create-prisma-php-app 4.0.0-alpha.5 → 4.0.0-alpha.51

package/dist/.htaccess

@@ -1,38 +1,45 @@
 # Turn on rewrite engine
 RewriteEngine On
 
-# Prevent access to sensitive files
+# ------------------------------------------------------------------------------
+# Block sensitive files (Apache 2.2 + 2.4 compatible)
+# ------------------------------------------------------------------------------
 <FilesMatch "(^\.htaccess|\.git|\.env|composer\.(json|lock)|package(-lock)?\.json|phpunit\.xml)$">
+  <IfModule mod_authz_core.c>
+    Require all denied
+  </IfModule>
+  <IfModule !mod_authz_core.c>
     Order allow,deny
     Deny from all
+  </IfModule>
 </FilesMatch>
 
-# Allow cross-origin requests (CORS) for all routes
-<IfModule mod_headers.c>
-    Header set Access-Control-Allow-Origin "*"
-    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS"
-    Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
-</IfModule>
+# ------------------------------------------------------------------------------
+# CORS: handled in PHP via Lib\Middleware\CorsMiddleware
+# (Remove any Apache-level Access-Control-* headers to avoid conflicts)
+# ------------------------------------------------------------------------------
 
-# Set Content-Type with charset UTF-8 for HTML, CSS, and JS files
+# ------------------------------------------------------------------------------
+# Content-Type with charset UTF-8 for HTML, CSS, and JS files
+# ------------------------------------------------------------------------------
 <IfModule mod_headers.c>
-    # For HTML files
-    <FilesMatch "\.(html|htm)$">
-        Header set Content-Type "text/html; charset=UTF-8"
-    </FilesMatch>
-
-    # For CSS files
-    <FilesMatch "\.(css)$">
-        Header set Content-Type "text/css; charset=UTF-8"
-    </FilesMatch>
-
-    # For JavaScript files
-    <FilesMatch "\.(js)$">
-        Header set Content-Type "application/javascript; charset=UTF-8"
-    </FilesMatch>
+  # HTML
+  <FilesMatch "\.(html|htm)$">
+    Header set Content-Type "text/html; charset=UTF-8"
+  </FilesMatch>
+  # CSS
+  <FilesMatch "\.(css)$">
+    Header set Content-Type "text/css; charset=UTF-8"
+  </FilesMatch>
+  # JS
+  <FilesMatch "\.(js)$">
+    Header set Content-Type "application/javascript; charset=UTF-8"
+  </FilesMatch>
 </IfModule>
 
-# Set Content Security Policy (CSP) headers to prevent XSS attacks while allowing CDNs
+# ------------------------------------------------------------------------------
+# Content Security Policy
+# ------------------------------------------------------------------------------
 <IfModule mod_headers.c>
   Header set Content-Security-Policy "\
     default-src 'self' https:; \
@@ -44,32 +51,38 @@ RewriteEngine On
     object-src  'none';"
 </IfModule>
 
-# Add important security headers
+# ------------------------------------------------------------------------------
+# Security headers
+# ------------------------------------------------------------------------------
 <IfModule mod_headers.c>
-    # Enforce HTTPS and prevent protocol downgrade attacks
-    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  # HSTS (only meaningful over HTTPS)
+  Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
-    # Protect against Cross-Site Scripting (XSS) attacks
-    Header set X-XSS-Protection "1; mode=block"
+  # XSS Protection (legacy but harmless)
+  Header set X-XSS-Protection "1; mode=block"
 
-    # Prevent MIME-type sniffing
-    Header set X-Content-Type-Options "nosniff"
+  # Prevent MIME-type sniffing
+  Header set X-Content-Type-Options "nosniff"
 
-    # Clickjacking protection
-    Header always set X-Frame-Options "DENY"
+  # Clickjacking protection
+  Header always set X-Frame-Options "DENY"
 
-    # Set a strict Referrer Policy
-    Header set Referrer-Policy "strict-origin-when-cross-origin"
+  # Referrer Policy
+  Header set Referrer-Policy "strict-origin-when-cross-origin"
 
-    # Control browser permissions (optional but recommended)
-    Header set Permissions-Policy "geolocation=(), microphone=(), camera=(), autoplay=()"
+  # Permissions Policy (tune as needed)
+  Header set Permissions-Policy "geolocation=(), microphone=(), camera=(), autoplay=()"
 </IfModule>
 
-# Exclude static files from being redirected
+# ------------------------------------------------------------------------------
+# Preflight: route all OPTIONS to bootstrap so CorsMiddleware can reply 204
+# ------------------------------------------------------------------------------
+RewriteCond %{REQUEST_METHOD} =OPTIONS
+RewriteRule ^ bootstrap.php [QSA,L]
+
+# ------------------------------------------------------------------------------
+# Front controller: exclude static files, everything else -> bootstrap.php
+# ------------------------------------------------------------------------------
 RewriteCond %{REQUEST_URI} !\.(css|js|png|jpe?g|gif|svg|webp|woff2?|ttf|eot|ico|pdf|mp4|webm|mp3|ogg)$ [NC]
 RewriteCond %{REQUEST_URI} !^/bootstrap.php
 RewriteRule ^(.*)$ bootstrap.php [QSA,L]
-
-# Ensure OPTIONS requests are handled correctly
-RewriteCond %{REQUEST_METHOD} OPTIONS
-RewriteRule ^ - [R=200,L]

package/dist/bootstrap.php

@@ -2,26 +2,34 @@
 
 declare(strict_types=1);
 
-if (session_status() === PHP_SESSION_NONE) {
-    session_start();
-}
-
 require_once __DIR__ . '/vendor/autoload.php';
 require_once __DIR__ . '/settings/paths.php';
 
 use Dotenv\Dotenv;
-use PPHP\Request;
-use PPHP\PrismaPHPSettings;
-use PPHP\StateManager;
-use PPHP\Middleware\AuthMiddleware;
-use PPHP\Auth\Auth;
-use PPHP\MainLayout;
+use Lib\Middleware\CorsMiddleware;
+
+// Load environment variables
+Dotenv::createImmutable(DOCUMENT_PATH)->load();
+
+// CORS must run before sessions/any output
+CorsMiddleware::handle();
+
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
+use Lib\Request;
+use Lib\PrismaPHPSettings;
+use Lib\StateManager;
+use Lib\Middleware\AuthMiddleware;
+use Lib\Auth\Auth;
+use Lib\MainLayout;
 use PPHP\PHPX\TemplateCompiler;
-use PPHP\CacheHandler;
-use PPHP\ErrorHandler;
+use Lib\CacheHandler;
+use Lib\ErrorHandler;
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
-use PPHP\PartialRenderer;
+use Lib\PartialRenderer;
 
 final class Bootstrap extends RuntimeException
 {
@@ -56,9 +64,6 @@ final class Bootstrap extends RuntimeException
 
     public static function run(): void
     {
-        // Load environment variables
-        Dotenv::createImmutable(DOCUMENT_PATH)->load();
-
         // Set timezone
         date_default_timezone_set($_ENV['APP_TIMEZONE'] ?? 'UTC');
 
@@ -84,6 +89,13 @@ final class Bootstrap extends RuntimeException
         // Set a function call key as a cookie
         self::functionCallNameEncrypt();
 
+        self::$secondRequestC69CD = Request::$data['secondRequestC69CD'] ?? false;
+
+        // Check if the request is for a local store callback
+        if (Request::$isWire && !self::$secondRequestC69CD) {
+            self::isLocalStoreCallback();
+        }
+
         $contentInfo = self::determineContentToInclude();
         self::$contentToInclude = $contentInfo['path'] ?? '';
         self::$layoutsToInclude = $contentInfo['layouts'] ?? [];
@@ -114,7 +126,6 @@ final class Bootstrap extends RuntimeException
             self::$isContentIncluded = true;
         }
 
-        self::$secondRequestC69CD = Request::$data['secondRequestC69CD'] ?? false;
         self::$isPartialRequest =
             !empty(Request::$data['pphpSync71163'])
             && !empty(Request::$data['selectors'])
@@ -128,6 +139,31 @@ final class Bootstrap extends RuntimeException
         ErrorHandler::checkFatalError();
     }
 
+    private static function isLocalStoreCallback(): void
+    {
+        $data = self::getRequestData();
+
+        if (empty($data['callback'])) {
+            self::jsonExit(['success' => false, 'error' => 'Callback not provided', 'response' => null]);
+        }
+
+        try {
+            $aesKey = self::getAesKeyFromJwt();
+        } catch (RuntimeException $e) {
+            self::jsonExit(['success' => false, 'error' => $e->getMessage()]);
+        }
+
+        try {
+            $callbackName = self::decryptCallback($data['callback'], $aesKey);
+        } catch (RuntimeException $e) {
+            self::jsonExit(['success' => false, 'error' => $e->getMessage()]);
+        }
+
+        if ($callbackName === PrismaPHPSettings::$localStoreKey) {
+            self::jsonExit(['success' => true, 'response' => 'localStorage updated']);
+        }
+    }
+
     private static function functionCallNameEncrypt(): void
     {
         $hmacSecret = $_ENV['FUNCTION_CALL_SECRET'] ?? '';
@@ -588,108 +624,117 @@ final class Bootstrap extends RuntimeException
 
     public static function wireCallback(): void
     {
-        $response = [
-            'success'  => false,
-            'error'    => 'Callback not provided',
-            'response' => null,
-        ];
+        $data = self::getRequestData();
 
-        if (!empty($_FILES)) {
-            $data = $_POST;
-            foreach ($_FILES as $key => $file) {
-                if (is_array($file['name'])) {
-                    $files = [];
-                    foreach ($file['name'] as $i => $name) {
-                        $files[] = [
-                            'name'     => $name,
-                            'type'     => $file['type'][$i],
-                            'tmp_name' => $file['tmp_name'][$i],
-                            'error'    => $file['error'][$i],
-                            'size'     => $file['size'][$i],
-                        ];
-                    }
-                    $data[$key] = $files;
-                } else {
-                    $data[$key] = $file;
-                }
-            }
-        } else {
-            $raw = file_get_contents('php://input');
-            $data = json_decode($raw, true);
-            if (json_last_error() !== JSON_ERROR_NONE) {
-                $data = $_POST;
-            }
+        if (empty($data['callback'])) {
+            self::jsonExit(['success' => false, 'error' => 'Callback not provided', 'response' => null]);
         }
 
-        if (empty($data['callback'])) {
-            echo json_encode($response, JSON_UNESCAPED_UNICODE);
-            exit;
+        try {
+            $aesKey = self::getAesKeyFromJwt();
+        } catch (RuntimeException $e) {
+            self::jsonExit(['success' => false, 'error' => $e->getMessage()]);
+        }
+
+        try {
+            $callbackName = self::decryptCallback($data['callback'], $aesKey);
+        } catch (RuntimeException $e) {
+            self::jsonExit(['success' => false, 'error' => $e->getMessage()]);
         }
 
+        $args = self::convertToArrayObject($data);
+        $out  = str_contains($callbackName, '->') || str_contains($callbackName, '::')
+            ? self::dispatchMethod($callbackName, $args)
+            : self::dispatchFunction($callbackName, $args);
+
+        if ($out !== null) {
+            self::jsonExit($out);
+        }
+        exit;
+    }
+
+    private static function getAesKeyFromJwt(): string
+    {
         $token     = $_COOKIE['pphp_function_call_jwt'] ?? null;
         $jwtSecret = $_ENV['FUNCTION_CALL_SECRET'] ?? null;
+
         if (!$token || !$jwtSecret) {
-            echo json_encode(['success' => false, 'error' => 'Missing session key or secret'], JSON_UNESCAPED_UNICODE);
-            exit;
+            throw new RuntimeException('Missing session key or secret');
         }
+
         try {
             $decoded = JWT::decode($token, new Key($jwtSecret, 'HS256'));
         } catch (Throwable) {
-            echo json_encode(['success' => false, 'error' => 'Invalid session key'], JSON_UNESCAPED_UNICODE);
-            exit;
+            throw new RuntimeException('Invalid session key');
         }
+
         $aesKey = base64_decode($decoded->k, true);
         if ($aesKey === false || strlen($aesKey) !== 32) {
-            echo json_encode(['success' => false, 'error' => 'Bad key length'], JSON_UNESCAPED_UNICODE);
-            exit;
+            throw new RuntimeException('Bad key length');
         }
 
-        $parts = explode(':', $data['callback'], 2);
+        return $aesKey;
+    }
+
+    private static function jsonExit(array $payload): void
+    {
+        echo json_encode($payload, JSON_UNESCAPED_UNICODE);
+        exit;
+    }
+
+    private static function decryptCallback(string $encrypted, string $aesKey): string
+    {
+        $parts = explode(':', $encrypted, 2);
         if (count($parts) !== 2) {
-            echo json_encode(['success' => false, 'error' => 'Malformed callback payload'], JSON_UNESCAPED_UNICODE);
-            exit;
+            throw new RuntimeException('Malformed callback payload');
         }
-        [$iv_b64, $ct_b64] = $parts;
-        $iv = base64_decode($iv_b64, true);
-        $ct = base64_decode($ct_b64, true);
+        [$ivB64, $ctB64] = $parts;
+
+        $iv = base64_decode($ivB64, true);
+        $ct = base64_decode($ctB64, true);
+
         if ($iv === false || strlen($iv) !== 16 || $ct === false) {
-            echo json_encode(['success' => false, 'error' => 'Invalid callback payload'], JSON_UNESCAPED_UNICODE);
-            exit;
+            throw new RuntimeException('Invalid callback payload');
         }
+
         $plain = openssl_decrypt($ct, 'AES-256-CBC', $aesKey, OPENSSL_RAW_DATA, $iv);
         if ($plain === false) {
-            echo json_encode(['success' => false, 'error' => 'Decryption failed'], JSON_UNESCAPED_UNICODE);
-            exit;
+            throw new RuntimeException('Decryption failed');
         }
 
-        $callbackName = preg_replace('/[^a-zA-Z0-9_:\->]/', '', $plain);
-        if ($callbackName === '' || $callbackName[0] === '_') {
-            echo json_encode(['success' => false, 'error' => 'Invalid callback'], JSON_UNESCAPED_UNICODE);
-            exit;
+        $callback = preg_replace('/[^a-zA-Z0-9_:\->]/', '', $plain);
+        if ($callback === '' || $callback[0] === '_') {
+            throw new RuntimeException('Invalid callback');
         }
 
-        if (
-            isset($data['callback']) &&
-            $callbackName === PrismaPHPSettings::$localStoreKey
-        ) {
-            echo json_encode([
-                'success'  => true,
-                'response' => 'localStorage updated',
-            ], JSON_UNESCAPED_UNICODE);
-            exit;
-        }
+        return $callback;
+    }
 
-        $args = self::convertToArrayObject($data);
-        if (strpos($callbackName, '->') !== false || strpos($callbackName, '::') !== false) {
-            $out = self::dispatchMethod($callbackName, $args);
-        } else {
-            $out = self::dispatchFunction($callbackName, $args);
+    private static function getRequestData(): array
+    {
+        if (!empty($_FILES)) {
+            $data = $_POST;
+            foreach ($_FILES as $key => $file) {
+                $data[$key] = is_array($file['name'])
+                    ? array_map(
+                        fn($i) => [
+                            'name'     => $file['name'][$i],
+                            'type'     => $file['type'][$i],
+                            'tmp_name' => $file['tmp_name'][$i],
+                            'error'    => $file['error'][$i],
+                            'size'     => $file['size'][$i],
+                        ],
+                        array_keys($file['name'])
+                    )
+                    : $file;
+            }
+            return $data;
         }
 
-        if ($out !== null) {
-            echo json_encode($out, JSON_UNESCAPED_UNICODE);
-        }
-        exit;
+        $raw  = file_get_contents('php://input');
+        $json = json_decode($raw, true);
+
+        return (json_last_error() === JSON_ERROR_NONE) ? $json : $_POST;
     }
 
     private static function dispatchFunction(string $fn, mixed $args)
@@ -993,13 +1038,6 @@ try {
             Bootstrap::createUpdateRequestData();
         }
 
-        // If there’s caching
-        if (isset(Bootstrap::$requestFilesData[Request::$decodedUri])) {
-            if ($_ENV['CACHE_ENABLED'] === 'true') {
-                CacheHandler::serveCache(Request::$decodedUri, intval($_ENV['CACHE_TTL']));
-            }
-        }
-
         // For wire calls, re-include the files if needed
         if (Request::$isWire && !Bootstrap::$secondRequestC69CD) {
             if (isset(Bootstrap::$requestFilesData[Request::$decodedUri])) {
@@ -1019,6 +1057,13 @@ try {
             Bootstrap::wireCallback();
         }
 
+        // If there’s caching
+        if ((!Request::$isWire && !Bootstrap::$secondRequestC69CD) && isset(Bootstrap::$requestFilesData[Request::$decodedUri])) {
+            if ($_ENV['CACHE_ENABLED'] === 'true') {
+                CacheHandler::serveCache(Request::$decodedUri, intval($_ENV['CACHE_TTL']));
+            }
+        }
+
         MainLayout::$children = MainLayout::$childLayoutChildren . Bootstrap::getLoadingsFiles();
 
         ob_start();
@@ -1029,7 +1074,7 @@ try {
         MainLayout::$html = "<!DOCTYPE html>\n" . MainLayout::$html;
 
         if (
-            http_response_code() === 200 && isset(Bootstrap::$requestFilesData[Request::$decodedUri]['fileName']) && $_ENV['CACHE_ENABLED'] === 'true'
+            http_response_code() === 200 && isset(Bootstrap::$requestFilesData[Request::$decodedUri]['fileName']) && $_ENV['CACHE_ENABLED'] === 'true' && (!Request::$isWire && !Bootstrap::$secondRequestC69CD)
         ) {
             CacheHandler::saveCache(Request::$decodedUri, MainLayout::$html);
         }