fix: index.php entry point — server-side 302 to login.php, no JS required; _app.html is the actual app

2026-06-01 09:28:39 +00:00
parent 69673685d9
commit 50452753dc
2 changed files with 2387 additions and 0 deletions
+28
@@ -0,0 +1,28 @@
<?php
// Entry point — server-side session check, no JavaScript required.
// If not logged in: HTTP 302 to /login.php (Cloudflare cannot interfere).
// If logged in: serve the app with token already in sessionStorage.
session_name('jarvis_main');
session_start();
if (empty($_SESSION['jarvis_token'])) {
header('Location: /login.php');
exit;
}
$token = $_SESSION['jarvis_token'];
$name = $_SESSION['jarvis_name'] ?? '';
// Serve _app.html with the session token injected before any other script
$html = file_get_contents(__DIR__ . '/_app.html');
// Strip the old data-cfasync guard (no longer needed — PHP handles auth now)
$html = preg_replace('/<script data-cfasync="false">if\(!sessionStorage[^<]+<\/script>\n?/', '', $html);
// Inject token into sessionStorage right after <head> so it's available
// before any other script runs — including Rocket Loader
$inject = '<script>sessionStorage.setItem("jarvis_token",' . json_encode($token) . ');'
. 'sessionStorage.setItem("jarvis_user",' . json_encode($name) . ');</script>';
$html = str_replace('<head>', '<head>' . $inject, $html);
echo $html;
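Review bot: The two `json_encode()` calls that build `$inject` use default flags, which leave `<`, `>` and `&` unescaped inside an inline `<script>`; the HTML parser reads that text before the JS engine does, so a `jarvis_name` containing markup-like sequences (if that value is user-supplied, which is not visible here) can break or alter how the block is parsed. Encode both values with `json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`. Separately, `_app.html` sits next to `index.php` under `__DIR__`, so unless the web server denies direct requests for it, the session check can be sidestepped for the static shell; moving the file outside the document root or adding a deny rule closes that. Neither `file_get_contents()` nor `preg_replace()` is checked for failure (`false` / `null`), in which case the response is an empty 200; a guard that sends a 500 would make that visible. Copying the session token into `sessionStorage` also makes it readable by any script running on the page, which deserves a comment stating that this exposure is intentional.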