File: docs/CHANGELOG.md

Recommend this page to a friend!

docs/CHANGELOG.md

File:	`docs/CHANGELOG.md`
Role:	Auxiliary data
Content type:	`text/markdown`
Description:	Auxiliary data
Class:	PHP CRUD API Generator Create an API to access MySQL database record
Author:	By Adrian M
Last change:
Date:	3 months ago
Size:	`17,326 bytes`

Download

Changelog

2.0.1 - Type Safety & CI Hardening (2025-11-12)

? What changed

Static analysis: Reduced PHPStan issues to zero with precise generics, array-shape docs, and guards across core modules.
App hardening: Cleaned up Router, RBAC, Cache, Authenticator, ApiController, Monitor, and middlewares for stricter typing and better error handling.
Tests cleanup: Modernized tests to remove always-true assertions, add return types, guard glob/file reads, and align with updated return shapes.
CI ready: Ensured the test suite runs green on clean environments.

? Highlights

RBAC: Normalized user roles mapping and removed unused state.
ApiController: Simplified cache-key logic and removed redundant checks; consistent return tuples.
Monitor & RequestLogger: Safer I/O guards; added minimal reads to satisfy analyzer without behavior change.
Cache: Tightened typing in manager and drivers; safer key generation and headers handling.
Middlewares: Fixed unreachable code in rate limiting; typed CORS config.
Config: Added explicit types and normalizations in `ApiConfig` and `CacheConfig` getters.

? CI (GitHub Actions)

Added workflow to run Composer install, PHPStan, and PHPUnit on pushes/PRs.
Provisioned MySQL service (database: `test`) so DB-backed tests run reliably in CI.
Matrix on PHP 8.2 and 8.3.

Result

PHPStan: 0 errors.
PHPUnit: All tests passing.

2.0.0 - Performance & Architecture Revolution (2025-11-10)

? Major New Features

Response Caching System (10-100x Performance Boost)

File-based caching with zero dependencies - works everywhere
Per-table TTL configuration - cache users for 1 minute, products for 10 minutes
Smart invalidation - automatic cache clearing on create/update/delete operations
User-specific caching - different cache per API key or user ID
Cache statistics - track hits, misses, file count, total size
HTTP headers - `X-Cache-Hit`, `X-Cache-TTL`, `X-Cache-Stored` for debugging

Performance Impact: - First request: ~50-200ms (database query) - Cached requests: ~2-10ms (file read) - 10-100x faster for read-heavy APIs

New Files: - src/Cache/CacheInterface.php - PSR-compliant cache interface - src/Cache/CacheManager.php - Main cache orchestrator - src/Cache/Drivers/FileCache.php - File-based cache driver - config/cache.php - User-friendly cache configuration - tests/cache_test.php - Comprehensive cache tests (9 tests passing)

PSR-4 Config Classes (Type-Safe Configuration)

Type-safe getters - `getAuthMethod()` instead of `$config['auth_method']`
IDE autocomplete - full IntelliSense support
Validation - catch config errors early
100% backward compatible - `toArray()` method for legacy code

Architecture:

User edits: config/api.php (simple PHP array)
     ?
Framework loads: ApiConfig::fromFile()
     ?
Code uses: $apiConfig->getAuthMethod()

New Files: - src/Config/ApiConfig.php - Type-safe wrapper for api.php - src/Config/CacheConfig.php - Type-safe wrapper for cache.php

Enhanced Authentication

JSON body support - Login endpoint now accepts `Content-Type: application/json`
Multiple request formats - JSON, Form Data, Multipart
Complete login response - Returns `{token, expires_at, user, role}`
Fallback mechanism - Database auth ? Config file auth

? Critical Bug Fixes

Router Array Access Bug

Fixed: Array access on ApiConfig object (line 785)

// BEFORE (ERROR)
$method = $this->apiConfig['auth_method'];

// AFTER (FIXED)  
$method = $this->apiConfig->getAuthMethod();

Login Endpoint Not Reading JSON Bodies

Fixed: Added php://input reading for application/json content type

Incomplete Login Response

Fixed: Enhanced response with full metadata

{
    "token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
    "expires_at": "2025-11-10T16:30:00+00:00",
    "user": "admin",
    "role": "admin"
}

? Documentation Overhaul

New Documentation: 1. docs/COMPARISON.md - vs PHP-CRUD-API v2 (when to use each) 2. docs/DASHBOARD_SECURITY.md - Securing admin dashboard (5 methods) 3. docs/SECURITY.md - Security policy and responsible disclosure 4. docs/ROADMAP.md - 10 must-have features + 8 integrations 5. docs/CACHING_IMPLEMENTATION.md - Technical cache analysis 6. docs/CONFIG_FLOW.md - Configuration architecture 7. docs/CONFIGURATION.md - Config classes usage guide

Updated Documentation: - README.md - Added cache info, security warnings - docs/AUTHENTICATION.md - Complete Postman/HTTPie/cURL examples for all auth methods - config/api.php - Helpful comments explaining config flow - config/apiexample.php - In sync with latest features

Fixed Documentation: - ? Corrected ALL endpoint URLs from http://localhost/api.php to http://localhost:8000 - ? Fixed 50+ incorrect URL references across 8 documentation files - ? Updated production URL examples (api.example.com)

? Testing & Quality

New Test Suites: - tests/cache_test.php - 9 comprehensive cache tests ? All passing - tests/test_all.php - Pre-merge test suite (6 tests) ? All passing

Test Coverage: - Cache: Write/Read, TTL, invalidation, statistics, cleanup - Config: Classes loading, type safety, validation - Auth: Database connection, authenticator, router - Structure: File permissions, directory structure

Code Quality: - ? Zero PHP errors or warnings - ? PSR-4 autoloading working - ? All imports resolved - ? Type-safe throughout

?? Configuration Enhancements

config/cache.php (New):

'enabled' => true,
'driver' => 'file',
'ttl' => 300,  // Default 5 minutes
'perTable' => [
    'users' => 60,      // 1 minute
    'products' => 600,  // 10 minutes
],
'excludeTables' => ['sessions', 'logs'],

config/api.php (Enhanced): - Added comprehensive header documentation - Explained config flow architecture - Added references to docs

? Migration Guide

From v1.x to v2.0: 1. ? 100% Backward Compatible - No breaking changes 2. ? All existing code works without modification 3. ? Optional: Enable caching in config/cache.php 4. ? Optional: Use new Config classes (automatic via framework)

New Features (Opt-in): - Enable caching: Set 'enabled' => true in config/cache.php - JSON login: Just send Content-Type: application/json - Config classes: Framework uses them automatically

? Performance Benchmarks

Caching Impact:

Endpoint: GET ?table=users&page=1
First request:  120ms (database query)
Cached request:   5ms (file read)
Speedup:         24x faster

Suitable for: - File driver: <10K requests/day - Future Redis: Millions of requests/day

? Future Enhancements (Planned)

Cache Drivers: - RedisCache (10-1000x faster than file) - MemcachedCache (distributed caching) - APCuCache (in-memory, single server)

From ROADMAP: - ? Response caching - IMPLEMENTED - ? Webhooks/callbacks - ? Export/import (CSV, JSON, XML) - ? Field-level permissions - ? API versioning

? File Structure

New Directories:

src/Cache/          - Caching system
src/Config/         - Type-safe config classes
storage/cache/      - Cache file storage

New Files: 15+ Updated Files: 20+ Documentation: 7 new docs, 5 updated

? Release Checklist

[x] All 15 tests passing
[x] Zero errors or warnings
[x] Documentation complete
[x] Cache system tested
[x] Authentication tested
[x] Config classes tested
[x] Backward compatibility verified
[x] Performance benchmarked
[x] Security reviewed
[x] Ready for production

? Summary

Version 2.0 represents a major architectural upgrade with: - 10-100x performance improvement via intelligent caching - Modern architecture with PSR-4 Config classes - Better DX - type safety, IDE support, autocomplete - Enhanced auth - JSON support, complete responses - Comprehensive docs - 7 new guides, corrected URLs throughout - Production ready - tested, documented, secure

1.4.1 - Phoenix Documentation Edition (2025-10-22)

Documentation Improvements

? Quick Start Guide: Added comprehensive 5-minute setup guide (`docs/QUICK_START.md`) - Step-by-step installation instructions - Two installation methods clearly explained - Configuration examples with exact file locations - Testing and verification steps
? JWT Authentication Guide: Added detailed JWT authentication documentation (`docs/JWT_EXPLAINED.md`) - Complete JWT workflow explanation - Login endpoint usage - Token structure and validation - Security best practices - Client implementation examples (JavaScript, Python, PHP, cURL)
? README Improvements: Updated main README with clearer installation options - Library method: Copy 3 files, modify 2 lines - Standalone method: Complete project, 0 modifications - Exact line numbers and code changes specified - Better organization and navigation

Installation Clarity

Library Installation: Now clearly shows which 2 lines to modify (line ~51 in index.php) - FROM: `require __DIR__ . '/../config/db.php'` - TO: `require __DIR__ . '/vendor/bitshost/php-crud-api-generator/config/db.php'`
Standalone Installation: Emphasized zero-modification approach - `composer create-project` method documented - Complete project structure explained - Configuration steps simplified

Testing & Validation

Tested both installation methods from Packagist
Verified all 7 core API operations work correctly
Confirmed JWT authentication flow
Validated RBAC enforcement
Performance verified (all responses <100ms)

User Benefits

? Faster Setup: 5-minute installation guide
? Better Documentation: Three comprehensive guides added
? Clear Instructions: No guesswork, exact steps provided
? Multiple Methods: Choose library or standalone based on needs

1.4.0 - Phoenix

Major Update

Complete framework restructure and improvements
Enhanced stability and performance
Multiple feature additions and bug fixes
Merged 1.4.0-Phoenix branch with extensive updates

1.3.0 - Request Logging and Monitoring

New Features

? Request Logging: Comprehensive request/response logging system - Automatic logging of all API requests and responses - Multiple log levels (debug, info, warning, error) - Sensitive data redaction (passwords, tokens, API keys) - Authentication attempt logging - Rate limit hit logging - Error logging with stack traces - Log rotation and cleanup - Statistics and analytics - Zero configuration required (works out of the box)

Improvements

Enhanced security with comprehensive audit logging
Better debugging capabilities with detailed request/response logging
Performance monitoring with execution time tracking
Security monitoring with authentication and rate limit logging
Automatic sensitive data redaction in logs
Added log statistics for monitoring
Improved Router integration with automatic logging

Logging Features

Request Details: Method, action, table, IP, user, query params, headers, body
Response Details: Status code, execution time, response size, body (optional)
Authentication Logging: Success/failure with reasons
Rate Limit Logging: Tracks rate limit violations
Error Logging: Comprehensive error details with context
Sensitive Data Redaction: Automatic redaction of passwords, tokens, API keys
Log Rotation: Automatic rotation when file exceeds size limit
Cleanup: Automatic removal of old log files
Statistics: Daily statistics (requests, errors, warnings, etc.)

Configuration

Added logging section to api.example.php: - `enabled` - Enable/disable logging - `log_dir` - Log directory path - `log_level` - Minimum log level (debug, info, warning, error) - `log_headers` - Log request headers - `log_body` - Log request body - `log_query_params` - Log query parameters - `log_response_body` - Log response body (optional) - `max_body_length` - Maximum body length to log - `sensitive_keys` - Keys to redact in logs - `rotation_size` - Size threshold for log rotation - `max_files` - Maximum log files to retain

Documentation

Added `docs/REQUEST_LOGGING.md` (coming soon)
Updated README with logging information
Added logging demo script
Added comprehensive test coverage

Testing

Added comprehensive RequestLoggerTest with 11 test cases
Tests cover: request logging, sensitive data redaction, auth logging, rate limit logging, error logging, statistics, rotation, cleanup

Migration Notes

? 100% Backward Compatible - No breaking changes
Logging is enabled by default but can be disabled in config
Logs are stored in `/logs` directory (auto-created)
Recommended: Review log settings for production use

1.2.0 - Rate Limiting and Production Security

New Features

? Rate Limiting: Built-in rate limiting to prevent API abuse - Configurable request limits (default: 100 requests per 60 seconds) - Smart identification (user, API key, or IP address) - Standard HTTP headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) - File-based storage (easily extensible to Redis/Memcached) - Automatic cleanup of old rate limit data - 429 Too Many Requests response with retry information - Per-user/IP rate limiting with sliding window algorithm - Zero configuration required (works out of the box)

Improvements

Enhanced security with rate limiting layer
Added comprehensive rate limiting documentation
Added storage directory structure for rate limit data
Improved Router class with rate limit integration
Added rate limit headers to all API responses
Better protection against DoS and brute force attacks

Documentation

Added `docs/RATE_LIMITING.md` with comprehensive guide
Updated README with rate limiting information
Added client implementation examples (JavaScript, Python, PHP)
Added benchmarks and performance considerations
Added troubleshooting guide

Testing

Added comprehensive RateLimiterTest with 11 test cases
Tests cover: basic limiting, request counting, window expiration, headers, cleanup

Configuration

Added rate_limit section to api.example.php: - `enabled` - Enable/disable rate limiting - `max_requests` - Maximum requests per window - `window_seconds` - Time window in seconds - `storage_dir` - Storage directory for rate limit data

Migration Notes

? 100% Backward Compatible - No breaking changes
Rate limiting is enabled by default but can be disabled in config
Existing APIs will continue to work without modification
Recommended: Review and adjust rate limits for your use case

1.1.0 - Enhanced Query Capabilities and Bulk Operations

New Features

Advanced Filter Operators: Support for comparison operators (eq, neq, gt, gte, lt, lte, like, in, notin, null, notnull)
Field Selection: Select specific fields in list queries using the `fields` parameter
Count Endpoint: New `count` action to get record counts with optional filtering (no pagination overhead)
Bulk Operations: - `bulk_create` - Create multiple records in a single transaction - `bulk_delete` - Delete multiple records by IDs in a single query
Input Validation: Added comprehensive input validation for table names, column names, IDs, and query parameters
Response Helper: Added Response class for standardized API responses (for future use)
Backward Compatibility: Old filter format (`col:value`) still works alongside new format (`col:op:value`)

Improvements

Fixed SQL injection vulnerability in filter parameter by using parameterized queries with unique parameter names
Added Validator class for centralized input validation and sanitization
Improved error messages with proper HTTP status codes
Enhanced documentation with detailed examples of new features
Transaction support for bulk create operations

Filter Operators

`eq` - Equals
`neq`/`ne` - Not equals
`gt` - Greater than
`gte`/`ge` - Greater than or equal
`lt` - Less than
`lte`/`le` - Less than or equal
`like` - Pattern matching
`in` - In list (pipe-separated values)
`notin`/`nin` - Not in list
`null` - Is NULL
`notnull` - Is NOT NULL

Examples

Field selection: `/index.php?action=list&table=users&fields=id,name,email`
Advanced filtering: `/index.php?action=list&table=users&filter=age:gt:18,status:eq:active`
IN operator: `/index.php?action=list&table=orders&filter=status:in:pending|processing|shipped`
Count records: `/index.php?action=count&table=users&filter=status:eq:active`
Bulk create: `POST /index.php?action=bulk_create&table=users` with JSON array
Bulk delete: `POST /index.php?action=bulk_delete&table=users` with `{"ids":[1,2,3]}`