Update: 2026-05-03 20:56:55

.env

@@ -17,7 +17,8 @@ REDIS_PORT=6379
 REDIS_PASSWORD=
 
 # JWT
-JWT_SECRET=ec7f91fe8a83c3889902d8e678dfda9cbeba48576b49b2027dcbd010c3d2bbf4
+JWT_SECRET=751139b2b6feb81d5a208a22a624a2f13269eef71044d6147484c85c1111c359
+HMAC_SECRET_KEY=6eae97d9aa6c6732c1882a4eb62da79e7530d8a0dc93f7d03b6e80b15c6f9c55
 ENCRYPTION_KEY_B64=0AEcpckd2g6eMA3ofBXRpgrDbV6ExWkB+D1Hl5pE+I0=
 JWT_ACCESS_EXPIRY=900
 JWT_REFRESH_EXPIRY=604800

app/bootstrap/init.php

@@ -1,11 +1,20 @@
 <?php
 /**
- * Simple Bootstrap Initialization
+ * Application Bootstrap Initialization
  */
 
 declare(strict_types=1);
 
-// 1. Error Reporting (Secure for production)
+// 1. Basic Constants
+define('ROOT_PATH', dirname(__DIR__, 2));
+define('APP_PATH', ROOT_PATH . '/app');
+define('STORAGE_PATH', ROOT_PATH . '/storage');
+
+// 2. Load Environment Loader & Helpers FIRST
+require_once APP_PATH . '/bootstrap/env.php';
+require_once APP_PATH . '/helpers/helpers.php';
+
+// 3. Error Reporting (Secure for production - Now we can use env())
 if (env('APP_DEBUG', 'false') === 'true') {
     error_reporting(E_ALL);
     ini_set('display_errors', '1');
@@ -14,24 +23,13 @@ if (env('APP_DEBUG', 'false') === 'true') {
     ini_set('display_errors', '0');
 }
 
-// 2. Security Headers
+// 4. Security Headers
 header("X-Content-Type-Options: nosniff");
 header("X-Frame-Options: DENY");
 header("X-XSS-Protection: 1; mode=block");
 header("Referrer-Policy: strict-origin-when-cross-origin");
 
-// 3. Constants
-define('ROOT_PATH', dirname(__DIR__, 2));
-define('APP_PATH', ROOT_PATH . '/app');
-define('STORAGE_PATH', ROOT_PATH . '/storage');
-
-// 3. Environment Loader
-require_once APP_PATH . '/bootstrap/env.php';
-
-// 3. Common Helpers
-require_once APP_PATH . '/helpers/helpers.php';
-
-// 4. Core Classes (Manual autoload for simplicity)
+// 5. Intelligent Autoloader (Case-Insensitive for directories)
 spl_autoload_register(function ($class) {
     $prefix = 'App\\';
     $base_dir = APP_PATH . '/';
@@ -53,8 +51,8 @@ spl_autoload_register(function ($class) {
     }
 });
 
-// 5. Response Utility
+// 6. Response Utility
 require_once APP_PATH . '/bootstrap/response.php';
 
-// 6. Auth Session/State (Simple)
+// 7. Global Auth Helper
 require_once APP_PATH . '/bootstrap/auth.php';

app/core/Security.php

@@ -28,4 +28,15 @@ final class Security
     {
         return bin2hex(random_bytes($length / 2));
     }
+
+    public static function sign(string $data, string $secret): string
+    {
+        return hash_hmac('sha256', $data, $secret);
+    }
+
+    public static function verifySignature(string $data, string $signature, string $secret): bool
+    {
+        $expected = self::sign($data, $secret);
+        return hash_equals($expected, $signature);
+    }
 }