mirror of
https://github.com/myronblair/jarvis
synced 2026-06-30 17:50:23 -05:00
myron
f8aaaf725c
agent/list and agent/status are browser-facing and need $_SESSION loaded to verify auth. Only skip session_start() for machine-agent sub-actions (heartbeat, metrics, ha_state, command_result, register) that fire every 10-30s. Previous fix skipped session for all agent/* causing the agents panel to return 401 to the browser. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
124 lines
4.7 KiB
PHP
124 lines
4.7 KiB
PHP
<?php
|
|
/**
|
|
* JARVIS API Router — fault-isolated per endpoint
|
|
* A ParseError or fatal in any endpoint file returns JSON 500 for that
|
|
* endpoint only; all other endpoints continue to work normally.
|
|
*/
|
|
require_once __DIR__ . '/../api/config.php';
|
|
require_once __DIR__ . '/../api/lib/db.php';
|
|
require_once __DIR__ . '/../api/lib/kb_engine.php';
|
|
|
|
// Skip session for machine-agent calls and netscan/ping — each heartbeat would
|
|
// otherwise create an empty session file, producing millions of files that slow
|
|
// session GC for all requests. Browser-facing agent sub-actions (list/status/myip)
|
|
// still need a session to verify auth, so we only skip for machine-agent actions.
|
|
$_earlyParts = explode('/', trim(parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH), '/'));
|
|
if (($_earlyParts[0] ?? '') === 'api') array_shift($_earlyParts);
|
|
$_e0 = $_earlyParts[0] ?? '';
|
|
$_e1 = $_earlyParts[1] ?? '';
|
|
$_skipSession = match(true) {
|
|
$_e0 === 'ping' => true,
|
|
$_e0 === 'netscan' => true,
|
|
$_e0 === 'agent' && !in_array($_e1, ['list','status','myip'], true) => true,
|
|
default => false,
|
|
};
|
|
if (!$_skipSession) {
|
|
session_start();
|
|
}
|
|
|
|
header('Content-Type: application/json');
|
|
header('Access-Control-Allow-Origin: *');
|
|
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
|
|
header('Access-Control-Allow-Headers: Content-Type, X-Session-Token');
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') { http_response_code(204); exit; }
|
|
|
|
$uri = $_SERVER['REQUEST_URI'] ?? '/';
|
|
$method = $_SERVER['REQUEST_METHOD'];
|
|
$path = trim(parse_url($uri, PHP_URL_PATH), '/');
|
|
$parts = explode('/', $path);
|
|
|
|
if (($parts[0] ?? '') === 'api') array_shift($parts);
|
|
$endpoint = $parts[0] ?? '';
|
|
$action = $parts[1] ?? '';
|
|
|
|
// ── Auth check (skip for auth / agent / netscan) ──────────────────────
|
|
if (!\in_array($endpoint, ['auth', 'agent', 'netscan'], true)) {
|
|
$token = $_SESSION['jarvis_token'] ?? ($_SERVER['HTTP_X_SESSION_TOKEN'] ?? '');
|
|
$isValid = !empty($token) && $token === ($_SESSION['jarvis_token'] ?? '');
|
|
if (!$isValid) {
|
|
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
|
|
$isLocal = \in_array($ip, ['127.0.0.1', '::1', JARVIS_IP], true);
|
|
if (!$isLocal && $endpoint !== 'ping') {
|
|
http_response_code(401);
|
|
echo json_encode(['error' => 'Unauthorized', 'code' => 401]);
|
|
exit;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($endpoint !== 'auth') session_write_close();
|
|
|
|
$body = file_get_contents('php://input');
|
|
$data = json_decode($body, true) ?? [];
|
|
|
|
// ── Fast ping (no file dispatch needed) ──────────────────────────────
|
|
if ($endpoint === 'ping') {
|
|
echo json_encode(['status' => 'online', 'time' => date('c'), 'codename' => JARVIS_CODENAME]);
|
|
exit;
|
|
}
|
|
|
|
// ── Endpoint → file map ───────────────────────────────────────────────
|
|
$endpoints = [
|
|
'auth' => 'auth.php',
|
|
'chat' => 'chat.php',
|
|
'system' => 'system.php',
|
|
'netscan' => 'netscan.php',
|
|
'network' => 'network.php',
|
|
'proxmox' => 'proxmox.php',
|
|
'ha' => 'ha.php',
|
|
'tts' => 'tts.php',
|
|
'email' => 'email.php',
|
|
'do' => 'do_server.php',
|
|
'alerts' => 'alerts.php',
|
|
'facts' => 'facts_collector.php',
|
|
'weather' => 'weather.php',
|
|
'news' => 'news.php',
|
|
'sites' => 'sites.php',
|
|
'agent' => 'agent.php',
|
|
'planner' => 'planner.php',
|
|
'jellyfin' => 'jellyfin.php',
|
|
'history' => 'history.php',
|
|
'metrics' => 'metrics.php',
|
|
'suggestions' => 'suggestions.php',
|
|
'arc' => 'arc.php',
|
|
'directives' => 'directives.php',
|
|
'memory' => 'memory.php',
|
|
'calendar' => 'calendar_sync.php',
|
|
];
|
|
|
|
if (!isset($endpoints[$endpoint])) {
|
|
http_response_code(404);
|
|
echo json_encode(['error' => 'Unknown endpoint: ' . $endpoint]);
|
|
exit;
|
|
}
|
|
|
|
$file = __DIR__ . '/../api/endpoints/' . $endpoints[$endpoint];
|
|
|
|
// ── Fault-isolated dispatch ───────────────────────────────────────────
|
|
// ob_start() buffers any partial output so a mid-execution fatal doesn't
|
|
// send a broken response. catch(Throwable) catches ParseError, TypeError,
|
|
// and all other Errors + Exceptions in PHP 7+.
|
|
ob_start();
|
|
try {
|
|
require $file;
|
|
ob_end_flush();
|
|
} catch (\Throwable $e) {
|
|
ob_end_clean();
|
|
http_response_code(500);
|
|
echo json_encode(['error' => 'Endpoint unavailable', 'endpoint' => $endpoint, 'code' => 500]);
|
|
error_log(sprintf('JARVIS API [%s] %s: %s in %s:%d',
|
|
$endpoint, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
|
|
));
|
|
}
|