Hamza/musadaq-saas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
abccf033a6438f3cde250174c56e3785af2f26e1
musadaq-saas/app/bootstrap/init.php
Hamza-Ayed c63d9944ee Update: 2026-05-05 16:31:41
2026-05-05 16:31:41 +03:00

91 lines
2.7 KiB
PHP
Raw Blame History

<?php
/**
* Application Bootstrap Initialization
*/
declare(strict_types=1);
// 1. Basic Constants
define('ROOT_PATH', realpath(dirname(__DIR__, 2)));
define('APP_PATH', ROOT_PATH . '/app');
define('STORAGE_PATH', ROOT_PATH . '/storage');
// 2. Load Environment & Helpers FIRST
require_once APP_PATH . '/bootstrap/env.php';
require_once APP_PATH . '/helpers/helpers.php';
// Self-healing Storage
$dirs = ['/cache', '/logs', '/invoices', '/exports'];
foreach ($dirs as $d) {
$path = STORAGE_PATH . $d;
if (!is_dir($path)) {
mkdir($path, 0777, true);
chmod($path, 0777);
}
}
// 3. Error Reporting (Secure for production)
if (env('APP_DEBUG', 'false') === 'true') {
error_reporting(E_ALL);
ini_set('display_errors', '1');
} else {
error_reporting(0);
ini_set('display_errors', '0');
}
// 4. H2 Fix: CORS — Whitelist only known origins
$allowedOrigins = array_filter(array_map('trim', explode(',', env('CORS_ORIGIN', 'https://musadaq.intaleqapp.com'))));
$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($requestOrigin, $allowedOrigins, true)) {
header("Access-Control-Allow-Origin: {$requestOrigin}");
} else {
// Fallback to first allowed origin (for non-browser API clients)
header("Access-Control-Allow-Origin: " . ($allowedOrigins[0] ?? ''));
}
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Authorization, X-HMAC-Signature, X-Timestamp");
header("Access-Control-Allow-Credentials: true");
header("Vary: Origin");
// Handle CORS preflight
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
http_response_code(204);
exit;
}
// 5. Security Headers
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: SAMEORIGIN");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains"); // I1 Fix: HSTS
// 6. PSR-4 Autoloader (PascalCase-aware for Linux compatibility)
spl_autoload_register(function ($class) {
$prefix = 'App\\';
$base_dir = APP_PATH . '/';
$len = strlen($prefix);
if (strncmp($prefix, $class, $len) !== 0) return;
$relative_class = substr($class, $len);
$parts = explode('\\', $relative_class);
$filename = array_pop($parts) . '.php';
$dir = implode('/', $parts); // No strtolower — preserves PascalCase on Linux
$file = $base_dir . ($dir ? $dir . '/' : '') . $filename;
if (file_exists($file)) {
require $file;
}
});
// 7. Response Utility
require_once APP_PATH . '/bootstrap/response.php';
// 8. Global Auth Helper
require_once APP_PATH . '/bootstrap/auth.php';
Reference in New Issue View Git Blame Copy Permalink