From a5e4f90982271e43c6c8541f681934e3e04bebeb Mon Sep 17 00:00:00 2001
From: Cedric
Date: Thu, 18 Jun 2026 16:56:43 +0200
Subject: [PATCH] Actualiser api.php

---
 api.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/api.php b/api.php
index cf7fc74..f1bd0a4 100644
--- a/api.php
+++ b/api.php
@@ -4,6 +4,10 @@
 header("Access-Control-Allow-Origin: *");
 header("Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS");
 header("Access-Control-Allow-Headers: Content-Type, Authorization");
+// NOUVEAU : Interdire formellement au navigateur de mettre en cache les requêtes API
+header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+header("Pragma: no-cache");
+
 if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
     http_response_code(200);
     exit;
@@ -17,7 +21,6 @@ try {
         PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
     ]);
 
-    // Création automatique des tables si elles n'existent pas
     $pdo->exec("CREATE TABLE IF NOT EXISTS users (
         id INT PRIMARY KEY,
         username VARCHAR(50) NOT NULL,
@@ -64,7 +67,13 @@ function checkAuth($pdo) {
     $stmtCheck = $pdo->query("SELECT COUNT(*) FROM users");
     if ($stmtCheck->fetchColumn() == 0) return true;
 
+    // NOUVEAU : Récupération du token sécurisée contre les serveurs Apache récalcitrants
     $token = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+    if (empty($token) && function_exists('apache_request_headers')) {
+        $headers = apache_request_headers();
+        $token = $headers['Authorization'] ?? $headers['authorization'] ?? '';
+    }
+
     if ($token !== md5(ENCRYPTION_KEY . 'session')) {
         http_response_code(403);
         echo json_encode(["error" => "Accès interdit."]);
@@ -142,7 +151,7 @@ switch ($action) {
         }
         echo json_encode(["success" => true]);
         break;
-
+
     case 'delete_film':
         checkAuth($pdo);
         $type = $_GET['type'] ?? 'critique';
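Review bot: The `// NOUVEAU :` prefix on the added comment records when the lines arrived rather than why they are needed, and the same prefix is used again in the checkAuth hunk below; a comment stating the reason survives the next edit, e.g. `// Responses are auth-gated and mutable: forbid browsers and shared caches from storing them`. Because `Access-Control-Allow-Origin: *` on the preceding context line lets any origin call this endpoint, `no-store` is also what keeps an intermediate shared cache from replaying one client's response to another, which is worth saying in the comment. `Pragma: no-cache` is only honoured by HTTP/1.0 caches; keeping it is harmless.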
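Review bot: The token recovered through `apache_request_headers()` still feeds the non-constant-time `!==` comparison on the following context line against a fixed `md5(ENCRYPTION_KEY . 'session')`; use `if (!hash_equals(md5(ENCRYPTION_KEY . 'session'), $token)) {` so the comparison does not leak through timing. Before calling the Apache-specific `apache_request_headers()`, the fallback could first read `$_SERVER['REDIRECT_HTTP_AUTHORIZATION']`, which is the usual place mod_rewrite leaves an Authorization header that the SAPI has stripped. Since the expected value is derived from a constant and carries no expiry, the new lookup widens where the token is read but not whether it can be rotated or revoked; that is a pre-existing design point rather than something this hunk introduces. checkAuth's body continues past the end of the hunk.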
@@ -178,6 +187,7 @@ case 'delete_film':
             $stmt->execute($ids);
             echo json_encode(["success" => true]);
         } else {
+            http_response_code(400);
             echo json_encode(["success" => false, "error" => "Aucun élément sélectionné."]);
         }
         break;
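Review bot: The error body on the line after the added status call is produced by `json_encode` with no flags; if the source file is not stored as UTF-8, the non-ASCII message makes `json_encode` return `false` and the client receives the new 400 with an empty body. Consider `echo json_encode(["success" => false, "error" => "Aucun élément sélectionné."], JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE);` so an encoding failure is surfaced instead of silently dropped. The 400 itself is consistent with the 403 that checkAuth returns for the auth failure case. The enclosing `case 'delete_film':` starts before this hunk.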