Gate tools login with Caveau access

api/health.php

@@ -8,9 +8,9 @@ dbnToolsRequireMethod('GET');
 dbnToolsRequireAuth();
 
 $checks = [];
-$checks['passcode_hash'] = [
-    'ok' => (bool)dbnToolsEnv('DBN_TOOLS_PASSCODE_HASH'),
-    'detail' => dbnToolsEnv('DBN_TOOLS_PASSCODE_HASH') ? 'Configured' : 'Missing DBN_TOOLS_PASSCODE_HASH',
+$checks['caveau_auth'] = [
+    'ok' => true,
+    'detail' => 'Tools login uses Caveau client_users for tenant ' . dbnToolsClientSlug(),
 ];
 
 $azure = new DbnAzureOpenAiGateway();
@@ -42,15 +42,16 @@ try {
     $checks['db_connectivity'] = ['ok' => true, 'detail' => 'CaveauAI admin DB reachable'];
 
     $client = dbnToolsFetchClient($db);
-    $checks['dave_jr_legal_client'] = [
+    $checks['dobetter_client'] = [
         'ok' => (bool)$client,
         'detail' => $client ? 'Client id ' . $client['id'] . ' found' : 'Client slug ' . dbnToolsClientSlug() . ' not found',
     ];
 
-    $package = dbnToolsFetchPackage('family-legal', $db);
+    $packageSlug = dbnToolsRequiredPackageSlug();
+    $package = dbnToolsFetchPackage($packageSlug, $db);
     $checks['family_legal_package'] = [
-        'ok' => (bool)$package,
-        'detail' => $package ? 'Package id ' . $package['id'] . ' found' : 'family-legal package not found',
+        'ok' => (bool)$package && !empty($package['is_active']),
+        'detail' => $package ? 'Package id ' . $package['id'] . ' found' : $packageSlug . ' package not found',
     ];
 
     $subOk = $client && $package && dbnToolsHasActiveSubscription((int)$client['id'], (int)$package['id'], $db);
@@ -60,7 +61,7 @@ try {
     ];
 } catch (Throwable $e) {
     $checks['db_connectivity'] = ['ok' => false, 'detail' => $e->getMessage()];
-    $checks['dave_jr_legal_client'] = ['ok' => false, 'detail' => 'Not checked'];
+    $checks['dobetter_client'] = ['ok' => false, 'detail' => 'Not checked'];
     $checks['family_legal_package'] = ['ok' => false, 'detail' => 'Not checked'];
     $checks['family_legal_subscription'] = ['ok' => false, 'detail' => 'Not checked'];
 }

api/session.php

@@ -16,27 +16,51 @@ if ($password === '') {
     dbnToolsError('Password is required.', 422, 'missing_password');
 }
 
-$configuredEmail = dbnToolsAuthEmail();
-$hash = dbnToolsAuthPasswordHash();
+try {
+    $db = dbnToolsDb();
+    $client = dbnToolsFetchClient($db);
+    if (!$client || empty($client['is_active'])) {
+        dbnToolsError('Do Better Norge Caveau workspace is not active.', 503, 'client_unavailable');
+    }
 
-if ($configuredEmail === null || trim($configuredEmail) === '' || $hash === null || trim($hash) === '') {
-    dbnToolsError('Authentication credentials are not configured.', 503, 'auth_not_configured');
+    $user = dbnToolsFetchActiveClientUser($email, (int)$client['id'], $db);
+} catch (DbnToolsHttpException $e) {
+    dbnToolsError($e->getMessage(), $e->status, $e->errorCode, $e->extra);
+} catch (Throwable $e) {
+    error_log('DBN tools login error: ' . $e->getMessage());
+    dbnToolsError('Caveau authentication is not available.', 503, 'auth_unavailable');
 }
 
-$emailMatch = hash_equals(strtolower(trim($configuredEmail)), $email);
-$passwordMatch = password_verify($password, $hash);
-
-if (!$emailMatch || !$passwordMatch) {
+if (!$user || !password_verify($password, (string)$user['password_hash'])) {
     dbnToolsError('Email or password was not accepted.', 401, 'invalid_credentials');
 }
 
+$packageAccess = dbnToolsCanUsePackage((int)$client['id'], dbnToolsRequiredPackageSlug(), $db);
+if (empty($packageAccess['ok'])) {
+    dbnToolsError(
+        (string)$packageAccess['message'],
+        (int)$packageAccess['status'],
+        (string)$packageAccess['code']
+    );
+}
+
 session_regenerate_id(true);
 $_SESSION['dbn_tools_authenticated'] = true;
 $_SESSION['dbn_tools_authenticated_at'] = time();
 $_SESSION['dbn_tools_anon_id'] = $_SESSION['dbn_tools_anon_id'] ?? bin2hex(random_bytes(16));
+$_SESSION['dbn_tools_client_id'] = (int)$client['id'];
+$_SESSION['dbn_tools_client_slug'] = (string)$client['slug'];
+$_SESSION['dbn_tools_user_id'] = (int)$user['id'];
+$_SESSION['dbn_tools_user_email'] = (string)$user['email'];
+$_SESSION['dbn_tools_user_role'] = (string)$user['role'];
+$_SESSION['dbn_tools_package_slug'] = dbnToolsRequiredPackageSlug();
 
 dbnToolsRespond([
     'ok' => true,
     'authenticated' => true,
     'session' => dbnToolsAnonymousSessionId(),
+    'user' => [
+        'email' => (string)$user['email'],
+        'role' => (string)$user['role'],
+    ],
 ]);