Api bump last login

[simonLeary42]

adds an API endpoint where you can HTTP POST to bump the last login timestamp of a user. Requires an API key.

$ curl 'http://account-portal-docker-web:8000/lan/api/expiry.php?uid=user1_org1_test'; echo ""
{"uid":"user1_org1_test","idlelock_date":"1970/08/09","disable_date":"1971/02/05"}
$ curl -X POST -H 'Authorization: Bearer dev_environment_api_key' 'http://account-portal-docker-web:8000/lan/api/bump-last-login.php?uid=user1_org1_test'
$ curl 'http://account-portal-docker-web:8000/lan/api/expiry.php?uid=user1_org1_test'; echo ""
{"uid":"user1_org1_test","idlelock_date":"2026/10/12","disable_date":"2027/04/10"}

To demonstrate this, I needed to add an API key that runs in the docker dev environment. To do that, I needed another config override. To produce the above example, I used a DNS mapping in /etc/hosts to change the value of HTTP_HOST so that it would use this new override.

[Copilot]

Pull request overview

Adds a new authenticated API endpoint to “bump” a user’s last-login timestamp and wires up test support/configuration for Bearer tokens.

Changes:

• Introduced webroot/lan/api/bump-last-login.php endpoint guarded by a new UnityHTTPD::validateAPIKey() helper.
• Extended PHPUnit HTTP helpers to send Authorization: Bearer ... headers.
• Added functional coverage + config entries for API keys.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
webroot/lan/api/bump-last-login.php	New POST endpoint that validates API key and records a login event for a UID
resources/lib/UnityHTTPD.php	Adds Bearer-token API key validation helper
test/phpunit-bootstrap.php	Extends http helpers to inject Bearer token + renames http_get param
test/functional/BumpLastLoginApiTest.php	Functional test for bump-last-login endpoint
deployment/overrides/phpunit/config/config.ini	Adds [api]keys for PHPUnit environment
defaults/config.ini.default	Documents [api]keys config option
CHANGELOG.md	Notes new config option for API keys

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[simonLeary42]

I tested out this theory that HTTP_HOST is insecure, and it's actually fine.

I added a mapping to my /etc/hosts so that the domain name phpstan maps to the production account portal, and then I tricked the discovery service into allowing my return path, and I got this: