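<?php

declare(strict_types=1);

// Report everything, but never render errors into the response body: this
// script only ever emits JSON, and a PHP warning in the output would leak
// file paths / stack details to API clients. Errors go to the log instead.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// NOTE(review): the log lives next to this script and records every request
// path. If this directory is the web root, make sure the web server refuses
// to serve error.log (or move the log outside the document root).
ini_set('error_log', __DIR__ . '/error.log');

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$uri = $_SERVER['REQUEST_URI'] ?? '/';
// Routing is done on the path component only; the query string stays
// available to handlers via $_GET. parse_url() yields null/false for a
// malformed URI, which is treated as "/" (and therefore ends up as a 404).
$path = parse_url($uri, PHP_URL_PATH) ?: '/';

// CORS allow-list. Entries are compared with in_array(..., true), so only an
// exact scheme+host+port match is accepted -- no prefix or wildcard matching.
$allowedOrigins = [
    'http://127.0.0.1:5500',
    'http://localhost:5500',
    'http://127.0.0.1:8000', // in case the frontend is served from here as well
    'http://localhost:8000',
];

// The response differs by Origin regardless of whether the origin is allowed,
// so caches must key on it in both cases. Sending Vary only on the allowed
// branch would let a cached response *without* the CORS grant be served to an
// allowed origin.
header('Vary: Origin');

$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins, true)) {
    // Credentialed CORS: the origin has to be echoed verbatim (browsers reject
    // "*" together with Allow-Credentials), and the whole grant -- including
    // the credentials flag and the method/header lists -- is only emitted for
    // allow-listed origins. Unlisted origins get no CORS headers at all.
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');
}
header('Content-Type: application/json; charset=UTF-8');
// The 404 handler below reflects the requested path into the body; nosniff
// stops browsers from ever interpreting this JSON as anything else.
header('X-Content-Type-Options: nosniff');

// Preflight requests are answered before the session and the database are
// touched, so an OPTIONS request never creates a session or opens a connection.
if ($method === 'OPTIONS') {
    http_response_code(204);
    exit();
}

// Session cookie hardening:
//  - httponly keeps the cookie out of reach of scripts;
//  - SameSite=Lax stops cross-site POSTs from carrying it (the allow-listed
//    frontends differ from this API only by port, which is still same-site,
//    so their credentialed requests are unaffected);
//  - secure follows the actual transport, so the flag is set automatically on
//    HTTPS deployments instead of relying on someone editing this file.
//    Behind a TLS-terminating proxy $_SERVER['HTTPS'] may be absent -- either
//    populate it from the proxy headers or force the flag to true there.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'lifetime' => 60 * 60 * 8,
    'path' => '/',
    'domain' => '',
    'secure' => $isHttps,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

require_once __DIR__ . '/config/database.php';
$database = new Database();
$db = $database->getConnection();
if (!$db) {
    // Deliberately generic: driver/connection details belong in the log
    // (display_errors is off above), not in the client-facing message.
    http_response_code(500);
    echo json_encode(['message' => 'Datenbankverbindung fehlgeschlagen']);
    exit();
}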
/**
 * Returns whatever is stored under $_SESSION['user'], or null when nothing is.
 *
 * Presumably the login handler writes this entry -- that code is not in this
 * file, so treat the shape of the array as defined there.
 *
 * @return array<string, mixed>|null
 */
function currentUser(): ?array
{
    if (!isset($_SESSION['user'])) {
        return null;
    }

    return $_SESSION['user'];
}
/**
 * True when the session holds a (non-null) user entry.
 *
 * Equivalent to isset($_SESSION['user']): a key that exists but is null counts
 * as not authenticated.
 */
function isAuthenticated(): bool
{
    return ($_SESSION['user'] ?? null) !== null;
}
/**
 * Guard for endpoints that need a signed-in user.
 *
 * Returns normally when isAuthenticated() is true; otherwise it writes a 401
 * with a JSON message and terminates the script, so code after the call can
 * assume a session user is present.
 */
function requireAuth(): void
{
    if (isAuthenticated()) {
        return;
    }

    http_response_code(401);
    echo json_encode(['message'=>'Nicht angemeldet']);
    exit;
}
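/**
 * Guard for endpoints restricted to one role.
 *
 * requireAuth() runs first, so an anonymous request ends with 401 before the
 * role is even looked at. The role check is a strict, case-sensitive string
 * comparison against $_SESSION['user']['role']; a session without a role never
 * matches. An empty $role is rejected as well, so that a session lacking a role
 * can never satisfy requireRole('') by accident (the original treated the
 * missing role as '' and would have matched). On failure the script exits
 * with a 403 JSON response.
 *
 * @param string $role required role name, e.g. 'admin'
 */
function requireRole(string $role): void
{
    requireAuth();

    $actualRole = $_SESSION['user']['role'] ?? '';
    if ($role !== '' && $actualRole === $role) {
        return;
    }

    http_response_code(403);
    echo json_encode(['message'=>'Zugriff verweigert']);
    exit;
}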
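// One log line per request (written to the error_log configured at the top
// of this file). $method and $path come from the web server's request line;
// standard servers deliver it without raw control characters, so each entry
// stays on one line. If this is ever fronted by something less strict,
// sanitise both values before logging.
error_log("API Request: $method $path");

// Static route table: "METHOD /path" => [handler script relative to this
// file, role required via requireRole() or null for a public endpoint].
// Matching is an exact string comparison, so a trailing slash or different
// casing falls through to the 404 below.
$routeTable = [
    // Auth
    'POST /api/auth/login'  => ['api/auth/login.php', null],
    'POST /api/auth/logout' => ['api/auth/logout.php', null],
    'GET /api/auth/me'      => ['api/auth/me.php', null],
    // Public
    'GET /api/kurse'        => ['api/kurse/get.php', null],
    'GET /api/betriebe'     => ['api/betriebe/get.php', null],
    'POST /api/anmeldung'   => ['api/anmeldung/create.php', null],
    // Admin-only reports
    'GET /api/berichte/teilnehmer-pro-betrieb' => ['api/berichte/teilnehmer_betrieb.php', 'admin'],
    'GET /api/berichte/teilnehmer-pro-kurs'    => ['api/berichte/teilnehmer_kurs.php', 'admin'],
];

$routeKey = $method . ' ' . $path;
if (isset($routeTable[$routeKey])) {
    [$routeScript, $routeRole] = $routeTable[$routeKey];
    if ($routeRole !== null) {
        requireRole($routeRole); // exits with 401/403 when the check fails
    }
    // The script path is a fixed literal from the table above, never derived
    // from request data, so this include cannot be steered by the client.
    include __DIR__ . '/' . $routeScript;
    exit;
}

// Parameterised admin route. The id is captured by `\d+` (ASCII digits only,
// no sign, no length limit) and handed to the handler through $_GET, exactly
// as a query parameter would arrive; the handler is still expected to cast
// and range-check it before use.
if ($method === 'GET' && preg_match('#^/api/rechnungen/betrieb/(\d+)$#', $path, $m) === 1) {
    requireRole('admin');
    $_GET['betrieb_id'] = $m[1];
    include __DIR__ . '/api/rechnungen/generate.php';
    exit;
}

// Unknown endpoint. The path is reflected so the client can see what it
// actually requested. JSON_INVALID_UTF8_SUBSTITUTE keeps json_encode() from
// returning false -- and the client from receiving an empty body under an
// application/json content type -- when the path is not valid UTF-8.
http_response_code(404);
echo json_encode(
    ['message' => 'Endpoint nicht gefunden', 'path' => $path, 'method' => $method],
    JSON_INVALID_UTF8_SUBSTITUTE
);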