session = $session; $this->authService = $authService; }

    /**
     * Authenticate the incoming request and hand the resolved user to the route.
     *
     * Paths under /api are authenticated with a JWT bearer token from the
     * Authorization header; every other path is authenticated against the
     * session. On success the user is stored in the route parameters under the
     * `_authenticated_user` key and $next is invoked. When the session check
     * fails a redirect to /login is issued and the pipeline stops here.
     *
     * @throws Exception code 401 when an API request has no usable bearer token
     */
    public function handle(Request $request, Response $response, callable $next): void
    {
        $isApiRoute = str_starts_with($request->getPath(), '/api');

        $user = $isApiRoute
            ? $this->userFromBearerToken($request)
            : $this->userFromSession($response);

        if ($user === null) {
            // Session branch already redirected; do not continue the chain.
            return;
        }

        $this->attachAuthenticatedUser($request, $user);
        $next();
    }

    /**
     * Resolve the user for an API request from the "Bearer <token>" header.
     *
     * @throws Exception code 401 when the header is missing, not a Bearer
     *                   scheme, or the token does not verify
     */
    private function userFromBearerToken(Request $request): mixed
    {
        $header = $request->getHeader('Authorization');

        if (!$header || !str_starts_with($header, 'Bearer ')) {
            throw new Exception("Unauthorized. Bearer token missing.", 401);
        }

        // Everything after the "Bearer " prefix (7 bytes) is the raw token.
        $verified = $this->authService->verifyJwt(substr($header, 7));

        if (!$verified) {
            throw new Exception("Unauthorized. Invalid or expired token.", 401);
        }

        return $verified;
    }

    /**
     * Resolve the user for a web request from the session's `user_id`.
     *
     * Returns null after issuing a redirect to /login when there is no
     * session user id, or when the id no longer maps to a user (the session
     * is destroyed in that case so a stale id is not retried).
     */
    private function userFromSession(Response $response): mixed
    {
        $sessionUserId = $this->session->get('user_id');

        if (!$sessionUserId) {
            $this->session->setFlash('error', 'Please login to access this page.');
            $response->redirect('/login');
            return null;
        }

        $resolved = $this->authService->getUserById($sessionUserId);

        if (!$resolved) {
            $this->session->destroy();
            $response->redirect('/login');
            return null;
        }

        return $resolved;
    }

    /**
     * Expose the authenticated user to controllers via the route parameters.
     *
     * The merge puts the trusted value last so it wins over any same-named
     * key that came from the route itself.
     */
    private function attachAuthenticatedUser(Request $request, mixed $user): void
    {
        $params = $request->getRouteParams();
        $params = array_merge($params, ['_authenticated_user' => $user]);
        $request->setRouteParams($params);
    }
}