Deploy: 2026-05-21 01:58:32
@@ -13,6 +13,11 @@ class Request
|
||||
private array $bodyParams;
|
||||
private array $headers;
|
||||
|
||||
// Explicit properties to store authentication details to avoid deprecation warnings in PHP 8.2+
|
||||
public ?int $user_id = null;
|
||||
public ?int $company_id = null;
|
||||
public ?string $role = null;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');
|
||||
|
||||
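Review bot: The three new auth properties (`$user_id`, `$company_id`, `$role`) are public and writable, so any handler holding the Request can overwrite the identity that authentication presumably set on it; silencing the dynamic-property deprecation does not require them to be public. Consider private properties populated through one method, e.g. `public function setAuthContext(int $userId, ?int $companyId, string $role): void`, with read-only accessors, or at minimum a comment on each stating which component is allowed to assign it. They also use snake_case while the neighbouring properties (`$bodyParams`, `$headers`) are camelCase. The constructor that starts at the bottom of the hunk continues outside it.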
@@ -39,10 +39,12 @@ class Response
|
||||
$this->setStatusCode($code);
|
||||
$this->setHeader('Content-Type', 'application/json; charset=utf-8');
|
||||
|
||||
// Setup base CORS headers for our API
|
||||
$this->setHeader('Access-Control-Allow-Origin', '*');
|
||||
// Setup CORS headers — restrict origin to the configured allowed domain
|
||||
$allowedOrigin = getenv('ALLOWED_ORIGIN') ?: '*';
|
||||
$this->setHeader('Access-Control-Allow-Origin', $allowedOrigin);
|
||||
$this->setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
|
||||
$this->setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
|
||||
$this->setHeader('Vary', 'Origin'); // Required when Access-Control-Allow-Origin is not *
|
||||
|
||||
$this->sendHeaders();
|
||||
http_response_code($this->statusCode);
|
||||
|
||||
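Review bot: The `?: '*'` fallback on `$allowedOrigin` reopens the API to every origin whenever ALLOWED_ORIGIN is unset or empty, which is precisely the misconfiguration the new env var is meant to prevent, and it does so silently; the same commit makes getEncryptionKey() fail closed on a missing env var, so this lookup should too. A fail-closed form is `$allowedOrigin = getenv('ALLOWED_ORIGIN') ?: throw new \RuntimeException('ALLOWED_ORIGIN is not configured');`, or alternatively omit the Access-Control-Allow-Origin header entirely when the value is missing so browsers block cross-origin reads. The identical origin lookup and header set is repeated in the Router OPTIONS branch in the next hunk; one shared helper would keep the two in step. The method containing these lines begins outside the hunk.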
@@ -75,9 +75,11 @@ class Router
|
||||
|
||||
// Handle CORS Preflight Preemptively
|
||||
if ($method === 'OPTIONS') {
|
||||
$response->setHeader('Access-Control-Allow-Origin', '*');
|
||||
$allowedOrigin = getenv('ALLOWED_ORIGIN') ?: '*';
|
||||
$response->setHeader('Access-Control-Allow-Origin', $allowedOrigin);
|
||||
$response->setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
|
||||
$response->setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
|
||||
$response->setHeader('Vary', 'Origin');
|
||||
$response->setStatusCode(200);
|
||||
exit;
|
||||
}
|
||||
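Review bot: The preflight branch calls `$response->setStatusCode(200)` and then `exit` with no call that flushes the headers; in the Response hunk of this commit headers are emitted only by an explicit `$this->sendHeaders()` followed by `http_response_code(...)`, so if setHeader() merely records the value, the browser receives a preflight response carrying none of the CORS headers just set. If that is the case, and sendHeaders() is callable from here, the branch needs `$response->sendHeaders(); http_response_code(204); exit;` (204 No Content is the conventional preflight status) — please confirm against Response::setHeader, which is not visible in this diff. The `'*'` fallback on `$allowedOrigin` has the same fail-open problem noted on the Response hunk. The enclosing dispatch method starts outside the hunk.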
@@ -116,12 +118,14 @@ class Router
|
||||
return;
|
||||
}
|
||||
|
||||
$response->error("Handler error for route: {$path}", 500);
|
||||
error_log("Handler error for route: [{$method}] {$path}");
|
||||
$response->error("Internal Server Error", 500);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Route not found
|
||||
$response->error("Route not found: [{$method}] {$path}", 404);
|
||||
error_log("Route not found: [{$method}] {$path}");
|
||||
$response->error("Not Found", 404);
|
||||
}
|
||||
}
|
||||
|
||||
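Review bot: Both new `error_log` calls interpolate `{$path}` and `{$method}` straight from the request into the log, so a request path containing CR/LF or other control characters can forge additional log lines; the user-facing messages were just made generic, and the logged copy of the untrusted value should be encoded too, e.g. `error_log(sprintf('Route not found: [%s] %s', $method, json_encode($path)));` and the same for the handler-error line. In the handler-error branch nothing about the failure itself is logged — if this sits in a catch block (the block starts outside the hunk), the 500 cannot be diagnosed without also logging the caught exception's message, file and line. The enclosing method begins outside the hunk.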
@@ -14,7 +14,10 @@ class Security
|
||||
*/
|
||||
private static function getEncryptionKey(): string
|
||||
{
|
||||
$key = getenv('ENCRYPTION_KEY') ;
|
||||
$key = getenv('ENCRYPTION_KEY');
|
||||
if (!$key || strlen($key) < 16) {
|
||||
throw new \RuntimeException("ENCRYPTION_KEY environment variable is empty or too short. Cryptographic operations aborted.");
|
||||
}
|
||||
return substr(hash('sha256', $key, true), 0, 32);
|
||||
}
|
||||
|
||||
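Review bot: The new check accepts any 16-character ENCRYPTION_KEY, and the following `hash('sha256', $key, true)` adds no entropy, so a short or guessable value passes validation and still yields a weak 32-byte key; also `substr(..., 0, 32)` on a raw SHA-256 digest is a no-op, since the digest is already 32 bytes. Consider raising the bar to at least 32 bytes of a random value, `if ($key === false || strlen($key) < 32) {`, stating the requirement in the docblock whose closing `*/` is the hunk's first line, and noting the reason in code: `// sha256 only derives a fixed-size key; the env value itself must be random`. `strlen` is deliberately byte-wise here, which is correct for key material.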
@@ -23,7 +26,11 @@ class Security
|
||||
*/
|
||||
private static function getHmacSalt(): string
|
||||
{
|
||||
return getenv('HMAC_SALT');
|
||||
$salt = getenv('HMAC_SALT');
|
||||
if (!$salt) {
|
||||
throw new \RuntimeException("HMAC_SALT environment variable is empty. Cryptographic operations aborted.");
|
||||
}
|
||||
return $salt;
|
||||
}
|
||||
|
||||
/**
|
||||
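Review bot: `if (!$salt)` rejects a configured value of `"0"` (falsy in PHP) yet accepts any other non-empty string, including a single character, which is inconsistent with the 16-byte minimum getEncryptionKey() enforces in the same commit; `if ($salt === false || strlen($salt) < 16) {` would be both strict and consistent. The same truthiness check appears in getJwtSecret() in the next hunk. The docblock that closes on the hunk's first line should also gain `@throws \RuntimeException` now that the method can throw.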
@@ -31,7 +38,11 @@ class Security
|
||||
*/
|
||||
private static function getJwtSecret(): string
|
||||
{
|
||||
return getenv('JWT_SECRET');
|
||||
$secret = getenv('JWT_SECRET');
|
||||
if (!$secret) {
|
||||
throw new \RuntimeException("JWT_SECRET environment variable is empty. Cryptographic operations aborted.");
|
||||
}
|
||||
return $secret;
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
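Review bot: If the tokens are HMAC-signed (HS256 or similar — the signing code is not in this hunk), an empty-string check on JWT_SECRET is too weak: RFC 7518 requires an HMAC key at least as long as the hash output, i.e. 32 bytes for HS256, and a short secret lets the signature be brute-forced offline from any captured token. Suggest `if ($secret === false || strlen($secret) < 32) {` with the minimum stated in the docblock that closes on the hunk's first line. Please confirm the algorithm in use before picking the threshold.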