diff --git a/TODO.md b/TODO.md
index 06de3e4..a39153b 100644
--- a/TODO.md
+++ b/TODO.md
@@ -52,6 +52,10 @@
 - [x] `admin/account.php` — admin password `confirm()` kept with `TODO` comment
 - [x] `admin.css` — added `.admin-dialog--sm`, `.admin-dialog__alert`, `.admin-dialog__footer` styles
+## Fix 403 on HTMX tab requests in parametres.php
+- [x] `AdminAuth::requireLogin()` — now sets `$_SESSION[SESSION_KEY]` when accepting nginx Basic Auth credentials (was returning early without marking the session)
+- [x] `AdminAuth::isAuthenticated()` — now falls back to `PHP_AUTH_PW` verification (same logic as `requireLogin`) so HTMX requests to `system-fragment.php` authenticate even before a session exists
+
 ## Duplicate warning display fixes
 - [x] `toast-fragment.php` — 204 guard now also checks `warning`; warning was silently discarded before
 - [x] `partage/index.php` — warning stored as plain text (no pre-escaping); `htmlspecialchars()` applied once at render; was double-encoded before
diff --git a/app/src/AdminAuth.php b/app/src/AdminAuth.php
index 7b70bd3..9460394 100644
--- a/app/src/AdminAuth.php
+++ b/app/src/AdminAuth.php
@@ -78,6 +78,7 @@ class AdminAuth
         }
         // Try to auto-authenticate from the nginx Basic Auth credentials.
         if (isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) {
+            $_SESSION[self::SESSION_KEY] = true;
             return;
         }
         header('Location: ' . self::LOGIN_URL);
@@ -141,7 +142,16 @@ class AdminAuth
         if ($storedHash === null) {
             return true; // No password configured → dev mode.
         }
-        return !empty($_SESSION[self::SESSION_KEY]);
+        if (!empty($_SESSION[self::SESSION_KEY])) {
+            return true;
+        }
+        // Also accept nginx Basic Auth credentials directly (e.g. HTMX fragment
+        // requests that arrive before a PHP session has been established).
+        if (isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) {
+            $_SESSION[self::SESSION_KEY] = true;
+            return true;
+        }
+        return false;
     }
 
     /**
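Review bot: The new `$_SESSION[self::SESSION_KEY] = true;` in requireLogin() promotes whatever session the client already holds to an authenticated admin session without rotating its identifier, which is the classic session-fixation shape: a session ID planted or observed before the Basic Auth credentials were presented stays valid afterwards. Unless the caller is known to rotate the ID elsewhere, put `session_regenerate_id(true);` immediately before the assignment, as a password-form login would. The assignment is also a silent no-op for later requests if no session is active at this point (`$_SESSION` is then just a per-request array), so if `session_start()` is not guaranteed by the caller, guard with `if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }` first. requireLogin()'s body begins before this hunk, so whether the session is already started cannot be confirmed from the diff.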
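Review bot: The Basic Auth fallback added to isAuthenticated() duplicates, line for line, the condition and session write that requireLogin() already has (`isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash(...)` followed by `$_SESSION[self::SESSION_KEY] = true;`), so the two entry points will drift the next time the rule changes — for example when session ID rotation or a `PHP_AUTH_USER` check is added to one of them. It also turns a predicate into a method with a side effect, which its docblock should state explicitly. Extract the shared step into a single private helper that both methods call, so exactly one place decides whether a Basic Auth header grants admin access; the rewritten tail of isAuthenticated() below is the only part of the hunk that changes. isAuthenticated()'s signature and docblock lie outside the hunk.
```php
    /**
     * Accept the nginx Basic Auth password presented on this request and, on
     * success, mark the session as authenticated. Single decision point shared
     * by requireLogin() and isAuthenticated(); note the session side effect.
     */
    private static function authenticateFromBasicAuth(string $storedHash): bool
    {
        if (!isset($_SERVER['PHP_AUTH_PW']) || !self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) {
            return false;
        }
        $_SESSION[self::SESSION_KEY] = true;
        return true;
    }

        // … unchanged: dev-mode early return when no password is configured …
        if (!empty($_SESSION[self::SESSION_KEY])) {
            return true;
        }
        // Also accept nginx Basic Auth credentials directly (HTMX fragment
        // requests may arrive before a PHP session has been established).
        return self::authenticateFromBasicAuth($storedHash);
```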