214d96ee8d
- C1: Hash refresh tokens before DB storage (sha256) - C2: Remove JWT_SECRET fallback, fail hard if missing - H1: Enforce HTTP methods per route (405 on mismatch) - H2: CORS with origin whitelist from CORS_ORIGIN env var - H3: Redact sensitive fields (tokens, passwords) from logs - M1: Build HmacMiddleware with replay attack prevention - M2: Fix rate limiter race condition with flock LOCK_EX - M3: Guard dd() — suppressed in production - M4: Remove .env from git tracking, strengthen .gitignore - I1: Add HSTS header (max-age=31536000)
48 lines
1.4 KiB
PHP
48 lines
1.4 KiB
PHP
<?php
|
|
/**
|
|
* Simple Router & Entry Point
|
|
*/
|
|
|
|
require_once __DIR__ . '/../app/bootstrap/init.php';
|
|
|
|
// Global Request Logging (non-sensitive)
|
|
error_log("Incoming Request: " . ($_SERVER['REQUEST_METHOD'] ?? 'GET') . " " . ($_SERVER['REQUEST_URI'] ?? '/'));
|
|
|
|
$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
|
|
$route = $_GET['route'] ?? str_replace('/api/', '', $uri);
|
|
$route = trim($route, '/');
|
|
|
|
error_log("Router: Resolved route '{$route}'");
|
|
|
|
// Route map: route => [allowed_method, module_file]
|
|
$routes = [
|
|
'v1/auth/login' => ['POST', 'auth/login.php'],
|
|
'v1/auth/refresh' => ['POST', 'auth/refresh.php'],
|
|
'v1/auth/logout' => ['POST', 'auth/logout.php'],
|
|
'v1/users' => ['GET', 'users/index.php'],
|
|
];
|
|
|
|
if (isset($routes[$route])) {
|
|
[$allowedMethod, $moduleFile] = $routes[$route];
|
|
|
|
// H1 Fix: Enforce HTTP Method
|
|
if ($_SERVER['REQUEST_METHOD'] !== $allowedMethod) {
|
|
header("Allow: {$allowedMethod}");
|
|
json_error("Method Not Allowed. Use {$allowedMethod}.", 405);
|
|
}
|
|
|
|
$file = APP_PATH . '/modules_app/' . $moduleFile;
|
|
if (file_exists($file)) {
|
|
require_once $file;
|
|
} else {
|
|
json_error("Endpoint file missing: {$route}", 500);
|
|
}
|
|
} else {
|
|
if (str_starts_with($route, 'v1/')) {
|
|
json_error("Not Found: {$route}", 404);
|
|
} else {
|
|
include __DIR__ . '/shell.php';
|
|
exit;
|
|
}
|
|
}
|