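false, 'message' => 'Token is required']); exit; }

    // Validate the submitted idToken against the configured tenant/client.
    $validator = new JWTValidator(
        $config['sso']['tenant_id'],
        $config['sso']['client_id']
    );
    $result = $validator->validate($token);
    if (!$result['valid']) {
        http_response_code(401);
        // NOTE(review): $result['error'] is passed straight from the validator to the
        // client; confirm it carries a client-safe message and no internal detail.
        echo json_encode(['success' => false, 'message' => $result['error'] ?? 'Invalid token']);
        exit;
    }

    // Register user role on first login. The lookup is keyed on the e-mail-like
    // claim of the validated token (preferred_username, falling back to upn).
    // NOTE(review): these claims are only as trustworthy as the issuer/audience
    // checks inside JWTValidator — confirm it pins tenant_id and client_id.
    $email = strtolower($result['claims']['preferred_username'] ?? $result['claims']['upn'] ?? '');
    if ($email !== '') {
        $roleManager = new UserRoleManager();
        $roleManager->getRole($email); // triggers auto-promotion for admin_emails
    }

    // Store the raw idToken in a secure HttpOnly cookie (24h).
    // isset() alone is not enough: some servers (IIS/ISAPI, per the PHP manual)
    // populate $_SERVER['HTTPS'] with 'off' for plain-HTTP requests, which would
    // set the Secure flag on a cookie that is then sent over HTTP anyway.
    // NOTE(review): behind a TLS-terminating proxy HTTPS may be absent entirely;
    // if that is the deployment, derive it from a trusted-proxy check upstream so
    // the token is never issued without the Secure flag.
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $cookieOptions = [
        'expires' => time() + (24 * 60 * 60),
        'path' => '/',
        'domain' => '',
        'secure' => $isHttps,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
    setcookie('auth_token', $token, $cookieOptions);
    echo json_encode(['success' => true]);
    exit;
}

// GET logout — clear cookie, redirect
if ($_SERVER['REQUEST_METHOD'] === 'GET' && $action === 'logout') {
    // Expire the cookie with the same path/domain it was issued with so the
    // browser matches the existing entry; keep the flags consistent with login.
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie('auth_token', '', [
        'expires' => time() - 3600,
        'path' => '/',
        'domain' => '',
        'secure' => $isHttps,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    unset($_COOKIE['auth_token']);

    // Build Azure AD logout URL; the post-logout target is fixed, not user-supplied.
    $tenantId = $config['sso']['tenant_id'];
    $postLogoutRedirect = urlencode('https://ai-sandbox.oliver.solutions/loreal-global-kickoff');
    $logoutUrl = "https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/logout?post_logout_redirect_uri={$postLogoutRedirect}";
    header('Location: ' . $logoutUrl);
    exit;
}

// GET default — redirect to index (handles MSAL redirect_uri)
header('Location: index.php');
exit;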