v1.9.4

@TimAnthonyAlexander TimAnthonyAlexander released this 10 Jun 23:45

Auth fixes for fresh installations

This release fixes four auth bugs that every new project scaffolded from this template inherited, and upgrades the framework to baseapi/baseapi v1.9.4.

Fixed

  • Session login never persisted. LoginController/SignupController wrote $this->request->session['user_id'] — a by-value copy of $_SESSION that PHP never persists — so a successful login was silently dropped on the very next request. They now write $_SESSION directly.
  • Login crashed on an unknown email. User::firstWhere() returns null for an unknown email, and checkPassword() was called on it, causing a fatal null-method error instead of a 401. Now guarded with instanceof User.
  • Password hash leaked in responses. BaseModel::jsonSerialize() serializes every public property, including the bcrypt password — exposed in login/signup/me responses and the $request->user payload. User now overrides jsonSerialize() to strip it.
  • /me rejected API-token auth. MeController read $_SESSION only, returning 401 for valid Bearer token requests (the SPA path). It now reads $request->user set by CombinedAuthMiddleware, working for both session and token auth.
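
The first three fixes side by side, as an added illustration rather than the template's own code: the `BaseModel`, `User::firstWhere()` and `checkPassword()` shapes below are assumed stand-ins (an in-memory user list is constructed inline, and `session_start()` is assumed to have been called by the framework), but the three corrections match what the notes describe.

```php
<?php
// Added example: assumed stand-ins for the template's BaseModel and User.
class BaseModel implements JsonSerializable
{
    // Serializes every public property; this is how the hash leaked pre-fix.
    public function jsonSerialize(): array
    {
        return get_object_vars($this);
    }
}

class User extends BaseModel
{
    public function __construct(public int $id, public string $email, public string $password) {}

    // Constructed in-memory lookup standing in for User::firstWhere(); returns null when no row matches.
    public static function firstWhere(string $column, string $value): ?User
    {
        $rows = [new User(1, 'alice@example.com', password_hash('correct horse', PASSWORD_BCRYPT))];
        foreach ($rows as $row) {
            if ($row->$column === $value) {
                return $row;
            }
        }
        return null;
    }

    public function checkPassword(string $plain): bool
    {
        return password_verify($plain, $this->password);
    }

    // Fix 3: strip the bcrypt hash from every JSON response, including $request->user.
    public function jsonSerialize(): array
    {
        $data = parent::jsonSerialize();
        unset($data['password']);
        return $data;
    }
}

// Fixes 1 and 2 inside a login handler: guard the null lookup, then write $_SESSION directly.
function login(string $email, string $password): array
{
    $user = User::firstWhere('email', $email);
    if (!$user instanceof User || !$user->checkPassword($password)) {
        return [401, ['error' => 'invalid credentials']]; // unknown email is a 401, not a fatal error
    }
    $_SESSION['user_id'] = $user->id; // the superglobal itself, not a by-value copy, so it persists
    return [200, ['user' => $user]];
}

foreach ([['alice@example.com', 'correct horse'], ['nobody@example.com', 'x']] as [$e, $p]) {
    [$status, $body] = login($e, $p);
    echo $status, ' ', json_encode($body), PHP_EOL;
}
```

The successful response carries only `id` and `email`, and the unknown-email attempt returns 401 without touching a null object.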

Changed

  • Upgraded baseapi/baseapi from v1.9.0 to v1.9.4.

Known issue

  • The bundled example/health Feature tests assume a { data } response envelope while the template ships response.wrap_data=false. These failures are pre-existing and unrelated to this release.