fix(borne): passerelle /api same-origin sur le vhost kiosk #62

Merged

Corentin merged 1 commit from feat/p4-borne-api-same-origin into dev

2026-06-19 16:15:41 +02:00

Corentin commented

2026-06-19 16:12:06 +02:00

Owner

No description provided.

Corentin added 1 commit 2026-06-19 16:12:07 +02:00

fix(borne): passerelle /api same-origin sur le vhost kiosk

CI / static-tests (push) Successful in 52s

Details

CI / php-lint (pull_request) Successful in 23s

Details

CI / secret-scan (push) Successful in 12s

Details

CI / php-lint (push) Successful in 24s

Details

CI / js-tests (push) Successful in 27s

Details

CI / secret-scan (pull_request) Successful in 10s

Details

CI / static-tests (pull_request) Successful in 53s

Details

CI / js-tests (pull_request) Successful in 27s

Details

988c1bbbdd

La borne consommait /api en chemin relatif sur sa propre origine
(APP_HOST_KIOSK), ou aucune API n'est routee : le fallback SPA du vhost
kiosk renvoyait index.html (HTML) -> data.js plantait sur res.json() ->
catalogue vide ("pas cable"). Le middleware CORS livre en #61 n'etait donc
jamais sollicite (la borne ne sortait pas vers l'origine API).

Fix : le vhost kiosk relaie /api/* au front controller admin via PHP-FPM.
ProxyFCGISetEnvIf force SCRIPT_FILENAME sur public/admin/index.php (sinon FPM
rejette en "Access denied" : l'extension != .php). REQUEST_URI est preserve,
le Router route correctement. data.js inchange (URLs relatives desormais
correctes en same-origin). Seul /api est relaye : le back-office (/login,
/admin/*) reste hors de l'origine borne. CORS conserve en defense en
profondeur (doc conventions section 10).

Verifie sur la vraie stack : /api/categories|products|menus|products/{id}|
menus/{id} depuis l'origine borne -> 200 application/json ; /login et
/admin/dashboard cote borne -> SPA borne (pas le back-office) ; admin direct
+ home borne sans regression.

Corentin scheduled this pull request to auto merge when all checks succeed 2026-06-19 16:12:07 +02:00