PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add src/App.php foundation class and flash-messages partial

Browse Source 
Create the central App helper that eliminates ~170 lines of duplicated
bootstrap/auth/CSRF preamble across 24 page and action handler files.

src/App.php provides:
- boot(): loads Database + ensures CSRF token (public pages)
- adminGuard(): requires AdminAuth login + boot (admin pages)
- verifyCsrf() / rotateCsrf(): centralised CSRF lifecycle
- flash() / consumeFlash(): unified flash messages with legacy key drain
  (error, success, admin_error, admin_success, edit_error, edit_success,
  form_error all consumed transparently for incremental migration)
- redirect(): flash + Location header + exit in one call
- render(): head → header → content → footer pipeline with auto admin
  footer selection

App.php is auto-loaded from config/bootstrap.php so all existing pages
get the class for free without any changes.

templates/partials/flash-messages.php uses App::consumeFlash() to replace
the 5+ copy-pasted flash blocks across admin templates.

All existing tests pass. No existing page files modified — this is a
non-breaking addition that enables incremental controller extraction.
This commit is contained in:
Pontoporeia
2026-04-01 12:25:08 +02:00
parent 7aace2a551
commit eb67e6d499
5 changed files with 205 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

168
src/App.php Normal file
View File

@@ -0,0 +1,168 @@
<?php
/**
* Thin application helper — centralises bootstrap, auth gating, CSRF lifecycle,
* flash messages, redirect, and template rendering.
*
* Eliminates the ~6-8 lines of identical preamble repeated across every page
* and action handler. See REFACTORING_RECOMMENDATIONS.md §1 + §3.
*/
class App
{
private static bool $booted = false;
// ── Bootstrap ─────────────────────────────────────────────────────────────
/**
* Boot once per request: load Database, ensure CSRF token exists.
* Suitable for public pages (no auth required).
*/
public static function boot(): Database
{
if (!self::$booted) {
require_once APP_ROOT . '/src/Database.php';
self::$booted = true;
}
self::ensureCsrf();
return Database::getInstance();
}
/**
* Gate for admin pages: require auth + CSRF token + load Database.
*/
public static function adminGuard(): Database
{
require_once APP_ROOT . '/src/AdminAuth.php';
AdminAuth::requireLogin();
return self::boot();
}
// ── CSRF lifecycle ────────────────────────────────────────────────────────
/**
* Ensure a CSRF token exists in the session.
* Called automatically by boot() / adminGuard().
*/
private static function ensureCsrf(): void
{
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
}
/**
* Validate the CSRF token on a POST request.
* Halts with 403 if the token is missing or invalid.
*/
public static function verifyCsrf(): void
{
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
|| !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
|| !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
http_response_code(403);
exit('CSRF token invalide.');
}
}
/**
* Regenerate the CSRF token after a successful mutation.
*/
public static function rotateCsrf(): void
{
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// ── Flash messages ────────────────────────────────────────────────────────
/**
* Store a flash message in the session.
*
* @param 'success'|'error' $type
*/
public static function flash(string $type, string $message): void
{
$_SESSION["_flash_{$type}"] = $message;
}
/**
* Consume and return flash messages, then clear them from the session.
*
* Also drains the legacy per-page keys (error, success, admin_error,
* admin_success, edit_error, edit_success, form_error) so the transition
* to unified keys can happen incrementally.
*
* @return array{error: ?string, success: ?string}
*/
public static function consumeFlash(): array
{
// Unified keys first, fall back to any legacy key that is set.
$error = $_SESSION['_flash_error']
?? $_SESSION['error']
?? $_SESSION['admin_error']
?? $_SESSION['edit_error']
?? $_SESSION['form_error']
?? null;
$success = $_SESSION['_flash_success']
?? $_SESSION['success']
?? $_SESSION['admin_success']
?? $_SESSION['edit_success']
?? null;
// Clear all variants.
unset(
$_SESSION['_flash_error'], $_SESSION['_flash_success'],
$_SESSION['error'], $_SESSION['success'],
$_SESSION['admin_error'], $_SESSION['admin_success'],
$_SESSION['edit_error'], $_SESSION['edit_success'],
$_SESSION['form_error']
);
return ['error' => $error, 'success' => $success];
}
// ── Redirect ──────────────────────────────────────────────────────────────
/**
* Flash a message and redirect. Terminates the script.
*/
public static function redirect(string $url, ?string $success = null, ?string $error = null): never
{
if ($success !== null) {
self::flash('success', $success);
}
if ($error !== null) {
self::flash('error', $error);
}
header('Location: ' . $url);
exit;
}
// ── Template rendering ────────────────────────────────────────────────────
/**
* Render a full page: head → header → content template → footer.
*
* Expects $vars to contain the same keys the templates already rely on
* ($pageTitle, $bodyClass, $isAdmin, $extraCss, $ogTags, etc.).
* The footer variant (public vs admin) is chosen automatically based
* on $isAdmin.
*
* @param string $template Path relative to APP_ROOT/templates/
* @param array $vars Variables to expose inside the templates
*/
public static function render(string $template, array $vars = []): void
{
// Make all vars available in the template scope.
extract($vars);
include APP_ROOT . '/templates/head.php';
include APP_ROOT . '/templates/header.php';
include APP_ROOT . '/templates/' . $template;
if (!empty($isAdmin)) {
include APP_ROOT . '/templates/admin/footer.php';
} else {
include APP_ROOT . '/templates/footer.php';
}
}
}