    133. 

  133.     /**
    134. 

  134.      * Generate simple JWT token
    135. 

  135.      * @param array $user User data
    136. 

  136.      * @return string JWT token
    137. 

  137.      */
    138. 

  138.     public function generateToken($user) {
    139. 

  139.         $payload = [
    140. 

  140.             'user_id' => $user['id'],
    141. 

  141.             'username' => $user['username'],
    142. 

  142.             'role' => $user['role'],
    143. 

  143.             'expires' => time() + (24 * 60 * 60) // 24 hours
    144. 

  144.         ];
    145. 

  145.         
    146. 

  146.         return base64_encode(json_encode($payload));
    147. 

  147.     }
    148. 

  148.     
    149. 

  149.     /**
    150. 

  150.      * Send unauthorized response
    151. 

  151.      */
    152. 

  152.     public function sendUnauthorizedResponse() {
    153. 

  153.         http_response_code(401);
    154. 

  154.         echo json_encode([
    155. 

  155.             'success' => false,
    156. 

  156.             'message' => 'Unauthorized access. Please login.'
    157. 

  157.         ]);
    158. 

  158.         exit;
    159. 

  159.     }
    160. 

  160.     
    161. 

  161.     /**
    162. 

  162.      * Send forbidden response
    163. 

  163.      */
    164. 

  164.     public function sendForbiddenResponse() {
    165. 

  165.         http_response_code(403);
    166. 

  166.         echo json_encode([
    167. 

  167.             'success' => false,
    168. 

  168.             'message' => 'Access denied. Insufficient permissions.'
    169. 

  169.         ]);
    170. 

  170.         exit;
    171. 

  171.     }
    172. 

  172. }
    173. 

  173. ?>
    174.