initial commit

auth/set-whoami.php

@@ -0,0 +1,45 @@
+<?php
+// Accepts JSON { user: "DOM\\user" } from same-origin JS and sets cookie
+  header('Content-Type: application/json; charset=utf-8');
+
+  $origin  = $_SERVER['HTTP_ORIGIN']  ?? '';
+  $referer = $_SERVER['HTTP_REFERER'] ?? '';
+  $allowed = 'https://opwsinf.appliarmony.net';
+  $ok = false;
+  if ($origin && stripos($origin, $allowed) === 0) $ok = true;
+  if ($referer && stripos($referer, $allowed) === 0) $ok = true;
+  if (!$ok) {
+    http_response_code(403);
+    echo json_encode(['error'=>'forbidden origin']);
+    exit;
+  }
+
+  $raw = file_get_contents('php://input');
+  $data = json_decode($raw, true);
+  if (!is_array($data) || empty($data['user'])) {
+    http_response_code(400);
+    echo json_encode(['error'=>'invalid payload']);
+    exit;
+  }
+
+  $user = $data['user'];
+  $ip   = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '';
+
+  $cookie = [
+    'user'    => $user,
+    'ip'      => $ip,
+    'created' => date('Y-m-d H:i:s'),
+    'last'    => date('Y-m-d H:i:s'),
+  ];
+
+// Cookie host-only (no Domain) ;
+  setcookie('UserInfo', json_encode($cookie), [
+    'expires'  => time() + 86400*365,
+    'path'     => '/',
+    // 'domain'   => '.appliarmony.net',
+    'secure'   => true,
+    'httponly' => true,
+    'samesite' => 'Lax',
+  ]);
+
+  echo json_encode(['ok'=>true, 'user'=>$user]);

auth/whoami.php

@@ -0,0 +1,11 @@
+<?php
+  header('Content-Type: application/json; charset=utf-8');
+
+  $user = $_SERVER['REMOTE_USER'] ?? null;
+  if (!$user) {
+    http_response_code(401);
+    echo json_encode(['error'=>'no-user']);
+    exit;
+  }
+
+  echo json_encode(['user' => $user]);