portspoof_concentrator/purge.php

<?php
/**
 * portspoof_concentrator – HTTP purge trigger
 *
 * Runs the same purge logic as cron/purge.php when called over HTTP.
 * Deletes connections older than the retention_days setting.
 *
 * Authentication (any one of):
 *   - Active web session (logged-in browser)
 *   - Authorization: Bearer <TRIGGER_TOKEN>
 *   - ?token=<TRIGGER_TOKEN>
 *
 * Usage:
 *   GET/POST  /purge.php
 *   GET/POST  /purge.php?token=<secret>
 *   GET/POST  /purge.php   (with header: Authorization: Bearer <secret>)
 *
 * Always returns JSON.
 */

require_once __DIR__ . '/includes/auth.php';
require_once __DIR__ . '/includes/functions.php';

header('Content-Type: application/json');

// ── Auth ──────────────────────────────────────────────────────────────────────

$session_ok = false;
if (auth_enabled()) {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $session_ok = !empty($_SESSION['authenticated']);
}

$token_ok = false;
if (TRIGGER_TOKEN !== '') {
    $provided = '';
    $auth_header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (str_starts_with($auth_header, 'Bearer ')) {
        $provided = substr($auth_header, 7);
    }
    if ($provided === '' && isset($_REQUEST['token'])) {
        $provided = $_REQUEST['token'];
    }
    $token_ok = $provided !== '' && hash_equals(TRIGGER_TOKEN, $provided);
}

if (!$session_ok && !$token_ok) {
    http_response_code(401);
    echo json_encode(['error' => 'Unauthorized']);
    exit;
}

// ── Run purge ─────────────────────────────────────────────────────────────────

$started_at     = microtime(true);
$retention_days = max(1, (int)get_setting('retention_days', '7'));
$deleted        = purge_old_connections();
$elapsed_ms     = (int)round((microtime(true) - $started_at) * 1000);

echo json_encode([
    'ok'             => true,
    'elapsed_ms'     => $elapsed_ms,
    'retention_days' => $retention_days,
    'deleted'        => $deleted,
], JSON_PRETTY_PRINT);