core/php-api
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
php-api/changelog/2026/jan/features.md
Snider 931974645b monorepo sepration
2026-01-26 20:57:08 +00:00

3.4 KiB
Raw Blame History

Core-API - January 2026

Features Implemented

Webhook Signing (Outbound)

HMAC-SHA256 signatures with timestamp for replay attack protection.

Files:

  • Services/WebhookSignature.php - Sign/verify service
  • Models/WebhookEndpoint.php - Signature methods
  • Models/WebhookDelivery.php - Headers in payload

Headers:

Header Description
X-Webhook-Signature HMAC-SHA256 (64 hex chars)
X-Webhook-Timestamp Unix timestamp
X-Webhook-Event Event type
X-Webhook-Id Unique delivery ID

Verification:

$signature = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
hash_equals($signature, $headerSignature);

API Key Security

Secure bcrypt hashing with backward compatibility for legacy SHA-256 keys.

Files:

  • Models/ApiKey.php - Secure hashing, rotation, grace periods
  • Migrations/2026_01_27_* - Added hash_algorithm column

Features:

  • New keys use Hash::make() (bcrypt)
  • Legacy keys continue working
  • Key rotation with grace periods
  • Scopes: legacyHash(), secureHash(), inGracePeriod()

Rate Limiting

Granular rate limiting with sliding window algorithm.

Files:

  • RateLimit/RateLimitService.php - Sliding window service
  • RateLimit/RateLimitResult.php - Result DTO
  • RateLimit/RateLimit.php - PHP 8 attribute
  • Middleware/RateLimitApi.php - Enhanced middleware
  • Exceptions/RateLimitExceededException.php

Features:

  • Per-endpoint limits via #[RateLimit] attribute or config
  • Per-workspace isolation
  • Tier-based limits (free/starter/pro/agency/enterprise)
  • Burst allowance (e.g., 20% over limit)
  • Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset

Usage:

#[RateLimit(limit: 100, window: 60, burst: 1.2)]
public function index() { ... }

OpenAPI/Swagger Documentation

Auto-generated API documentation with multiple UI options.

Files:

  • Documentation/OpenApiBuilder.php - Spec generator
  • Documentation/DocumentationController.php - Routes
  • Documentation/Attributes/ - ApiTag, ApiResponse, ApiSecurity, ApiParameter, ApiHidden
  • Documentation/Extensions/ - WorkspaceHeader, RateLimit, ApiKeyAuth
  • Documentation/Views/ - Swagger, Scalar, ReDoc

Routes:

Route Description
GET /api/docs Default UI (Scalar)
GET /api/docs/swagger Swagger UI
GET /api/docs/scalar Scalar API Reference
GET /api/docs/redoc ReDoc
GET /api/docs/openapi.json OpenAPI spec (JSON)
GET /api/docs/openapi.yaml OpenAPI spec (YAML)

Usage:

#[ApiTag('Users')]
#[ApiResponse(200, UserResource::class)]
#[ApiParameter('page', 'query', 'integer')]
public function index() { ... }

Config: API_DOCS_ENABLED, API_DOCS_TITLE, API_DOCS_REQUIRE_AUTH

Documentation Genericization

Removed vendor-specific branding from API documentation.

Files:

  • Website/Api/View/Blade/guides/authentication.blade.php
  • Website/Api/View/Blade/guides/errors.blade.php
  • Website/Api/View/Blade/guides/index.blade.php
  • Website/Api/View/Blade/guides/qrcodes.blade.php
  • Website/Api/View/Blade/guides/quickstart.blade.php

Changes:

  • Replaced "Host UK API" with generic "API"
  • Removed specific domain references (lt.hn)
  • Replaced sign-up URLs with generic account requirements
  • Made example URLs vendor-neutral

Impact: Framework documentation is now vendor-agnostic and suitable for open-source distribution.