create-prisma-php-app 4.0.0-alpha.19 → 4.0.0-alpha.20

package/dist/src/Lib/Middleware/CorsMiddleware.php

@@ -0,0 +1,158 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Lib\Middleware;
+
+/**
+ * CORS middleware driven by .env allow-list.
+ *
+ * Env keys (CSV or JSON array for origins):
+ *   CORS_ALLOWED_ORIGINS=["http://localhost:5173","https://*.example.com"]
+ *   CORS_ALLOW_CREDENTIALS=true
+ *   CORS_ALLOWED_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS
+ *   CORS_ALLOWED_HEADERS=Content-Type,Authorization,X-Requested-With
+ *   CORS_EXPOSE_HEADERS=
+ *   CORS_MAX_AGE=86400
+ *
+ * Call as early as possible (after Dotenv::load, before session_start).
+ */
+final class CorsMiddleware
+{
+    /** Entry point */
+    public static function handle(?array $overrides = null): void
+    {
+        // Not a CORS request
+        $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+        if ($origin === '') {
+            return;
+        }
+
+        // Resolve config (env → overrides)
+        $cfg = self::buildConfig($overrides);
+
+        // Not allowed? Do nothing (browser will block)
+        if (!self::isAllowedOrigin($origin, $cfg['allowedOrigins'])) {
+            return;
+        }
+
+        // Compute which value to send for Access-Control-Allow-Origin
+        // If credentials are disabled and '*' is in list, we can send '*'
+        $sendWildcard = (!$cfg['allowCredentials'] && self::listHasWildcard($cfg['allowedOrigins']));
+        $allowOriginValue = $sendWildcard ? '*' : self::normalize($origin);
+
+        // Vary for caches
+        header('Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers');
+
+        header('Access-Control-Allow-Origin: ' . $allowOriginValue);
+        if ($cfg['allowCredentials']) {
+            header('Access-Control-Allow-Credentials: true');
+        }
+
+        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+            // Preflight response
+            $requestedHeaders = $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? '';
+            $allowedHeaders = $cfg['allowedHeaders'] !== ''
+                ? $cfg['allowedHeaders']
+                : ($requestedHeaders ?: 'Content-Type, Authorization, X-Requested-With');
+
+            header('Access-Control-Allow-Methods: ' . $cfg['allowedMethods']);
+            header('Access-Control-Allow-Headers: ' . $allowedHeaders);
+            if ($cfg['maxAge'] > 0) {
+                header('Access-Control-Max-Age: ' . (string) $cfg['maxAge']);
+            }
+
+            // Optional: Private Network Access preflights (Chrome)
+            if (!empty($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK'])) {
+                header('Access-Control-Allow-Private-Network: true');
+            }
+
+            http_response_code(204);
+            header('Content-Length: 0');
+            exit;
+        }
+
+        // Simple/actual request
+        if ($cfg['exposeHeaders'] !== '') {
+            header('Access-Control-Expose-Headers: ' . $cfg['exposeHeaders']);
+        }
+    }
+
+    /** Read env + normalize + apply overrides */
+    private static function buildConfig(?array $overrides): array
+    {
+        $allowed = self::parseList($_ENV['CORS_ALLOWED_ORIGINS'] ?? '');
+        $cfg = [
+            'allowedOrigins'   => $allowed,
+            'allowCredentials' => filter_var($_ENV['CORS_ALLOW_CREDENTIALS'] ?? 'false', FILTER_VALIDATE_BOOLEAN),
+            'allowedMethods'   => $_ENV['CORS_ALLOWED_METHODS'] ?? 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
+            'allowedHeaders'   => trim($_ENV['CORS_ALLOWED_HEADERS'] ?? ''),
+            'exposeHeaders'    => trim($_ENV['CORS_EXPOSE_HEADERS'] ?? ''),
+            'maxAge'           => (int)($_ENV['CORS_MAX_AGE'] ?? 86400),
+        ];
+
+        if (is_array($overrides)) {
+            foreach ($overrides as $k => $v) {
+                if (array_key_exists($k, $cfg)) {
+                    $cfg[$k] = $v;
+                }
+            }
+        }
+
+        // Normalize patterns
+        $cfg['allowedOrigins'] = array_map([self::class, 'normalize'], $cfg['allowedOrigins']);
+        return $cfg;
+    }
+
+    /** CSV or JSON array → array<string> */
+    private static function parseList(string $raw): array
+    {
+        $raw = trim($raw);
+        if ($raw === '') return [];
+
+        if ($raw[0] === '[') {
+            $arr = json_decode($raw, true);
+            if (is_array($arr)) {
+                return array_values(array_filter(array_map('strval', $arr), 'strlen'));
+            }
+        }
+        return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
+    }
+
+    private static function normalize(string $origin): string
+    {
+        return rtrim($origin, '/');
+    }
+
+    private static function isAllowedOrigin(string $origin, array $list): bool
+    {
+        $o = self::normalize($origin);
+
+        foreach ($list as $pattern) {
+            $p = self::normalize($pattern);
+
+            // literal "*"
+            if ($p === '*') return true;
+
+            // allow literal "null" for file:// or sandboxed if explicitly listed
+            if ($o === 'null' && strtolower($p) === 'null') return true;
+
+            // wildcard like https://*.example.com
+            if (strpos($p, '*') !== false) {
+                $regex = '/^' . str_replace('\*', '[^.]+', preg_quote($p, '/')) . '$/i';
+                if (preg_match($regex, $o)) return true;
+            } else {
+                if (strcasecmp($p, $o) === 0) return true;
+            }
+        }
+        return false;
+    }
+
+    private static function listHasWildcard(array $list): bool
+    {
+        foreach ($list as $p) {
+            if (trim($p) === '*') return true;
+        }
+        return false;
+    }
+}

package/dist/src/Lib/PHPX/Fragment.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Lib\PHPX;
+
+use Lib\PHPX\PHPX;
+
+class Fragment extends PHPX
+{
+    /** @property ?string $as = div|span|section|article|nav|header|footer|main|aside */
+    public ?string $as = null;
+    public ?string $class = '';
+
+    public function __construct(array $props = [])
+    {
+        parent::__construct($props);
+    }
+
+    public function render(): string
+    {
+        if ($this->as !== null) {
+            $attributes = $this->getAttributes();
+            $class = $this->getMergeClasses($this->class);
+            $classAttr = $class ? "class=\"{$class}\"" : '';
+
+            return "<{$this->as} {$classAttr} {$attributes}>{$this->children}</{$this->as}>";
+        }
+
+        return $this->children;
+    }
+}

package/dist/src/Lib/PHPX/PHPX.php

@@ -26,9 +26,19 @@ class PHPX implements IPHPX
      */
     protected array $attributesArray = [];
 
+    /**
+     * @var array|null Component hierarchy set during rendering
+     */
+    protected static ?array $currentHierarchy = null;
+
+    /**
+     * @var string|null Current component ID
+     */
+    protected static ?string $currentComponentId = null;
+
     /**
      * Constructor to initialize the component with the given properties.
-     * 
+     *
      * @param array<string, mixed> $props Optional properties to customize the component.
      */
     public function __construct(array $props = [])
@@ -37,6 +47,112 @@ class PHPX implements IPHPX
         $this->children = $props['children'] ?? '';
     }
 
+    /**
+     * Convert a property name to a JavaScript variable path.
+     *
+     * This method generates a JavaScript variable path for the given property name,
+     * based on the current component hierarchy. It is used to access properties in
+     * the JavaScript context of the component.
+     *
+     * @param string $name The property name to convert.
+     * @return string The JavaScript variable path for the property.
+     */
+    protected function propsAsVar(string $name): string
+    {
+        if (empty($name)) {
+            return '';
+        }
+
+        $hierarchy = $this->getComponentHierarchy();
+
+        if (count($hierarchy) > 1 && end($hierarchy) === self::$currentComponentId) {
+            array_pop($hierarchy);
+        }
+
+        return "pphp.props." . implode('.', $hierarchy) . ".{$name}";
+    }
+
+    /**
+     * Emit a client-side dispatch call.
+     *
+     * @param non-empty-string|null $name  Reactive key (e.g. "myVar", "voucher.total", or "app.s9ggniz.myVar").
+     * @param string                $value Raw JS inserted verbatim (variable, expression, or pre-JSON-encoded value).
+     * @param array{
+     *   scope?: 'current'|'parent'|'root'|string[]
+     * }                              $options Dispatch options (defaults to ['scope' => 'current']).
+     *
+     * @return string JavaScript snippet like: pphp.dispatchEvent("myVar", 123, {"scope":"current"});
+     */
+    protected function dispatchEvent(?string $name, string $value, array $options = []): string
+    {
+        $name = trim((string) $name);
+        if ($name === '') {
+            return '';
+        }
+
+        // normalize options
+        $opts = $options;
+        if (!array_key_exists('scope', $opts)) {
+            $opts['scope'] = 'current';
+        } else {
+            if (is_string($opts['scope'])) {
+                $allowed = ['current', 'parent', 'root'];
+                if (!in_array($opts['scope'], $allowed, true)) {
+                    $opts['scope'] = 'current';
+                }
+            } elseif (is_array($opts['scope'])) {
+                $opts['scope'] = array_values(array_map('strval', $opts['scope']));
+            } else {
+                $opts['scope'] = 'current';
+            }
+        }
+
+        // safely encode name/options; value is inserted verbatim
+        $jsName = json_encode($name, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        $jsOpts = json_encode($opts, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+
+        return "pphp.dispatchEvent({$jsName}, {$value}, {$jsOpts});";
+    }
+
+    /**
+     * Set the component hierarchy and current component ID (called by TemplateCompiler during rendering)
+     *
+     * @param array $hierarchy The component hierarchy
+     * @param string $currentId The current component ID
+     */
+    public static function setRenderingContext(array $hierarchy, string $currentId): void
+    {
+        self::$currentHierarchy = $hierarchy;
+        self::$currentComponentId = $currentId;
+    }
+
+    /**
+     * Get the parent component ID from the current hierarchy.
+     *
+     * @return string|null The parent component ID, or null if no parent exists
+     */
+    protected function getParentComponent(): ?string
+    {
+        $fullHierarchy = $this->getComponentHierarchy();
+
+        if (count($fullHierarchy) >= 2) {
+            return $fullHierarchy[count($fullHierarchy) - 2];
+        }
+
+        return null;
+    }
+
+    /**
+     * Get the full component hierarchy as an array.
+     * Useful for building complete hierarchy paths for JavaScript.
+     *
+     * @return array Array of component IDs from root to current
+     */
+    protected function getComponentHierarchy(): array
+    {
+        return self::$currentHierarchy ?? ['app'];
+    }
+
     /**
      * Combines and returns the CSS classes for the component.
      *
@@ -68,7 +184,7 @@ class PHPX implements IPHPX
         unset($chunk);
 
         $merged = PrismaPHPSettings::$option->tailwindcss
-            ? TwMerge::mergeClasses(...$all)
+            ? TwMerge::merge(...$all)
             : $this->mergeClasses(...$all);
 
         return str_replace(array_keys($expr), array_values($expr), $merged);
@@ -118,9 +234,7 @@ class PHPX implements IPHPX
             array_flip(array_merge($reserved, $exclude))
         );
 
-        foreach ($params as $k => $v) {
-            $props[$k] = $v;
-        }
+        $props = array_merge($params, $props);
 
         $pairs = array_map(
             static fn($k, $v) => sprintf(

package/dist/src/Lib/PHPX/TemplateCompiler.php

@@ -108,12 +108,14 @@ class TemplateCompiler
         );
 
         if (!isset($_SERVER['HTTP_X_PPHP_NAVIGATION'])) {
-            $htmlContent = preg_replace(
-                '/<body([^>]*)>/i',
-                '<body$1 hidden>',
-                $htmlContent,
-                1
-            );
+            if (!PrismaPHPSettings::$option->backendOnly) {
+                $htmlContent = preg_replace(
+                    '/<body([^>]*)>/i',
+                    '<body$1 hidden>',
+                    $htmlContent,
+                    1
+                );
+            }
         }
 
         $bodyClosePattern = '/(<\/body\s*>)/i';
@@ -202,9 +204,12 @@ class TemplateCompiler
 
     private static function protectInlineScripts(string $html): string
     {
-        return preg_replace_callback(
-            '#<script\b([^>]*?)>(.*?)</script>#is',
-            static function ($m) {
+        if (stripos($html, '<script') === false) {
+            return $html;
+        }
+
+        $processScripts = static function (string $content): string {
+            $callback = static function (array $m): string {
                 if (preg_match('/\bsrc\s*=/i', $m[1])) {
                     return $m[0];
                 }
@@ -233,9 +238,33 @@ class TemplateCompiler
                 $code = str_replace(']]>', ']]]]><![CDATA[>', $m[2]);
 
                 return "<script{$m[1]}><![CDATA[\n{$code}\n]]></script>";
-            },
-            $html
-        );
+            };
+
+            $result = preg_replace_callback(
+                '#<script\b([^>]*?)>(.*?)</script>#is',
+                $callback,
+                $content
+            );
+
+            if ($result === null) {
+                $result = preg_replace_callback(
+                    '#<script\b([^>]*?)>(.*?)</script>#is',
+                    $callback,
+                    $content
+                );
+
+                return $result ?? $content;
+            }
+
+            return $result;
+        };
+
+        if (preg_match('/^(.*?<body\b[^>]*>)(.*?)(<\/body>.*)$/is', $html, $parts)) {
+            [$all, $beforeBody, $body, $afterBody] = $parts;
+            return $beforeBody . $processScripts($body) . $afterBody;
+        }
+
+        return $processScripts($html);
     }
 
     public static function innerXml(DOMNode $node): string
@@ -381,23 +410,35 @@ class TemplateCompiler
         string $componentName,
         array $incomingProps
     ): string {
-        $mapping       = self::selectComponentMapping($componentName);
-        $instance      = self::initializeComponentInstance($mapping, $incomingProps);
+        $mapping  = self::selectComponentMapping($componentName);
+
+        $baseId = 's' . base_convert(sprintf('%u', crc32($mapping['className'])), 10, 36);
+        $idx = self::$componentInstanceCounts[$baseId] ?? 0;
+        self::$componentInstanceCounts[$baseId] = $idx + 1;
+        $sectionId = $idx === 0 ? $baseId : "{$baseId}{$idx}";
+
+        $originalStack = self::$sectionStack;
+        self::$sectionStack[] = $sectionId;
+
+        PHPX::setRenderingContext($originalStack, $sectionId);
+
+        $instance = self::initializeComponentInstance($mapping, $incomingProps);
 
         $childHtml = '';
         foreach ($node->childNodes as $c) {
             $childHtml .= self::processNode($c);
         }
 
-        $instance->children = $childHtml;
+        self::$sectionStack = $originalStack;
 
-        $baseId   = 's' . base_convert(sprintf('%u', crc32($mapping['className'])), 10, 36);
-        $idx      = self::$componentInstanceCounts[$baseId] ?? 0;
-        self::$componentInstanceCounts[$baseId] = $idx + 1;
-        $sectionId = $idx === 0 ? $baseId : "{$baseId}{$idx}";
+        $instance->children = trim($childHtml);
+
+        PHPX::setRenderingContext($originalStack, $sectionId);
+
+        $html = $instance->render();
+        $html = self::preprocessFragmentSyntax($html);
 
-        $html     = $instance->render();
-        $fragDom  = self::convertToXml($html);
+        $fragDom = self::convertToXml($html);
         $root = $fragDom->documentElement;
         foreach ($root->childNodes as $c) {
             if ($c instanceof DOMElement) {
@@ -407,6 +448,14 @@ class TemplateCompiler
         }
 
         $htmlOut = self::innerXml($fragDom);
+        $htmlOut = preg_replace_callback(
+            '/<([a-z0-9-]+)([^>]*)\/>/i',
+            fn($m) => in_array(strtolower($m[1]), self::$selfClosingTags, true)
+                ? $m[0]
+                : "<{$m[1]}{$m[2]}></{$m[1]}>",
+            $htmlOut
+        );
+
         if (
             str_contains($htmlOut, '{{') ||
             self::hasComponentTag($htmlOut) ||
@@ -418,6 +467,14 @@ class TemplateCompiler
         return $htmlOut;
     }
 
+    private static function preprocessFragmentSyntax(string $content): string
+    {
+        $content = preg_replace('/<>/', '<Fragment>', $content);
+        $content = preg_replace('/<\/>/', '</Fragment>', $content);
+
+        return $content;
+    }
+
     private static function selectComponentMapping(string $componentName): array
     {
         if (!isset(self::$classMappings[$componentName])) {