refactor: migrate client management endpoints to web session auth and improve status validation

public/index.php

@@ -1613,6 +1613,65 @@ Router::post('/clients/{id}/sync-stats', function ($params) {
     }
 });
 
+// Set client expiration (web session auth)
+Router::post('/clients/{id}/set-expiration', function ($params) {
+    requireAuth();
+    header('Content-Type: application/json');
+    $clientId = (int) $params['id'];
+    $raw = file_get_contents('php://input');
+    $data = json_decode($raw, true);
+
+    $expiresAt = $data['expires_at'] ?? null;
+
+    try {
+        $client = new VpnClient($clientId);
+        $clientData = $client->getData();
+
+        $user = Auth::user();
+        if ($clientData['user_id'] != $user['id'] && !Auth::isAdmin()) {
+            http_response_code(403);
+            echo json_encode(['success' => false, 'error' => 'Forbidden']);
+            return;
+        }
+
+        VpnClient::setExpiration($clientId, $expiresAt);
+        echo json_encode(['success' => true, 'expires_at' => $expiresAt]);
+    } catch (Exception $e) {
+        http_response_code(500);
+        echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+    }
+});
+
+// Set client traffic limit (web session auth)
+Router::post('/clients/{id}/set-traffic-limit', function ($params) {
+    requireAuth();
+    header('Content-Type: application/json');
+    $clientId = (int) $params['id'];
+    $raw = file_get_contents('php://input');
+    $data = json_decode($raw, true);
+
+    $limitBytes = isset($data['traffic_limit']) ? (int) $data['traffic_limit'] : null;
+
+    try {
+        $client = new VpnClient($clientId);
+        $clientData = $client->getData();
+
+        $user = Auth::user();
+        if ($clientData['user_id'] != $user['id'] && !Auth::isAdmin()) {
+            http_response_code(403);
+            echo json_encode(['success' => false, 'error' => 'Forbidden']);
+            return;
+        }
+
+        $pdo = DB::conn();
+        $stmt = $pdo->prepare('UPDATE vpn_clients SET traffic_limit = ? WHERE id = ?');
+        $stmt->execute([$limitBytes, $clientId]);
+        echo json_encode(['success' => true, 'traffic_limit' => $limitBytes]);
+    } catch (Exception $e) {
+        http_response_code(500);
+        echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+    }
+});
 // Sync all stats for server
 Router::post('/servers/{id}/sync-stats', function ($params) {
     requireAuth();

templates/clients/view.twig

@@ -239,7 +239,7 @@ async function updateExpiration(event, clientId) {
   }
   
   try {
-    const response = await fetch(`/api/clients/${clientId}/set-expiration`, {
+    const response = await fetch(`/clients/${clientId}/set-expiration`, {
       method: 'POST',
       credentials: 'same-origin',
       headers: {
@@ -250,7 +250,7 @@ async function updateExpiration(event, clientId) {
     
     const data = await response.json();
     
-    if (data.success !== false) {
+    if (response.ok && data.success === true) {
       alert('Expiration updated successfully');
       document.getElementById('currentExpiration').textContent = displayText;
       // Reset form
@@ -293,18 +293,18 @@ async function updateTrafficLimit(event, clientId) {
   }
   
   try {
-    const response = await fetch(`/api/clients/${clientId}/set-traffic-limit`, {
+    const response = await fetch(`/clients/${clientId}/set-traffic-limit`, {
       method: 'POST',
       credentials: 'same-origin',
       headers: {
         'Content-Type': 'application/json'
       },
-      body: JSON.stringify({ limit_bytes: limitBytes })
+      body: JSON.stringify({ traffic_limit: limitBytes })
     });
     
     const data = await response.json();
     
-    if (data.success !== false) {
+    if (response.ok && data.success === true) {
       alert('Traffic limit updated successfully');
       // Reload page to show updated traffic info
       window.location.reload();