create-prisma-php-app 5.0.0-alpha.2 → 5.0.0-alpha.20

package/dist/src/Lib/Auth/Auth.php

@@ -22,6 +22,7 @@ class Auth
     public const PAYLOAD_NAME = 'payload_name_8639D';
     public const ROLE_NAME = 'role';
     public const PAYLOAD_SESSION_KEY = 'payload_session_key_2183A';
+    private const OAUTH_STATE_SESSION_KEY = 'oauth_state_61e4a';
 
     public static string $cookieName = '';
 
@@ -32,7 +33,10 @@ class Auth
 
     private function __construct()
     {
-        $this->secretKey = Env::string('AUTH_SECRET', 'CD24eEv4qbsC5LOzqeaWbcr58mBMSvA4Mkii8GjRiHkt');
+        $this->secretKey = Env::string('AUTH_SECRET', '');
+        if ($this->secretKey === '') {
+            throw new InvalidArgumentException('AUTH_SECRET is required for authentication.');
+        }
         self::$cookieName = self::getCookieName();
     }
 
@@ -117,7 +121,7 @@ class Auth
 
         $jwt = $_COOKIE[self::$cookieName];
         $verifyToken = $this->verifyToken($jwt);
-        if ($verifyToken === false) {
+        if ($verifyToken === null) {
             return false;
         }
 
@@ -258,8 +262,8 @@ class Auth
     {
         $secret = Env::string('FUNCTION_CALL_SECRET', '');
 
-        if (empty($secret)) {
-            return;
+        if ($secret === '') {
+            throw new InvalidArgumentException('FUNCTION_CALL_SECRET is required for CSRF protection.');
         }
 
         $nonce = bin2hex(random_bytes(16));
@@ -386,26 +390,34 @@ class Auth
     {
         $dynamicRouteParams = Request::$dynamicParams[self::PPAUTH] ?? [];
 
-        if (Request::$isGet && in_array('signin', $dynamicRouteParams)) {
+        if (Request::$isGet && in_array('signin', $dynamicRouteParams, true)) {
             foreach ($providers as $provider) {
-                if ($provider instanceof GithubProvider && in_array('github', $dynamicRouteParams)) {
-                    $githubAuthUrl = "https://github.com/login/oauth/authorize?scope=user:email%20read:user&client_id={$provider->clientId}";
+                if ($provider instanceof GithubProvider && in_array('github', $dynamicRouteParams, true)) {
+                    $state = $this->createOAuthState('github');
+                    $githubAuthUrl = "https://github.com/login/oauth/authorize?scope=user:email%20read:user&client_id={$provider->clientId}&state=" . urlencode($state);
                     Request::redirect($githubAuthUrl);
-                } elseif ($provider instanceof GoogleProvider && in_array('google', $dynamicRouteParams)) {
+                } elseif ($provider instanceof GoogleProvider && in_array('google', $dynamicRouteParams, true)) {
+                    $state = $this->createOAuthState('google');
                     $googleAuthUrl = "https://accounts.google.com/o/oauth2/v2/auth?"
                         . "scope=" . urlencode('email profile') . "&"
                         . "response_type=code&"
                         . "client_id=" . urlencode($provider->clientId) . "&"
-                        . "redirect_uri=" . urlencode($provider->redirectUri);
+                        . "redirect_uri=" . urlencode($provider->redirectUri) . "&"
+                        . "state=" . urlencode($state);
                     Request::redirect($googleAuthUrl);
                 }
             }
         }
 
         $authCode = Validator::string($_GET['code'] ?? '');
+        $authState = Validator::string($_GET['state'] ?? '', false);
+
+        if (Request::$isGet && in_array('callback', $dynamicRouteParams, true) && $authCode !== '') {
+            if (in_array('github', $dynamicRouteParams, true)) {
+                if (!$this->consumeOAuthState('github', $authState)) {
+                    exit("Error occurred. Please try again.");
+                }
 
-        if (Request::$isGet && in_array('callback', $dynamicRouteParams) && isset($authCode)) {
-            if (in_array('github', $dynamicRouteParams)) {
                 $provider = $this->findProvider($providers, GithubProvider::class);
 
                 if (!$provider) {
@@ -413,7 +425,11 @@ class Auth
                 }
 
                 return $this->githubProvider($provider, $authCode);
-            } elseif (in_array('google', $dynamicRouteParams)) {
+            } elseif (in_array('google', $dynamicRouteParams, true)) {
+                if (!$this->consumeOAuthState('google', $authState)) {
+                    exit("Error occurred. Please try again.");
+                }
+
                 $provider = $this->findProvider($providers, GoogleProvider::class);
 
                 if (!$provider) {
@@ -554,6 +570,31 @@ class Auth
         }
     }
 
+    private function createOAuthState(string $provider): string
+    {
+        $state = bin2hex(random_bytes(16));
+        $_SESSION[self::OAUTH_STATE_SESSION_KEY][$provider] = $state;
+
+        return $state;
+    }
+
+    private function consumeOAuthState(string $provider, string $state): bool
+    {
+        $expectedState = $_SESSION[self::OAUTH_STATE_SESSION_KEY][$provider] ?? '';
+
+        if (!is_string($expectedState) || $expectedState === '' || $state === '' || !hash_equals($expectedState, $state)) {
+            return false;
+        }
+
+        unset($_SESSION[self::OAUTH_STATE_SESSION_KEY][$provider]);
+
+        if (empty($_SESSION[self::OAUTH_STATE_SESSION_KEY])) {
+            unset($_SESSION[self::OAUTH_STATE_SESSION_KEY]);
+        }
+
+        return true;
+    }
+
     private static function getCookieName(): string
     {
         $authCookieName = Env::string('AUTH_COOKIE_NAME', 'auth_cookie_name_d36e5');

package/dist/src/Lib/Middleware/AuthMiddleware.php

@@ -123,11 +123,11 @@ final class AuthMiddleware
 
         $verifyToken = $auth->verifyToken($jwt);
 
-        if ($verifyToken === false) {
+        if ($verifyToken === null) {
             return false;
         }
 
-        return isset($verifyToken->{Auth::PAYLOAD_NAME});
+        return true;
     }
 
     protected static function hasRequiredRole(string $requestPathname): string

package/dist/src/Lib/Middleware/CorsMiddleware.php

@@ -17,6 +17,10 @@ final class CorsMiddleware
 
         $cfg = self::buildConfig($overrides);
 
+        if ($cfg['allowCredentials'] && self::listHasWildcard($cfg['allowedOrigins'])) {
+            return;
+        }
+
         if (!self::isAllowedOrigin($origin, $cfg['allowedOrigins'])) {
             return;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-prisma-php-app",
-  "version": "5.0.0-alpha.2",
+  "version": "5.0.0-alpha.20",
   "description": "Prisma-PHP: A Revolutionary Library Bridging PHP with Prisma ORM",
   "main": "dist/index.js",
   "type": "module",

package/dist/README.md

@@ -1,196 +0,0 @@
-# Prisma PHP
-
-Prisma PHP is a modern full-stack PHP framework that combines native PHP, PulsePoint reactivity, PHPX components, and a Prisma-inspired ORM into one cohesive developer experience.
-
-Build modern, reactive interfaces with a server-first mental model, type-safe data access, and a project structure designed for real applications.
-
-## Getting Started
-
-First, create a new Prisma PHP project:
-
-```bash
-npx create-prisma-php-app@latest my-app
-```
-
-Start the development server:
-
-```bash
-npm run dev
-```
-
-Open your local app in the browser after the dev server starts.
-
-## Prerequisites
-
-Before creating a Prisma PHP project, make sure you have:
-
-- Node.js 22.x or higher
-- PHP 8.2 or higher
-- Composer 2.x or higher
-- XAMPP or another local PHP environment
-
-If you are using XAMPP on Windows, enabling `extension=zip` in `php.ini` is recommended so Composer dependencies install correctly.
-
-## What Prisma PHP Includes
-
-Prisma PHP brings together the core pieces needed to build full-stack PHP apps:
-
-- **Native PHP + modern reactivity** with PulsePoint
-- **PHPX component system** inspired by JSX and React
-- **Prisma PHP ORM** for schema-first, type-safe database access
-- **CLI scaffolding** for new apps, starter kits, and optional features
-- **Flexible deployment options** for traditional hosting, CI/CD, and containerized setups
-
-## Common Create Commands
-
-Create a default full-stack app:
-
-```bash
-npx create-prisma-php-app@latest my-app
-```
-
-Create a project with common options:
-
-```bash
-npx create-prisma-php-app@latest my-app --tailwindcss --typescript
-```
-
-Use a starter kit:
-
-```bash
-npx create-prisma-php-app my-app --starter-kit=fullstack
-```
-
-Other documented flags include:
-
-- `--websocket`
-- `--mcp`
-- `--backend-only`
-- `--swagger-docs`
-- `--docker`
-
-## Project Structure
-
-A generated Prisma PHP project typically includes folders like these:
-
-```text
-prisma-php-project/
-├── prisma/            # schema, migrations, seed files
-├── public/            # public entry point and assets
-├── settings/          # project configuration
-├── src/               # application source code
-├── package.json       # frontend/dev scripts
-├── composer.json      # PHP dependencies
-└── prisma-php.json    # Prisma PHP project capability manifest
-```
-
-## Project Capability Manifest
-
-Prisma PHP uses `prisma-php.json` at the repository root as the source of truth for enabled framework features and local environment configuration.
-
-Tools, scripts, and AI agents should inspect this file before making decisions about:
-
-- frontend tooling
-- backend-only mode
-- Prisma ORM usage
-- Tailwind CSS availability
-- Swagger docs
-- Websocket support
-- MCP support
-- TypeScript support
-- local development paths and BrowserSync config
-
-A typical file looks like this:
-
-```json
-{
-  "projectName": "test-latest",
-  "projectRootPath": "C:\\xampp\\htdocs\\projects\\prisma-php\\test\\test-latest",
-  "phpEnvironment": "XAMPP",
-  "phpRootPathExe": "C:\\xampp\\php\\php.exe",
-  "bsTarget": "http://localhost/projects/prisma-php/test/test-latest/",
-  "bsPathRewrite": {
-    "^/": "/projects/prisma-php/test/test-latest/"
-  },
-  "backendOnly": false,
-  "swaggerDocs": false,
-  "tailwindcss": true,
-  "websocket": false,
-  "mcp": false,
-  "prisma": false,
-  "typescript": false,
-  "version": "4.4.9",
-  "componentScanDirs": ["src", "vendor/tsnc/prisma-php/src"],
-  "excludeFiles": []
-}
-```
-
-## AI Agent Guidance
-
-If you are using AI-assisted development in this project:
-
-- treat `prisma-php.json` as the capability manifest for the current app
-- do not assume Tailwind CSS, Prisma ORM, MCP, Swagger, TypeScript, or websocket support is enabled unless the file says so
-- read the installed Prisma PHP docs for the current version before changing routing, layouts, middleware, or framework-specific behavior
-- use `prisma-php.json` together with the installed docs to make safer decisions
-
-## PHPX and Reactivity
-
-Prisma PHP uses **PHPX**, a template system inspired by JSX and React, but designed for `.php` files. Combined with **PulsePoint**, it gives you interactive UI behavior without adopting a full JavaScript framework mental model.
-
-You can keep your application logic in PHP while using browser-resident state for fast UI updates.
-
-## ORM
-
-Prisma PHP ORM is a schema-first database toolkit for PHP. You define your models in `schema.prisma`, generate a typed PHP client, and use expressive query methods such as:
-
-- `findMany`
-- `findFirst`
-- `findUnique`
-- `create`
-- `update`
-- `delete`
-- `upsert`
-
-It also includes CLI support for workflows like:
-
-- `migrate`
-- `generate`
-- `push`
-- `reset`
-
-## Deployment
-
-Prisma PHP supports multiple deployment styles:
-
-- **Traditional deployment** using ZIP/FTP to shared hosting environments such as cPanel
-- **CI/CD deployment** with GitHub Actions
-- **Docker deployment** for containerized environments
-
-A common production flow is:
-
-```bash
-npm run build
-```
-
-Then upload or deploy the built project using your preferred hosting workflow.
-
-## Learn More
-
-To learn more about Prisma PHP, explore the official resources:
-
-- Website: [https://prismaphp.tsnc.tech](https://prismaphp.tsnc.tech)
-- Documentation: [https://prismaphp.tsnc.tech/docs](https://prismaphp.tsnc.tech/docs)
-
-## Ecosystem
-
-Prisma PHP is part of a broader ecosystem that includes:
-
-- PulsePoint
-- PHPX UI
-- PP Icons
-
-## Notes
-
-- For the best PHPX development experience in VS Code, install the **PHPX Tag Support** extension.
-- If PowerShell blocks local scripts during `npm run dev`, check your Windows execution policy.