create-prisma-php-app 5.0.0-alpha.3 → 5.0.0-alpha.30

package/dist/src/Lib/Auth/Auth.php

@@ -22,6 +22,7 @@ class Auth
     public const PAYLOAD_NAME = 'payload_name_8639D';
     public const ROLE_NAME = 'role';
     public const PAYLOAD_SESSION_KEY = 'payload_session_key_2183A';
+    private const OAUTH_STATE_SESSION_KEY = 'oauth_state_61e4a';
 
     public static string $cookieName = '';
 
@@ -32,7 +33,10 @@ class Auth
 
     private function __construct()
     {
-        $this->secretKey = Env::string('AUTH_SECRET', 'CD24eEv4qbsC5LOzqeaWbcr58mBMSvA4Mkii8GjRiHkt');
+        $this->secretKey = Env::string('AUTH_SECRET', '');
+        if ($this->secretKey === '') {
+            throw new InvalidArgumentException('AUTH_SECRET is required for authentication.');
+        }
         self::$cookieName = self::getCookieName();
     }
 
@@ -117,7 +121,7 @@ class Auth
 
         $jwt = $_COOKIE[self::$cookieName];
         $verifyToken = $this->verifyToken($jwt);
-        if ($verifyToken === false) {
+        if ($verifyToken === null) {
             return false;
         }
 
@@ -258,8 +262,8 @@ class Auth
     {
         $secret = Env::string('FUNCTION_CALL_SECRET', '');
 
-        if (empty($secret)) {
-            return;
+        if ($secret === '') {
+            throw new InvalidArgumentException('FUNCTION_CALL_SECRET is required for CSRF protection.');
         }
 
         $nonce = bin2hex(random_bytes(16));
@@ -386,26 +390,34 @@ class Auth
     {
         $dynamicRouteParams = Request::$dynamicParams[self::PPAUTH] ?? [];
 
-        if (Request::$isGet && in_array('signin', $dynamicRouteParams)) {
+        if (Request::$isGet && in_array('signin', $dynamicRouteParams, true)) {
             foreach ($providers as $provider) {
-                if ($provider instanceof GithubProvider && in_array('github', $dynamicRouteParams)) {
-                    $githubAuthUrl = "https://github.com/login/oauth/authorize?scope=user:email%20read:user&client_id={$provider->clientId}";
+                if ($provider instanceof GithubProvider && in_array('github', $dynamicRouteParams, true)) {
+                    $state = $this->createOAuthState('github');
+                    $githubAuthUrl = "https://github.com/login/oauth/authorize?scope=user:email%20read:user&client_id={$provider->clientId}&state=" . urlencode($state);
                     Request::redirect($githubAuthUrl);
-                } elseif ($provider instanceof GoogleProvider && in_array('google', $dynamicRouteParams)) {
+                } elseif ($provider instanceof GoogleProvider && in_array('google', $dynamicRouteParams, true)) {
+                    $state = $this->createOAuthState('google');
                     $googleAuthUrl = "https://accounts.google.com/o/oauth2/v2/auth?"
                         . "scope=" . urlencode('email profile') . "&"
                         . "response_type=code&"
                         . "client_id=" . urlencode($provider->clientId) . "&"
-                        . "redirect_uri=" . urlencode($provider->redirectUri);
+                        . "redirect_uri=" . urlencode($provider->redirectUri) . "&"
+                        . "state=" . urlencode($state);
                     Request::redirect($googleAuthUrl);
                 }
             }
         }
 
         $authCode = Validator::string($_GET['code'] ?? '');
+        $authState = Validator::string($_GET['state'] ?? '', false);
+
+        if (Request::$isGet && in_array('callback', $dynamicRouteParams, true) && $authCode !== '') {
+            if (in_array('github', $dynamicRouteParams, true)) {
+                if (!$this->consumeOAuthState('github', $authState)) {
+                    exit("Error occurred. Please try again.");
+                }
 
-        if (Request::$isGet && in_array('callback', $dynamicRouteParams) && isset($authCode)) {
-            if (in_array('github', $dynamicRouteParams)) {
                 $provider = $this->findProvider($providers, GithubProvider::class);
 
                 if (!$provider) {
@@ -413,7 +425,11 @@ class Auth
                 }
 
                 return $this->githubProvider($provider, $authCode);
-            } elseif (in_array('google', $dynamicRouteParams)) {
+            } elseif (in_array('google', $dynamicRouteParams, true)) {
+                if (!$this->consumeOAuthState('google', $authState)) {
+                    exit("Error occurred. Please try again.");
+                }
+
                 $provider = $this->findProvider($providers, GoogleProvider::class);
 
                 if (!$provider) {
@@ -554,6 +570,31 @@ class Auth
         }
     }
 
+    private function createOAuthState(string $provider): string
+    {
+        $state = bin2hex(random_bytes(16));
+        $_SESSION[self::OAUTH_STATE_SESSION_KEY][$provider] = $state;
+
+        return $state;
+    }
+
+    private function consumeOAuthState(string $provider, string $state): bool
+    {
+        $expectedState = $_SESSION[self::OAUTH_STATE_SESSION_KEY][$provider] ?? '';
+
+        if (!is_string($expectedState) || $expectedState === '' || $state === '' || !hash_equals($expectedState, $state)) {
+            return false;
+        }
+
+        unset($_SESSION[self::OAUTH_STATE_SESSION_KEY][$provider]);
+
+        if (empty($_SESSION[self::OAUTH_STATE_SESSION_KEY])) {
+            unset($_SESSION[self::OAUTH_STATE_SESSION_KEY]);
+        }
+
+        return true;
+    }
+
     private static function getCookieName(): string
     {
         $authCookieName = Env::string('AUTH_COOKIE_NAME', 'auth_cookie_name_d36e5');

package/dist/src/Lib/Middleware/AuthMiddleware.php

@@ -123,11 +123,11 @@ final class AuthMiddleware
 
         $verifyToken = $auth->verifyToken($jwt);
 
-        if ($verifyToken === false) {
+        if ($verifyToken === null) {
             return false;
         }
 
-        return isset($verifyToken->{Auth::PAYLOAD_NAME});
+        return true;
     }
 
     protected static function hasRequiredRole(string $requestPathname): string

package/dist/src/Lib/Middleware/CorsMiddleware.php

@@ -17,6 +17,10 @@ final class CorsMiddleware
 
         $cfg = self::buildConfig($overrides);
 
+        if ($cfg['allowCredentials'] && self::listHasWildcard($cfg['allowedOrigins'])) {
+            return;
+        }
+
         if (!self::isAllowedOrigin($origin, $cfg['allowedOrigins'])) {
             return;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-prisma-php-app",
-  "version": "5.0.0-alpha.3",
+  "version": "5.0.0-alpha.30",
   "description": "Prisma-PHP: A Revolutionary Library Bridging PHP with Prisma ORM",
   "main": "dist/index.js",
   "type": "module",

package/dist/README.md

@@ -1,213 +0,0 @@
-# Prisma PHP
-
-Prisma PHP is a modern full-stack PHP framework that combines native PHP, PulsePoint reactivity, PHPX components, and a Prisma-inspired ORM into one cohesive developer experience.
-
-Build reactive interfaces with a server-first mental model, structured routing, type-safe data access, and a project layout designed for real applications.
-
-## Getting Started
-
-Create a new Prisma PHP project:
-
-```bash
-npx create-prisma-php-app@latest my-app
-```
-
-Start the development server:
-
-```bash
-npm run dev
-```
-
-Open the local app in your browser after the dev server starts.
-
-## Prerequisites
-
-Before creating a Prisma PHP project, make sure you have:
-
-- Node.js 22.x or higher
-- PHP 8.2 or higher
-- Composer 2.x or higher
-- XAMPP or another local PHP environment
-
-If you are using XAMPP on Windows, enabling `extension=zip` in `php.ini` is recommended so Composer dependencies install correctly.
-
-## What Prisma PHP Includes
-
-Prisma PHP brings together the core pieces needed to build full-stack PHP apps:
-
-- **Native PHP + modern reactivity** with PulsePoint
-- **PHPX component system** for reusable UI composition
-- **Prisma PHP ORM** for schema-first, type-safe database access
-- **Built-in authentication patterns** for sessions, route protection, RBAC, credentials auth, and provider login
-- **File-based routing** with clear route file conventions
-- **CLI scaffolding** for new apps, starter kits, and optional features
-- **Flexible deployment options** for local development and production workflows
-
-## Common Create Commands
-
-Create a default full-stack app:
-
-```bash
-npx create-prisma-php-app@latest my-app
-```
-
-Create a project with common options:
-
-```bash
-npx create-prisma-php-app@latest my-app --tailwindcss --typescript
-```
-
-Use a starter kit:
-
-```bash
-npx create-prisma-php-app my-app --starter-kit=fullstack
-```
-
-Other documented flags may include capabilities such as WebSocket support, MCP support, backend-only mode, Swagger docs, and Prisma integration depending on the installed version.
-
-## Documentation
-
-Prisma PHP ships with local documentation for the installed project version.
-
-The installed docs live here:
-
-```txt
-node_modules/prisma-php/dist/docs
-```
-
-Treat these installed docs as the primary documentation source for the current project version.
-
-You can also explore the public docs site:
-
-```txt
-https://prismaphp.tsnc.tech/
-```
-
-## AI Quick Start
-
-If you are using AI-assisted development in a Prisma PHP project:
-
-1. Read `./prisma-php.json` first.
-2. Read the installed docs in `node_modules/prisma-php/dist/docs`.
-3. Read `AGENTS.md` for task-routing rules, framework constraints, and code-generation guidance.
-4. Inspect `vendor/tsnc/prisma-php/src` only when the docs do not answer the task.
-
-### Default interactive UI rule
-
-In Prisma PHP, AI should treat **PulsePoint as the default frontend interactivity model**.
-
-For normal full-stack page work:
-
-- render the page with `index.php`
-- manage browser-side state and UI behavior with **PulsePoint**
-- call PHP from the frontend with **`pp.fetchFunction(...)`**
-- expose callable PHP functions with **`#[Exposed]`**
-- validate incoming data on the PHP side with **`PP\Validator`**
-
-Do **not** default to PHP-only refresh cycles, handcrafted `fetch('/api/...')` patterns, or extra `route.php` handlers for normal interactive page behavior when PulsePoint plus `pp.fetchFunction(...)` already fits the task.
-
-Only prefer a more PHP-only interaction style when the **user explicitly asks for PHP-only behavior**, or when the task is clearly non-reactive.
-
-## Project Capability Manifest
-
-Prisma PHP uses `prisma-php.json` at the repository root as the source of truth for enabled framework features and local environment configuration.
-
-Use it to verify capabilities such as:
-
-- Tailwind CSS support
-- backend-only mode
-- Prisma ORM support
-- Swagger docs
-- WebSocket support
-- MCP support
-- TypeScript support
-- local development paths and BrowserSync settings
-
-Do not assume a feature is enabled unless `prisma-php.json` confirms it.
-
-## Documentation Map
-
-Use these docs as the main entry points for common work:
-
-- `index.md` for the general documentation entry point
-- `project-structure.md` for project structure, route placement, and file conventions
-- `layouts-and-pages.md` for pages, layouts, nested routes, and dynamic routes
-- `components.md` for PHPX components, props, children, fragments, icons, buttons, and composition
-- `fetching-data.md` for `pp.fetchFunction(...)`, `#[Exposed]`, and interactive backend flows
-- `prisma-php-orm.md` for Prisma ORM, `schema.prisma`, migrations, and generated PHP classes
-- `authentication.md` for auth strategy, sessions, RBAC, credentials auth, and provider flows
-- `file-manager.md` for uploads, `multipart/form-data`, `$_FILES`, and `PP\FileManager\UploadFile`
-- `route-handlers.md` for `route.php`, JSON responses, and direct server handlers
-- `error-handling.md` for expected errors, `error.php`, `not-found.php`, and validation failures
-- `caching.md` for cache behavior and `CacheHandler`
-- `metadata-and-og-images.md` for metadata, title, description, icons, and head behavior
-- `pulsepoint.md` for PulsePoint runtime usage and reactivity patterns
-- `upgrading.md` for feature enablement and project update workflows
-
-## Recommended Development Approach
-
-When working in Prisma PHP:
-
-- prefer the installed Prisma PHP docs over assumptions from other frameworks
-- use `AGENTS.md` as the strict AI operating guide
-- inspect nearby project files before generating new framework-specific code
-- inspect framework internals only when the installed docs are not enough
-
-## Route and File Conventions
-
-Prisma PHP uses file-based routing with special route files such as:
-
-- `index.php` for rendered UI routes
-- `layout.php` for shared UI wrappers
-- `route.php` for direct handlers such as JSON or API-style endpoints
-- `loading.php` for loading UI
-- `not-found.php` for route-level not-found UI
-- `error.php` for route-level or app-level error UI
-
-For task-specific route decision rules and framework generation rules, read `AGENTS.md`.
-
-## PulsePoint and Frontend Reactivity
-
-Prisma PHP uses PulsePoint for browser-side reactivity, and AI should assume this is the **default choice** for interactive UI behavior in full-stack routes.
-
-When working with runtime features such as:
-
-- `pp.state`
-- `pp.effect`
-- `pp.ref`
-- `pp-for`
-- `pp-spread`
-- `pp-ref`
-
-read the installed Prisma PHP docs for the current version first, then consult:
-
-```txt
-https://pulsepoint.tsnc.tech/llms
-```
-
-## Project Structure
-
-A generated Prisma PHP project typically includes folders like these:
-
-```text
-prisma-php-project/
-├── prisma/            # schema, migrations, seed files
-├── public/            # public entry point and assets
-├── settings/          # project configuration
-├── src/               # application source code
-├── package.json       # frontend/dev scripts
-├── composer.json      # PHP dependencies
-└── prisma-php.json    # Prisma PHP project capability manifest
-```
-
-## Updating Existing Projects
-
-When enabling features or syncing framework-managed project files:
-
-1. Update `prisma-php.json` first.
-2. Read `upgrading.md` in the installed docs.
-3. Run the documented project update workflow for the current version.
-
-## Learn More
-
-Start with the installed docs for the current project version, use the topic-specific markdown guides for focused work, and rely on `AGENTS.md` when strict AI generation rules are needed.