Refactor auth endpoints to /api and add login API

Moved change-password and logout PHP endpoints to /api for better organization. Added a new /api/login.php endpoint to handle login logic, including brute-force protection and session management. Updated frontend code and templates to use the new API routes.

Author: TRC-Loop

src/public/change-password.php src/public/api/change-password.phpsrc/public/change-password.php renamed to src/public/api/change-password.php

@@ -1,8 +1,8 @@
 <?php
 
-require_once __DIR__."/../lib/orm.php";
-require_once __DIR__."/../lib/settings.php";
-require_once __DIR__."/../conf/config.php";
+require_once __DIR__."/../../lib/orm.php";
+require_once __DIR__."/../../lib/settings.php";
+require_once __DIR__."/../../conf/config.php";
 
 session_start();
 header('Content-Type: application/json; charset=utf-8');

src/public/api/login.php

@@ -0,0 +1,59 @@
+<?php
+require_once __DIR__ . "/../../lib/orm.php";
+require_once __DIR__ . "/../../conf/config.php";
+
+session_start();
+
+function json_response(array $data, int $status = 200) {
+    http_response_code($status);
+    header('Content-Type: application/json; charset=utf-8');
+    echo json_encode($data);
+    exit;
+}
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    json_response(['ok' => false, 'error' => 'method_not_allowed'], 405);
+}
+
+$pwd = $_POST['password'] ?? '';
+
+if (!isset($_SESSION['login_attempts'])) {
+    $_SESSION['login_attempts'] = 0;
+    $_SESSION['lockout_until'] = 0;
+}
+
+$now = time();
+$maxAttempts = 5;
+$lockoutSeconds = 10;
+
+if ($_SESSION['lockout_until'] > $now) {
+    $remaining = $_SESSION['lockout_until'] - $now;
+    json_response(['ok' => false, 'error' => 'locked', 'locked_for' => $remaining], 429);
+}
+
+// ORM usage: get password hash
+$settingsManager = new PersistentEntityManager(KeyValue::class, $logger, DB, 'settings');
+$passwordObject = $settingsManager->find(["key" => "passwordHash"]);
+$passwordConfig = $passwordObject->value ?? '';
+
+if (!password_verify($pwd, $passwordConfig)) {
+    $_SESSION['login_attempts']++;
+    if ($_SESSION['login_attempts'] >= $maxAttempts) {
+        $_SESSION['lockout_until'] = $now + $lockoutSeconds;
+        $_SESSION['login_attempts'] = 0;
+        json_response(['ok' => false, 'error' => 'locked', 'locked_for' => $lockoutSeconds], 429);
+    }
+    json_response(['ok' => false, 'error' => 'invalid', 'attempts_left' => $maxAttempts - $_SESSION['login_attempts']], 401);
+}
+
+session_regenerate_id(true);
+$_SESSION['user'] = [
+    'username' => 'admin',
+    'logged_in_at' => $now
+];
+
+$_SESSION['login_attempts'] = 0;
+$_SESSION['lockout_until'] = 0;
+
+json_response(['ok' => true, 'redirect' => '/home.php']);
+?>

src/public/logout.php src/public/api/logout.phpsrc/public/logout.php renamed to src/public/api/logout.php

@@ -1,88 +1,13 @@
 <?php
-require_once __DIR__ . "/../lib/orm.php";
 require_once __DIR__ . "/../conf/config.php";
-
 session_start();
 
 if (isset($_SESSION['user']) && !empty($_SESSION['user'])) {
     header('Location: /home.php'); 
     exit;
 }
 
-// default template variables used when rendering the page (GET)
-$login_error = false;
-
-// If this is a POST -> handle login API and return JSON
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-
-    // basic JSON response helper
-    function json_response(array $data, int $status = 200) {
-        http_response_code($status);
-        header('Content-Type: application/json; charset=utf-8');
-        echo json_encode($data);
-        exit;
-    }
-
-    // read password from POST
-    $pwd = isset($_POST['password']) ? (string) $_POST['password'] : '';
-
-    // simple brute-force protection stored in session
-    if (!isset($_SESSION['login_attempts'])) {
-        $_SESSION['login_attempts'] = 0;
-        $_SESSION['lockout_until'] = 0;
-    }
-
-    $now = time();
-    $maxAttempts = 5;
-    $lockoutSeconds = 10; // lockout length after max attempts
-
-    if ($_SESSION['lockout_until'] > $now) {
-        $remaining = $_SESSION['lockout_until'] - $now;
-        json_response(['ok' => false, 'error' => 'locked', 'locked_for' => $remaining], 429);
-    }
-
-    // load password from settings table (your ORM usage)
-    $settingsManager = new PersistentEntityManager(KeyValue::class, $logger, DB, 'settings');
-    $passwordObject = $settingsManager->find(["key" => "passwordHash"]);
-    $passwordConfig = $passwordObject->value ?? '';
-
-
-    $ok = false;
-    $ok = password_verify($pwd, $passwordConfig);
-
-    if (! $ok) {
-        $_SESSION['login_attempts'] += 1;
-        if ($_SESSION['login_attempts'] >= $maxAttempts) {
-            $_SESSION['lockout_until'] = $now + $lockoutSeconds;
-            $_SESSION['login_attempts'] = 0; // reset attempts after enforcing lockout
-            json_response(['ok' => false, 'error' => 'locked', 'locked_for' => $lockoutSeconds], 429);
-        } else {
-            json_response(['ok' => false, 'error' => 'invalid', 'attempts_left' => $maxAttempts - $_SESSION['login_attempts']], 401);
-        }
-    }
-
-    // success: start session (already started) and set session vars
-    session_regenerate_id(true);
-    $_SESSION['user'] = [
-        'username' => 'admin',
-        'logged_in_at' => $now
-    ];
-
-    // reset attempts on success
-    $_SESSION['login_attempts'] = 0;
-    $_SESSION['lockout_until'] = 0;
-
-    // respond with success
-    json_response(['ok' => true, 'redirect' => '/home.php']);
-    // json_response already exits
-}
-
-// If it's not POST, execution continues and your template is rendered.
-// You can set $login_error here based on query params or session if you want:
-if (isset($_GET['error']) && $_GET['error'] === '1') {
-    $login_error = true;
-}
-
+$login_error = isset($_GET['error']) && $_GET['error'] === '1';
 ?>
 {% extends 'templates/base.j2' %}
 {% block title %}CronDNS Login{% endblock %}
@@ -114,18 +39,15 @@ function json_response(array $data, int $status = 200) {
 {% endblock %}
 
 {% block scripts %}
-/* ---------- Password visibility toggle ---------- */
 const pwdInput = document.getElementById('pwd');
 const toggleBtn = document.getElementById('togglePwd');
-
 toggleBtn.addEventListener('click', () => {
   const type = pwdInput.type === 'password' ? 'text' : 'password';
   pwdInput.type = type;
   toggleBtn.classList.toggle('ti-eye-off', type === 'text');
   toggleBtn.classList.toggle('ti-eye', type === 'password');
 });
 
-/* ---------- Login: replace simulated handler with real fetch ---------- */
 const loginBtn = document.getElementById('loginBtn');
 const loginForm = document.getElementById('loginForm');
 let lockoutTimer = null;
@@ -143,7 +65,7 @@ function json_response(array $data, int $status = 200) {
     const form = new FormData();
     form.append('password', pwd);
 
-    const resp = await fetch('/login.php', {
+    const resp = await fetch('/api/login.php', {
       method: 'POST',
       body: form,
       credentials: 'same-origin'
@@ -152,7 +74,7 @@ function json_response(array $data, int $status = 200) {
     const data = await resp.json();
 
     if (resp.ok && data.ok) {
-      window.location.href = data.redirect || '/dashboard';
+      window.location.href = data.redirect || '/home.php';
       return;
     }
 

src/public/index.php

@@ -114,7 +114,7 @@
     pwdError.style.display = 'none';
 
     // send to server via fetch
-    fetch('/change-password.php', {
+    fetch('/api/change-password.php', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ password: p1 })

src/public/settings.php

@@ -26,7 +26,7 @@ if (!isset($_SESSION['user']) || empty($_SESSION['user'])) {
     <div class="sidebar-spacer"></div>
 
     <div class="sidebar-footer">
-      <a href="/logout.php" class="sidebar-logout">
+      <a href="/api/logout.php" class="sidebar-logout">
         <i class="ti ti-logout"></i> Logout
       </a>
       <div class="sidebar-version">v{{ cfg.version }}</div>