From 6c7bd421e334441d5a4ca5d6a3552804c064bbdc Mon Sep 17 00:00:00 2001
From: infosave2007
Date: Fri, 24 Apr 2026 06:44:08 +0300
Subject: [PATCH] refactor: migrate client management endpoints to web session auth and improve status validation
---
public/index.php | 59 +++++++++++++++++++++++++++++++++++++
templates/clients/view.twig | 10 +++----
2 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/public/index.php b/public/index.php
index b5f8b75..651b356 100644
--- a/public/index.php
+++ b/public/index.php 
@@ -1613,6 +1613,65 @@ Router::post('/clients/{id}/sync-stats', function ($params) { } }); +// Set client expiration (web session auth) +Router::post('/clients/{id}/set-expiration', function ($params) { + requireAuth(); + header('Content-Type: application/json'); + $clientId = (int) $params['id']; + $raw = file_get_contents('php://input'); + $data = json_decode($raw, true); + + $expiresAt = $data['expires_at'] ?? null; + + try { + $client = new VpnClient($clientId); + $clientData = $client->getData(); + + $user = Auth::user(); + if ($clientData['user_id'] != $user['id'] && !Auth::isAdmin()) { + http_response_code(403); + echo json_encode(['success' => false, 'error' => 'Forbidden']); + return; + } + + VpnClient::setExpiration($clientId, $expiresAt); + echo json_encode(['success' => true, 'expires_at' => $expiresAt]); + } catch (Exception $e) { + http_response_code(500); + echo json_encode(['success' => false, 'error' => $e->getMessage()]); + } +}); + +// Set client traffic limit (web session auth) +Router::post('/clients/{id}/set-traffic-limit', function ($params) { + requireAuth(); + header('Content-Type: application/json'); + $clientId = (int) $params['id']; + $raw = file_get_contents('php://input'); + $data = json_decode($raw, true); + + $limitBytes = isset($data['traffic_limit']) ? (int) $data['traffic_limit'] : null; + + try { + $client = new VpnClient($clientId); + $clientData = $client->getData(); + + $user = Auth::user(); + if ($clientData['user_id'] != $user['id'] && !Auth::isAdmin()) { + http_response_code(403); + echo json_encode(['success' => false, 'error' => 'Forbidden']); + return; + } + + $pdo = DB::conn(); + $stmt = $pdo->prepare('UPDATE vpn_clients SET traffic_limit = ? 
WHERE id = ?'); + $stmt->execute([$limitBytes, $clientId]); + echo json_encode(['success' => true, 'traffic_limit' => $limitBytes]); + } catch (Exception $e) { + http_response_code(500); + echo json_encode(['success' => false, 'error' => $e->getMessage()]); + } +}); // Sync all stats for server Router::post('/servers/{id}/sync-stats', function ($params) { requireAuth(); diff --git a/templates/clients/view.twig b/templates/clients/view.twig index a46a2a6..e917499 100644 --- a/templates/clients/view.twig +++ b/templates/clients/view.twig @@ -239,7 +239,7 @@ async function updateExpiration(event, clientId) { } try { - const response = await fetch(`/api/clients/${clientId}/set-expiration`, { + const response = await fetch(`/clients/${clientId}/set-expiration`, { method: 'POST', credentials: 'same-origin', headers: { @@ -250,7 +250,7 @@ async function updateExpiration(event, clientId) { const data = await response.json(); - if (data.success !== false) { + if (response.ok && data.success === true) { alert('Expiration updated successfully'); document.getElementById('currentExpiration').textContent = displayText; // Reset form @@ -293,18 +293,18 @@ async function updateTrafficLimit(event, clientId) { } try { - const response = await fetch(`/api/clients/${clientId}/set-traffic-limit`, { + const response = await fetch(`/clients/${clientId}/set-traffic-limit`, { method: 'POST', credentials: 'same-origin', headers: { 'Content-Type': 'application/json' }, - body: JSON.stringify({ limit_bytes: limitBytes }) + body: JSON.stringify({ traffic_limit: limitBytes }) }); const data = await response.json(); - if (data.success !== false) { + if (response.ok && data.success === true) { alert('Traffic limit updated successfully'); // Reload page to show updated traffic info window.location.reload();
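Review bot: Both new routes (`/clients/{id}/set-expiration` and `/clients/{id}/set-traffic-limit`) now authenticate purely by web session via `requireAuth()` but verify neither a CSRF token nor that the request `Content-Type` is `application/json` before reading `php://input`, so unless `requireAuth()` or the router enforces one of these (neither is visible in this hunk) a cross-site POST carrying the session cookie would be accepted; add a token check, or at minimum `if (stripos($_SERVER['CONTENT_TYPE'] ?? '', 'application/json') !== 0) { http_response_code(415); return; }` at the top of each handler. The two `catch (Exception $e)` blocks echo `$e->getMessage()` to the browser with a 500, which can expose driver or SQL details from a `PDOException`; log the exception server-side, return a fixed string such as `'error' => 'Internal error'`, and catch `\Throwable` so a `TypeError` is not left to the default error output. The ownership check `$clientData['user_id'] != $user['id']` uses loose comparison in an authorization decision and is duplicated verbatim in both handlers; compare `(int) $clientData['user_id'] !== (int) $user['id']` and consider moving the check into a shared helper. Input reaches storage unvalidated: `expires_at` goes straight to `VpnClient::setExpiration()` and is echoed back, and `traffic_limit` is cast with `(int)` so negatives and non-numeric strings are silently accepted — reject anything that is not `null` or a parsable date (`strtotime($expiresAt) === false`) with a 400, and require `$limitBytes === null || $limitBytes >= 0`. `VpnClient::setExpiration()` and `requireAuth()` are defined outside this hunk, so any validation they already perform is not visible here.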
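Review bot: The new guard `if (response.ok && data.success === true)` in the `@@ -250,7 +250,7 @@` hunk only runs after the unconditional `const data = await response.json();` on the context line above it, so a non-JSON body — for instance an HTML login page, if `requireAuth()` redirects an expired session — throws inside the `try` before the branch is reached, and the user sees whatever the surrounding `catch` reports, which lies outside this hunk. Consider checking the status before parsing, e.g. `if (!response.ok) { throw new Error('HTTP ' + response.status); }` ahead of the `json()` call; the same ordering applies to the `updateTrafficLimit` hunk at `@@ -293,18 +293,18 @@`. The enclosing `updateExpiration` function starts before this hunk.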