lukman-ss/intisari-api
Composer 安装命令:
composer create-project lukman-ss/intisari-api
包简介
Lightweight RESTful API starter based on IntisariPHP
README 文档
README
A lightweight RESTful API starter built on top of IntisariPHP.
Requirements
- PHP 8.2 or higher
- SQLite PDO extension
- Composer
Installation
Create a new project using Composer:
composer create-project lukman-ss/intisari-api your-project-name
cd your-project-name
Environment Setup
Copy the example environment file:
cp .env.example .env
Important: The default .env.example is secured for production. To run the API locally, open your .env file, comment out the production database and CORS settings, and uncomment the LOCAL DEVELOPMENT OVERRIDES section at the bottom.
Ensure the local SQLite database file exists (if using local development overrides):
touch database/api.sqlite
(Alternatively, you can run make install if you are on a Unix-based system to handle both setup steps.)
Run Development Server
To start the built-in PHP development server, use the composer script:
composer serve
The API will be available at http://localhost:8000.
Database Migration
Run the database migrations to set up the default tables (users, posts, api_tokens):
composer migrate
If you need to refresh the database (drop and re-run all migrations) and optionally seed initial data:
composer fresh composer seed
Authentication Flow
This project uses a simple Bearer Token authentication mechanism.
- Register: Send a
POSTrequest to/api/auth/registerwithname,email, andpassword. You will receive a token in the response. - Login: Send a
POSTrequest to/api/auth/loginwithemailandpasswordto obtain a new token. - Usage: Include the token in the
Authorizationheader of subsequent requests:Authorization: Bearer YOUR_TOKEN_HERE - Logout: Send a
POSTrequest to/api/auth/logoutto revoke your current token.
Example API Request
Here is an example of creating a new post:
curl -X POST http://localhost:8000/api/posts \ -H "Authorization: Bearer YOUR_TOKEN_HERE" \ -H "Content-Type: application/json" \ -d '{ "title": "My First Post", "content": "Hello World", "status": "published" }'
Testing
The project is fully tested using PHPUnit, with automatic in-memory SQLite isolation for feature tests.
To run the test suite:
composer test
To run syntax checks and code validation:
composer source:check
Project Structure
app/: Core application code (Controllers, Middleware, Exceptions, Support, Repositories).bootstrap/: Application and container bootstrapping.config/: Application configuration files.database/: SQLite database file and migration scripts.docs/: OpenAPI specifications and Markdown documentation.public/: Web server entry point (index.php).routes/: Route definitions (api.php,console.php).tests/: Feature and Unit tests.scripts/: Development and maintenance scripts.
Secure Deployment
To ensure this API operates securely in a production environment, strictly adhere to the following baseline requirements. For complete details, see our SECURITY.md.
- Environment Config: Never commit
.envto Git. EnsureAPP_DEBUG=falseto prevent sensitive stack trace leaks. - HTTPS & Proxy: Production traffic must run over HTTPS. If placed behind a reverse proxy (e.g., Nginx), ensure headers like
X-Forwarded-Forare trusted securely. - Database Credentials: MySQL/PostgreSQL require explicit, strong credentials. Do not fallback to root or empty passwords.
- CORS Allowlist: Do not use
*forCORS_ALLOWED_ORIGINSin production. Specify exact frontend domains explicitly. - Rate Limiting: The built-in file-based rate limiter is for low-traffic/local use. For production, switch to a robust Redis/Memcached backend or handle throttling at the reverse proxy.
- Token Least-Privilege: Grant API tokens only the absolute minimum abilities required. Never default to wildcard (
*) abilities for user-facing tokens. - Storage Permissions: Ensure that
storage/and any SQLite database directories are writable by the web server but never accessible directly via the public web root. - Composer Audit: Regularly run
composer security:check(which includescomposer audit --locked) in your CI pipeline to catch vulnerable dependencies. - Logging & Secrets: Use the built-in redaction for sensitive keys (
password,token, etc.) instorage/logs/app.log. Manage secrets using secure environment managers or vaults. - Migrations: Run
composer migratecautiously in production. Use--forcemechanisms appropriately to prevent accidental destructive migrations. - Backup: Regularly back up your database and
.envsecurely off-site.
License
This project is open-sourced software licensed under the MIT license.
统计信息
- 总下载量: 2
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 9
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-07-09