Authentication
Three Authentication Paths
The platform uses three distinct authentication methods depending on the client type.
1. Device Token Auth
IoT devices send an X-Device-Token header carrying a 64-character hex token generated when the device is created. It is stored in devices.device_token.
2. Session Auth (Web)
Browser clients use a PHP session with a CSRF token. Login sets $_SESSION['user_id']. All forms require CSRF validation.
3. Bearer Token (Mobile)
Mobile apps send Authorization: Bearer <token>. The token is issued by /api/mobile/login and stored as a hash in api_access_tokens.
📡 Mobile Login Flow
POST /api/mobile/login
Content-Type: application/json
{ "email": "user@example.com", "password": "secure123" }
Response (200):
{
"status": "ok",
"data": {
"token": "a1b2c3d4...64chars",
"user": { "id": 1, "email": "...", "role": "admin" }
}
}
// Use token for all subsequent requests:
GET /api/mobile/devices
Authorization: Bearer a1b2c3d4...64chars
🔐 Security Features
All passwords hashed with password_hash(PASSWORD_BCRYPT, ['cost' => 12]). API tokens hashed with SHA-256 before storage — plaintext returned only once at creation. Session cookies: HttpOnly, SameSite=Strict. CSRF tokens on every POST form. Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
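The mobile login flow and the token-handling rules above, as an added PHP example that is not the platform's own code: it issues a 64-char hex bearer token, stores only its SHA-256 hash, verifies a presented Authorization header against that hash, and checks a bcrypt password with password_verify(). The column names user_id, token_hash, id and password_hash, the users table, and the in-memory SQLite demo database are assumptions; the page only names the api_access_tokens table.

```php
<?php
// Added example, not the project's code. Assumes api_access_tokens(user_id, token_hash)
// and users(id, email, password_hash) tables; column names are assumptions. Needs pdo_sqlite.
declare(strict_types=1);

function issueMobileToken(PDO $pdo, int $userId): string
{
    // 32 random bytes -> 64 hex chars, the token format the page describes
    $plaintext = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO api_access_tokens (user_id, token_hash) VALUES (:uid, :hash)');
    $stmt->execute([':uid' => $userId, ':hash' => hash('sha256', $plaintext)]);
    return $plaintext; // returned to the client exactly once; only the hash is stored
}

function userIdFromBearer(PDO $pdo, string $authorizationHeader): ?int
{
    // Accept only "Bearer <64 hex chars>"; anything else is rejected before the DB is touched
    if (!preg_match('/^Bearer ([0-9a-f]{64})$/i', $authorizationHeader, $m)) {
        return null;
    }
    $lookup = hash('sha256', $m[1]);
    $stmt = $pdo->prepare('SELECT user_id, token_hash FROM api_access_tokens WHERE token_hash = :hash');
    $stmt->execute([':hash' => $lookup]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() keeps the final comparison constant-time
    if ($row === false || !hash_equals($row['token_hash'], $lookup)) {
        return null;
    }
    return (int) $row['user_id'];
}

function verifyLogin(PDO $pdo, string $email, string $password): ?int
{
    // password_hash is a bcrypt hash created with PASSWORD_BCRYPT, cost 12 (as on the page)
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Demo on a constructed in-memory database: a valid token resolves to user 1, a bogus one to NULL
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE api_access_tokens (user_id INTEGER, token_hash TEXT)');
$token = issueMobileToken($pdo, 1);
var_dump(userIdFromBearer($pdo, "Bearer $token"), userIdFromBearer($pdo, 'Bearer ' . str_repeat('0', 64)));
```

Because only the SHA-256 hash is stored, a leaked api_access_tokens table does not yield usable bearer tokens, which is the point of hashing them before storage.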