# Local Development – Ordio Loop Affiliate

**Last Updated:** 2026-02-05

Guidance for running the affiliate partner system locally so admin features (e.g. assign admin) work correctly.

## Same-origin requirement

The admin page and all admin APIs must be served from the **same origin** (same scheme, host, and port).

- **Why:** Session cookies are sent only to the same origin when using `credentials: 'same-origin'` in fetch. Different ports (e.g. page on `localhost:8003`, API on `localhost:8081`) are different origins, so the browser will not send the session cookie to the API. The API then sees no session and returns 401 or redirects to login; in some setups you may see 403 if session storage is partially shared.
- **In local dev:** Run a **single** server so both `/partner/admin` and `/v2/api/affiliate-admin-*.php` are on the same host and port.

Example (PHP built-in server from repo root):

```bash
php -S localhost:8003
```

Then open `http://localhost:8003/partner/admin`. All admin API requests will go to `http://localhost:8003/v2/api/...` (same origin).

## If the request goes to a different port

If in DevTools → Network you see the PATCH (or GET) to an admin API going to a **different port** than the page (e.g. page on 8003, request to 8081):

1. **Fix the dev setup:** Use one server/port for the whole app (see above), or remove any proxy that splits the page and API to different ports.
2. **If you must use two ports:** You would need to (a) add the API origin to a CORS allowlist and send `Access-Control-Allow-Credentials: true` with a specific `Access-Control-Allow-Origin`, and (b) ensure PHP session storage is **shared** (same `session.save_path`) across both processes. Prefer one port to avoid this.
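
The Network-tab check above, written out as an added example (not part of the project's code): given the page URL and the request URLs seen in DevTools, it reports which admin API calls leave the page's origin and therefore go out without the session cookie under `credentials: 'same-origin'`. The endpoint name `affiliate-admin-example.php` and the sample URLs are constructed placeholders.

```javascript
// Added example, not project code. The sample URLs and the endpoint name
// "affiliate-admin-example.php" are constructed placeholders.

// Port as the browser compares it: an empty port means the scheme default.
function effectivePort(u) {
  return u.port || (u.protocol === 'https:' ? '443' : '80');
}

// An origin is scheme + host + port; name the components that differ.
function originDiff(a, b) {
  const differs = [];
  if (a.protocol !== b.protocol) differs.push('scheme');
  if (a.hostname !== b.hostname) differs.push('host');
  if (effectivePort(a) !== effectivePort(b)) differs.push('port');
  return differs;
}

// Report admin API requests that are cross-origin relative to the page.
// With fetch's credentials: 'same-origin', these carry no session cookie.
function findSplitOriginRequests(pageUrl, requests) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const { method, url } of requests) {
    const target = new URL(url, page); // relative URLs inherit the page origin
    if (!target.pathname.startsWith('/v2/api/affiliate-admin-')) continue;
    if (target.origin === page.origin) continue;
    findings.push({
      method,
      url: target.href,
      requestOrigin: target.origin,
      differs: originDiff(page, target),
    });
  }
  return findings;
}

// Constructed sample of what the Network tab might list in a split setup.
const page = 'http://localhost:8003/partner/admin';
const sampleRequests = [
  { method: 'GET', url: '/v2/api/affiliate-admin-example.php' },
  { method: 'PATCH', url: 'http://localhost:8081/v2/api/affiliate-admin-example.php' },
  { method: 'GET', url: 'http://127.0.0.1:8003/v2/api/affiliate-admin-example.php' },
  { method: 'GET', url: 'http://localhost:8081/assets/app.js' }, // not an admin API
];

for (const f of findSplitOriginRequests(page, sampleRequests)) {
  console.log(`${f.method} ${f.url}: differs by ${f.differs.join(', ')}; no session cookie sent`);
}
```

Note that `localhost` and `127.0.0.1` count as different hosts, so mixing them splits the origin even when the port matches.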

## Session storage

If you run more than one PHP process (e.g. two built-in servers on different ports), each has its own default `session.save_path`. Session data is then not shared, so the API process may not see the session created when you logged in on the page process. Use one server so one process serves both the page and the API.

## Troubleshooting 403 on assign admin

See [TROUBLESHOOTING.md](TROUBLESHOOTING.md#troubleshooting-403-when-assigning-admin) for steps when you see “Keine Admin-Rechte” (403).
