Remove loader and add middleware

update-api/app/Core/AuthMiddleware.php

@@ -0,0 +1,32 @@
+<?php
+namespace App\Core;
+
+class AuthMiddleware
+{
+    public static function check(): void
+    {
+        $ip = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
+        if ($ip && UtilityHandler::isBlacklisted($ip)) {
+            http_response_code(403);
+            ErrorHandler::logMessage("Blacklisted IP attempted access: $ip", 'error');
+            exit();
+        }
+
+        if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
+            header('Location: /login');
+            exit();
+        }
+
+        $timeoutLimit = defined('SESSION_TIMEOUT_LIMIT') ? SESSION_TIMEOUT_LIMIT : 1800;
+        $timeoutExceeded = isset($_SESSION['timeout']) && (time() - $_SESSION['timeout'] > $timeoutLimit);
+        $userAgentChanged = isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '');
+        if ($timeoutExceeded || $userAgentChanged) {
+            session_unset();
+            session_destroy();
+            header('Location: /login');
+            exit();
+        }
+
+        $_SESSION['timeout'] = time();
+    }
+}

update-api/app/Core/Router.php

@@ -1,11 +1,17 @@
 <?php
 namespace App\Core;
 
+use App\Core\AuthMiddleware;
+
 class Router
 {
     public function dispatch(string $uri): void
     {
         $route = strtok($uri, '?');
+
+        if ($route !== '/login') {
+            AuthMiddleware::check();
+        }
         switch ($route) {
             case '/login':
                 \App\Controllers\AuthController::handleRequest();

update-api/app/Lib/ClassLoader.php

@@ -1,29 +0,0 @@
-<?php
-
-/**
- * @package UpdateAPI
- * @author  Vontainment <services@vontainment.com>
- * @license https://opensource.org/licenses/MIT MIT License
- * @link    https://vontainment.com
- * @version 3.0.0
- *
- * File: ClassLoader.php
- * Description: WordPress Update API
- */
-
-namespace App\Lib;
-
-use App\Core\ErrorHandler;
-
-// Autoload function to include class files without namespaces
-spl_autoload_register(function ($class_name) {
-    $base = dirname(__DIR__) . '/Controllers/';
-    $target = strtolower($class_name);
-    foreach (glob($base . '*.php') as $file) {
-        if (strtolower(basename($file, '.php')) === $target) {
-            require_once $file;
-            return;
-        }
-    }
-    ErrorHandler::logMessage('Class file not found: ' . $class_name);
-});

update-api/app/Lib/Loader.php

@@ -1,64 +0,0 @@
-<?php
-
-/**
- * @package UpdateAPI
- * @author  Vontainment <services@vontainment.com>
- * @license https://opensource.org/licenses/MIT MIT License
- * @link    https://vontainment.com
- * @version 3.0.0
- *
- * File: Loader.php
- * Description: WordPress Update API
- */
-
-namespace App\Lib;
-
-use App\Core\UtilityHandler;
-use App\Core\ErrorHandler;
-
-// Validate and sanitize the IP address
-$ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);
-
-// Check if the user's IP address is blacklisted
-if ($ip && UtilityHandler::isBlacklisted($ip)) {
-    http_response_code(403);
-    ErrorHandler::logMessage("Blacklisted IP attempted access: $ip", 'error');
-    die(1);
-} elseif (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
-    // Redirect to login page if the user is not logged in
-    header('Location: login.php');
-    die(1);
-} elseif (isset($_GET['page'])) {
-    // Enforce session timeout and user agent consistency
-    $timeoutLimit = defined('SESSION_TIMEOUT_LIMIT') ? SESSION_TIMEOUT_LIMIT : 1800;
-    $timeoutExceeded = isset($_SESSION['timeout']) && (time() - $_SESSION['timeout'] > $timeoutLimit);
-    $userAgentChanged = isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'];
-    if ($timeoutExceeded || $userAgentChanged) {
-        session_unset();
-        session_destroy();
-        header('Location: login.php');
-        die(1);
-    }
-
-    // List of views that can be loaded. These correspond to the rewrite rules in
-    $allowedPages = [
-                     'home',
-                     'plupdate',
-                     'thupdate',
-                     'logs',
-                    ];
-
-    // Sanitize and validate the requested page
-    $page = filter_input(INPUT_GET, 'page', FILTER_SANITIZE_SPECIAL_CHARS);
-    if ($page && in_array($page, $allowedPages, true)) {
-        // Update session timeout
-        $_SESSION['timeout'] = time();
-        // Authenticated user: load the requested page if it exists.
-        $pageFile = dirname(__DIR__) . '/views/' . $page . '.php';
-        require $pageFile;
-    }
-} else {
-    http_response_code(404);
-    ErrorHandler::logMessage('Invalid page request.', 'warning');
-    exit();
-}

update-api/public/.htaccess

@@ -4,16 +4,17 @@ RewriteEngine On
 RewriteCond %{THE_REQUEST} \s/login\.php\s [NC]
 RewriteRule ^login\.php$ /login [R=301,L]
 
-# External redirect / or /index.php → /home
-#    (only when the raw request was exactly "/" or "/index.php")
-RewriteCond %{THE_REQUEST} \s/(?:index\.php)?\s [NC]
-RewriteRule ^(?:index\.php)?$ /home [R=301,L]
+# Redirect /index.php to root
+RewriteCond %{THE_REQUEST} \s/index\.php\s [NC]
+RewriteRule ^index\.php$ / [R=301,L]
 
 # Internal rewrite /login → login.php
 RewriteRule ^login$ login.php [L]
 
-# Internal rewrite /home, /plupdate, /thupdate, /logs → index.php?page=$1
-RewriteRule ^(home|plupdate|thupdate|logs)$ index.php?page=$1 [L,QSA]
+# Fallback to index.php for application routes
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule ^ index.php [L]
 
 
 # Enable caching for certain file types

update-api/public/index.php

@@ -1,5 +1,4 @@
 <?php
-use App\Lib\Loader;
 use App\Core\Router;
 
 $secureFlag = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
@@ -13,7 +12,6 @@ session_regenerate_id(true);
 
 require_once '../config.php';
 require_once '../../vendor/autoload.php';
-require_once '../app/Lib/Loader.php';
 
 $router = new Router();
 $router->dispatch($_SERVER['REQUEST_URI']);