Merge pull request #24 from SproutPHP/dev_yanik

Dev yanik

Author: yanikkumar

CHANGELOG.md

@@ -58,3 +58,26 @@ These were single-shot development releases with no progressive alpha/beta cycle
 ---
 
 **From v0.1.7-alpha.2 onward, all releases will follow a structured, progressive SemVer pre-release cycle.**
+
+## [v0.1.7-beta.1] - 2024-06-09
+
+### Added
+- Dynamic route parameter support (e.g., `/user/{id}`, `/blog/{slug}`) for CRUD and flexible routing
+- Robust CSRF protection via middleware and helpers (works for forms, AJAX, and HTMX)
+- SPA-like file upload and form handling with HTMX (including indicators and grid UI)
+- Secure private file upload/download (no direct links, internal access only)
+- Consistent CSRF token management (single session key, helpers, and middleware)
+
+### Improved
+- UI/UX for validation and file upload forms (two-column grid, spinner, SPA feel)
+- Path resolution for storage (public/private separation, symlink support)
+- Code structure: CSRF logic moved to helpers/middleware, no raw PHP in entry
+
+### Fixed
+- Issues with file download on PHP built-in server (now uses query param for compatibility)
+- Consistency in CSRF token usage across the framework
+
+### Removed
+- Exposed raw CSRF logic from entry point
+
+---

DOCS.md

@@ -1,5 +1,35 @@
 # SproutPHP Documentation
 
+## [v0.1.7-beta.1] - 2024-06-09
+
+### New Features & Improvements
+
+- **Dynamic Route Parameters:** Define routes with parameters (e.g., `/user/{id}`, `/blog/{slug}`) for flexible CRUD and API endpoints.
+- **Robust CSRF Protection:** Middleware-based CSRF protection for all state-changing requests (forms, AJAX, HTMX). Use `{{ csrf_field()|raw }}` in forms and `{{ csrf_token() }}` for AJAX/HTMX headers. All tokens use the `_csrf_token` session key.
+- **SPA-like Interactivity with HTMX:** Use HTMX attributes for seamless, partial updates (e.g., form submissions, file uploads) and request indicators (spinners). Example:
+  ```html
+  <form
+    hx-post="/validation-test"
+    hx-target="#form-container"
+    hx-swap="innerHTML"
+    hx-indicator="#spinner"
+    hx-trigger="submit delay:500ms"
+  >
+    ...
+  </form>
+  ```
+- **Private File Handling:** Upload files to private storage (not web-accessible). Download private files only via internal controller methods (no direct links). Example:
+  ```php
+  // Upload
+  Storage::put($file, '', 'private');
+  // Download (controller)
+  $path = Storage::path($filename, 'private');
+  ```
+- **Storage Improvements:** Storage paths are now always resolved relative to the project root. Public/private separation, symlink support for serving public files, and compatibility with the PHP built-in server for downloads.
+- **UI/UX:** Two-column grid for validation and file upload forms, spinner/indicator support, and SPA feel for user interactions.
+
+---
+
 ## Included by Default
 
 - **HTMX** for modern, interactive UIs (already loaded in your base template)
@@ -543,6 +573,7 @@ To make uploaded files accessible via the web, create a symlink:
 ```bash
 php sprout symlink:create
 ```
+
 - This links `public/storage` to `storage/app/public`.
 - On Windows, a directory junction is created for compatibility.
 
@@ -577,6 +608,7 @@ if ($request->hasFile('avatar')) {
 ```
 
 ### Notes
+
 - Always use the `Storage` helper for uploads and URLs.
 - The storage root is now absolute for reliability.
 - No need to set or override the storage root in `.env` unless you have a custom setup.

RELEASE_NOTES.md

@@ -1,31 +1,27 @@
-# SproutPHP v0.1.7-alpha.3 Release Notes
+# Release Notes: v0.1.7-beta.1 (2024-06-09)
 
-## 🎉 New Features & Improvements
+## Highlights
 
-- **Absolute Storage Path:** Storage root is now set to an absolute path by default for reliability; no need to set in .env for most use cases.
-- **Updated Storage Helper:** Improved documentation and usage for file uploads and URL generation.
-- **Symlink Command:** Enhanced for better cross-platform compatibility (Windows junctions, Linux/macOS symlinks).
-- **Documentation:** DOCS.md updated to reflect new storage system, usage, and best practices.
-- **Bugfix:** Prevented duplicate/nested storage paths in uploads.
-- **General Improvements:** Codebase and documentation refinements.
+- **First Beta Release!** SproutPHP is now feature-complete and ready for broader testing and feedback.
+- **Dynamic Routing:** Support for route parameters (e.g., `/user/{id}`, `/file/{filename:.+}`) enables full CRUD and flexible APIs.
+- **CSRF Protection:** Robust, middleware-based CSRF protection for all state-changing requests (forms, AJAX, HTMX).
+- **SPA-like UX:** HTMX-powered forms and file uploads for a modern, seamless user experience.
+- **Private File Handling:** Secure upload/download of private files, accessible only via internal methods.
+- **Cleaner Codebase:** All CSRF logic is now in helpers/middleware, not exposed in entry scripts.
 
-## 🛠️ Upgrade Guide
+## Upgrade Notes
 
-- Use the new absolute storage root (no .env override needed).
-- Run `php sprout symlink:create` to ensure correct symlink/junction for uploads.
-- See DOCS.md for updated usage and examples.
+- All CSRF tokens now use the `_csrf_token` session key. Update any custom code to use the new helpers.
+- File downloads now use a query parameter (`?file=...`) for compatibility with the PHP built-in server.
+- If you use custom routes, you can now use `{param}` and `{param:regex}` patterns.
 
-## 📅 Release Date
+## What's New
 
-2024-06-13
+- Two-column grid UI for validation and file upload forms
+- SPA feel with HTMX indicators and partial updates
+- Consistent and secure CSRF handling everywhere
+- Improved storage path resolution and symlink support
 
-## 📦 Framework Version
+## Thank You!
 
-v0.1.7-alpha.3
-
----
-
-**Release Date**: 2024-06-13  
-**Framework Version**: v0.1.7-alpha.3  
-**PHP Version**: 8.1+  
-**Composer**: 2.0+
+Thank you for testing and contributing to SproutPHP. Please report any issues or feedback as we move toward a stable release.

app/Controllers/ValidationTestController.php

@@ -18,11 +18,36 @@ public function index()
             ]);
         }
 
-        return view('validation-test', ['title' => 'ValidationTestController Index']);
+        // List private files for the right grid
+        $privateFiles = $this->getPrivateFiles();
+
+        return view('validation-test', [
+            'title' => 'ValidationTestController Index',
+            'privateFiles' => $privateFiles,
+        ]);
+    }
+
+    /**
+     * Helper to get private files list
+     */
+    protected function getPrivateFiles()
+    {
+        $privateDir = Storage::path('', 'private');
+        $privateFiles = [];
+
+        if (is_dir($privateDir)) {
+            foreach (scandir($privateDir) as $file) {
+                if ($file !== '.' && $file !== '..' && is_file($privateDir . '/' . $file)) {
+                    $privateFiles[] = $file;
+                }
+            }
+        }
+        return $privateFiles;
     }
 
     public function handleForm()
     {
+        sleep(1); // 1 second delay
         $request = Request::capture();
 
         $data = [
@@ -70,4 +95,76 @@ public function handleForm()
             'avatar_url' => isset($path) ? Storage::url($path) : null,
         ]);
     }
+
+    /**
+     * Handle private file upload
+     */
+    public function handlePrivateUpload()
+    {
+        $request = Request::capture();
+        $error = null;
+        $path = null;
+        if ($request->hasFile('private_file')) {
+            $file = $request->file('private_file');
+            $path = Storage::put($file, '', 'private');
+            if (!$path) {
+                $error = 'Private file upload failed.';
+            }
+        } else {
+            $error = 'Please select a file to upload.';
+        }
+
+        // HTMX: return only the private files list fragment
+        if (isset($_SERVER['HTTP_HX_REQUEST']) && $_SERVER['HTTP_HX_REQUEST'] === 'true') {
+            $privateFiles = $this->getPrivateFiles();
+            return view('partials/private-files-list', [
+                'privateFiles' => $privateFiles,
+                'error' => $error,
+            ]);
+        }
+
+        // Fallback: redirect back
+        header('Location: ' . $_SERVER['HTTP_REFERER']);
+        exit;
+    }
+
+    /**
+     * Render private files list fragment (for HTMX)
+     */
+    public function privateFilesListFragment()
+    {
+        $privateFiles = $this->getPrivateFiles();
+        return view('partials/private-files-list', [
+            'privateFiles' => $privateFiles,
+        ]);
+    }
+
+    /**
+     * Securely download a private file
+     */
+    public function downloadPrivateFile()
+    {
+        $filename = isset($_GET['file']) ? urldecode($_GET['file']) : null;
+        if (!$filename) {
+            http_response_code(400);
+            echo 'Missing file parameter.';
+            exit;
+        }
+        $privatePath = Storage::path($filename, 'private');
+        if (!is_file($privatePath)) {
+            http_response_code(404);
+            echo 'File not found.';
+            exit;
+        }
+        // Set headers for download
+        header('Content-Description: File Transfer');
+        header('Content-Type: application/octet-stream');
+        header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
+        header('Expires: 0');
+        header('Cache-Control: must-revalidate');
+        header('Pragma: public');
+        header('Content-Length: ' . filesize($privatePath));
+        readfile($privatePath);
+        exit;
+    }
 }

app/Views/partials/private-files-list.twig

@@ -0,0 +1,13 @@
+<h3 style="margin-top:2rem;">Private Files</h3>
+{% if privateFiles and privateFiles|length > 0 %}
+	<ul style="list-style: none; padding-left: 0;">
+		{% for file in privateFiles %}
+			<li style="display: flex; align-items: center; gap: 0.5rem; margin-bottom: 0.5rem;">
+				<span>{{ file|e }}</span>
+				<a href="/validation-test/private-download?file={{ file|url_encode }}" target="_blank">Download</a>
+			</li>
+		{% endfor %}
+	</ul>
+{% else %}
+	<p>No private files uploaded yet.</p>
+{% endif %}

app/Views/partials/validation-form.twig

@@ -1,44 +1,43 @@
 {% include "components/spinner.twig" %}
-<form 
-    hx-post="/validation-test" 
-    hx-target="#form-container" 
-    hx-swap="innerHTML"
-    hx-indicator="#spinner"
-    method="POST"
-    autocomplete="off"
-    enctype="multipart/form-data"
->
-    {# CSRF TOKEN #}
-    {{ csrf_field()|raw }}
-    <div>
-        <label for="name">Name:</label>
-        <input type="text" name="name" id="name" value="{{ old.name|e }}">
-        {% if errors.name %}
-            <div class="error" for="name" style="color: red;">{{ errors.name }}</div>
-        {% endif %}
-    </div>
-    <div>
-        <label for="email">Email:</label>
-        <input type="email" name="email" id="email" value="{{ old.email|e }}">
-        {% if errors.email %}
-            <div class="error" for="email" style="color: red;">{{ errors.email }}</div>
-        {% endif %}
-    </div>
-    <div>
-      <label for="avatar">Avatar:</label>
-      <input type="file" name="avatar" id="avatar" accept="image/*" />
-      {% if errors.avatar %}
-        <div class="error" for="avatar" style="color: red;">{{ errors.avatar }}</div>
-      {% endif %}
-    </div>
-    <button type="submit">Submit
-    </button>
+<form
+	hx-post="/validation-test" hx-target="#form-container" hx-swap="innerHTML" hx-indicator="#spinner" method="POST" autocomplete="off" enctype="multipart/form-data">
+	{# CSRF TOKEN #}
+	{{ csrf_field()|raw }}
+	<div>
+		<label for="name">Name:</label>
+		<input type="text" name="name" id="name" value="{{ old.name|e }}">
+		{% if errors.name %}
+			<div class="error" for="name" style="color: red;">{{ errors.name }}</div>
+		{% endif %}
+	</div>
+	<div>
+		<label for="email">Email:</label>
+		<input type="email" name="email" id="email" value="{{ old.email|e }}">
+		{% if errors.email %}
+			<div class="error" for="email" style="color: red;">{{ errors.email }}</div>
+		{% endif %}
+	</div>
+	<div>
+		<label for="avatar">Avatar:</label>
+		<input type="file" name="avatar" id="avatar" accept="image/*"/>
+		{% if errors.avatar %}
+			<div class="error" for="avatar" style="color: red;">{{ errors.avatar }}</div>
+		{% endif %}
+	</div>
+	<button type="submit">Submit
+	</button>
 </form>
 <script>
-document.addEventListener('focusin', function(e) {
-  if (e.target.form && e.target.name) {
-    const error = e.target.form.querySelector(`.error[for="${e.target.name}"]`);
-    if (error) error.remove();
-  }
+	document.addEventListener('focusin', function (e) {
+if (e.target.form && e.target.name) {
+const error = e.target.form.querySelector(`.error[for="${
+e.target.name
+}"]`);
+if (error) 
+error.remove();
+
+
+
+}
 });
-</script>
+</script>

app/Views/partials/validation-success.twig

@@ -1,9 +1,12 @@
 <div class="success">
-    <h2>Form Submitted Successfully!</h2>
-    <p>Name: {{ name|e }}</p>
-    <p>Email: {{ email|e }}</p>
-    {% if avatar_url %}
-        <p>Avatar: <img src="{{ avatar_url }}" alt="Avatar" style="max-width:100px;max-height:100px;"></p>
-    {% endif %}
-    <button hx-get="/validation-test" hx-target="#main-content" hx-push-url="true">Submit Another</button>
-</div>
+	<h2>Form Submitted Successfully!</h2>
+	<p>Name:
+		{{ name|e }}</p>
+	<p>Email:
+		{{ email|e }}</p>
+	{% if avatar_url %}
+		<p>Avatar:
+			<img src="{{ avatar_url }}" alt="Avatar" style="max-width:100px;max-height:100px;"></p>
+	{% endif %}
+	<button hx-get="/validation-test" hx-target="#form-container" hx-push-url="true">Submit Another</button>
+</div>

app/Views/validation-test.twig

@@ -1,9 +1,26 @@
 {% extends "layouts/base.twig" %}
-{% block title %}validation-test{% endblock %}
+{% block title %}validation-test
+{% endblock %}
 
 {% block content %}
-    <h1>Validation Test Form</h1>
-    <div id="form-container">
-        {% include "partials/validation-form.twig" %}
-    </div>
+	<div style="display: grid; grid-template-columns: 1fr 1fr; gap: 2rem; align-items: start;">
+		<div id="form-container">
+			<h1>Validation Test Form</h1>
+			{% include "partials/validation-form.twig" %}
+		</div>
+		<div id="private-upload-container" style="border-left: 1px solid #eee; padding-left: 2rem;">
+			<h2>Private File Upload</h2>
+			<form method="POST" action="/validation-test/private-upload" enctype="multipart/form-data" hx-post="/validation-test/private-upload" hx-target="#private-files-list" hx-swap="outerHTML">
+				{{ csrf_field()|raw }}
+				<div>
+					<label for="private_file">Select file:</label>
+					<input type="file" name="private_file" id="private_file" required/>
+				</div>
+				<button type="submit">Upload Private File</button>
+			</form>
+			<div id="private-files-list">
+				{% include "partials/private-files-list.twig" %}
+			</div>
+		</div>
+	</div>
 {% endblock %}