Implemented token expiration handling

2025-03-15 19:34:14 -04:00 · 2025-03-15 19:34:14 -04:00 · a0525e3007
parent 3c5779ce35
commit a0525e3007
2 changed files with 23 additions and 4 deletions
--- a/load-responses.php
+++ b/load-responses.php
@ -6,7 +6,8 @@ require_once __DIR__ . "/db.php";
 header("Content-Type: application/json");

 // Get user token from session or URL
-$userToken = $_SESSION['user_token'] ?? $_GET['token'] ?? null;
+$userToken = $_GET['token'] ?? null;
+

 if (!$userToken) {
    http_response_code(403);
@ -24,7 +25,7 @@ if ($conn->connect_error) {
 }

 // Fetch user ID using token
-$stmt = $conn->prepare("SELECT id FROM users WHERE auth_token = ?");
+$stmt = $conn->prepare("SELECT id, token_expires_at FROM users WHERE auth_token = ?");
 $stmt->bind_param("s", $userToken);
 $stmt->execute();
 $result = $stmt->get_result();
@ -34,8 +35,16 @@ if (!$user) {
    echo json_encode(["error" => "Invalid authentication token."]);
    exit;
 }
+// Check if token is expired
+if (strtotime($user['token_expires_at']) < time()) {
+    http_response_code(403);
+    echo json_encode(["error" => "Authentication token has expired."]);
+    exit;
+}
+
 $userId = $user['id'];

+
 // Fetch saved responses
 $stmt = $conn->prepare("SELECT * FROM questionnaire_responses WHERE user_id = ?");
 $stmt->bind_param("i", $userId);
--- a/submit.php
+++ b/submit.php
@ -13,7 +13,8 @@ if ($_SERVER["REQUEST_METHOD"] !== "POST") {
 }

 // Get user token from session or URL (whichever is applicable)
-$userToken = $_SESSION['user_token'] ?? $_GET['token'] ?? null;
+$userToken = $_POST['token'] ?? null;
+

 if (!$userToken) {
    http_response_code(403);
@ -30,7 +31,8 @@ if ($conn->connect_error) {
 }

 // Get user ID from token
-$stmt = $conn->prepare("SELECT id FROM users WHERE auth_token = ?");
+$stmt = $conn->prepare("SELECT id, token_expires_at FROM users WHERE auth_token = ?");
+
 $stmt->bind_param("s", $userToken);
 $stmt->execute();
 $result = $stmt->get_result();
@ -40,8 +42,16 @@ if (!$user) {
    echo json_encode(["error" => "Invalid authentication token."]);
    exit;
 }
+// Check if token is expired
+if (strtotime($user['token_expires_at']) < time()) {
+    http_response_code(403);
+    echo json_encode(["error" => "Authentication token has expired."]);
+    exit;
+}
+
 $userId = $user['id'];

+
 // Extract & sanitize input
 function sanitize($value) {
    return htmlspecialchars(strip_tags(trim($value)));