From a247e547093be39fc1b7dca47f56e7eea9d80180 Mon Sep 17 00:00:00 2001 From: creme332 <65414576+creme332@users.noreply.github.com> Date: Thu, 29 Aug 2024 21:31:23 +0400 Subject: [PATCH] remove jwt, add more details in session and user endpoints --- docs/API.md | 30 +++++++++++++++--------------- src/controllers/api/Sessions.php | 21 ++++++++++----------- 2 files changed, 25 insertions(+), 26 deletions(-) diff --git a/docs/API.md b/docs/API.md index c5c07cb..a1dffc9 100644 --- a/docs/API.md +++ b/docs/API.md 
@@ -20,25 +20,24 @@ tests for API. There are two types of endpoints: -1. **Public endpoints** : They return a public resource that can be accessed **without a token**. -2. **Protected endpoints** : They return a protected resource that can only be accessed **with a valid JWT token**. +1. **Public endpoints** : They return a public resource that can be accessed by anyone. +2. **Protected endpoints** : They return a protected resource that can only be accessed by administrators. ### Session -| Endpoint | Description | Protected | -|-------------------------|--------------------------------------------------|-----------| -| `POST /api/v1/sessions` | Authenticates admin and creates a session token. | No | +PHP sessions are used for authentication so all session information are stored on server. -Note: - -- Only administrators can receive a session token. -- Only administrators can access protected endpoints. +| Endpoint | Description | Protected | +|-------------------------|----------------------------------------------------------------------------------------------------------|-----------| +| `POST /api/v1/sessions` | Authenticates admin and creates a session token. The request body should contain `email` and `password`. | No | ### User -| Endpoint | Description | Protected | -|-----------------------------------|-----------------------------------------------------|-----------| -| `GET /api/v1/users` | Get the list of all users. | Yes | +A user can be a client or an administrator. + +| Endpoint | Description | Protected | Query string parameters | +|-----------------------------------|-----------------------------------------------------|-----------|-------------------------| +| `GET /api/v1/users` | Get the list of all users. | Yes | `user-type` | | `GET /api/v1/users/[id]` | Get the details of a specific user by their ID. | Yes | | `POST /api/v1/users` | Create a new user entry in the database. 
| Yes | | `DELETE /api/v1/users/[id]` | Delete a user with the specified ID. | Yes | @@ -86,9 +85,10 @@ Note: ## Query string parameters -| Parameter | Possible values | Description | -|-----------|-----------------|---------------------------------------| -| `sort` | `asc`, `desc` | Sort in ascending or descending order | +| Parameter | Possible values | Description | +|-------------|-------------------|---------------------------------------------------| +| `sort` | `asc`, `desc` | Sort in ascending or descending order | +| `user-type` | `client`, `admin` | For user endpoints, return only clients or admins | # References diff --git a/src/controllers/api/Sessions.php b/src/controllers/api/Sessions.php index 39a8101..6738ae0 100644 --- a/src/controllers/api/Sessions.php +++ b/src/controllers/api/Sessions.php @@ -11,17 +11,21 @@ */ class Sessions { - public static array $routes = [ 'POST' => [ '/sessions' => 'handleLogin', ] ]; + /** + * Create a new session for an administrator if credentials are valid. + * @return void + */ public function handleLogin(): void { - $email = trim($_POST['email'] ?? ""); - $password = trim($_POST['password'] ?? ""); + $data = (object)json_decode(file_get_contents("php://input"), true); + $email = trim($data->email ?? ""); + $password = trim($data->password ?? ""); if (empty($email) || empty($password)) { http_response_code(400); @@ -31,19 +35,14 @@ public function handleLogin(): void // fetch administrator account $admin = Administrator::getByEmail($email); - // validate email - if (!$admin) { - http_response_code(401); - die(); - } - - // validate password - if (!$admin->verifyPassword($password)) { + // validate credentials + if (!$admin || !$admin->verifyPassword($password)) { http_response_code(401); die(); } $_SESSION['admin_email'] = $email; session_regenerate_id(); + http_response_code(201); } } \ No newline at end of file
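Review bot: `trim($data->email ?? "")` and `trim($data->password ?? "")` in handleLogin now take whatever type the decoded JSON carries, so a non-string value (array, nested object, number) reaches trim() unchecked and can raise a TypeError instead of taking the 400 path. Add an explicit type guard before trimming, e.g. `if (!is_string($data->email ?? null) || !is_string($data->password ?? null)) { http_response_code(400); die(); }`. Trimming the password also alters the submitted credential, so confirm that stored hashes were created from trimmed input too, or drop the trim on `$password`. The body of handleLogin continues past this hunk.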
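Review bot: `session_regenerate_id();` at the end of handleLogin runs without `true` and only after `$_SESSION['admin_email'] = $email;`, so the pre-login session id is not destroyed on the server and may keep the authenticated state, which leaves a session-fixation window. Rotate first and delete the old session: `session_regenerate_id(true);` followed by `$_SESSION['admin_email'] = $email;`. The merged check `!$admin || !$admin->verifyPassword($password)` skips password verification for unknown e-mails, which may leave a timing difference between existing and non-existing accounts. Whether that is measurable depends on verifyPassword, which is not shown here.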