🔧 Updated site to use [.env] file for auth

.gitignore

@@ -8,3 +8,6 @@ sites/
 .DS_Store
 Desktop.ini
 Thumbs.db
+
+# Enviroment Variable Files
+.env

README.md

@@ -7,6 +7,17 @@ This repository contains playground website for FastSitePHP. The UI (User Interf
 * __Playground UI__: <a href="https://www.fastsitephp.com/en/playground" target="_blank">https://www.fastsitephp.com/en/playground</a>
 * __Playground Server__: <a href="https://playground.fastsitephp.com/" target="_blank">https://playground.fastsitephp.com/</a>
 
+## :desktop_computer: Running Locally
+
+Download this repository then run the install script. This will also generate a new `app_data/.env` file which is used for authentication.
+
+~~~
+cd {root-directory}
+php ./scripts/install.php
+~~~
+
+Or to install using Composer: `composer require fastsitephp/fastsitephp`. Then copy `app_data/.env.example` to `app_data/.env`.
+
 ## ⚙️ How it works
 
 <p align="center">

app/app.php

@@ -6,6 +6,7 @@
 // Classes used in this file. Classes are not loaded unless used.
 // ------------------------------------------------------------------
 
+use FastSitePHP\Environment\DotEnv;
 use FastSitePHP\FileSystem\Search;
 use FastSitePHP\FileSystem\Security;
 use FastSitePHP\Security\Crypto;
@@ -20,20 +21,6 @@
 $app->not_found_template = '404.htm';
 $app->show_detailed_errors = true;
 
-// The key for signing is hard-coded. The value below can be used for testing
-// while the actual production server has a different value. See API docs for
-// [Security\Crypto\SignedData] as new keys can be generated on the playground.
-// The config key is used with [Crypto::sign()] and [Crypto::verify()].
-/*
-$app->get('/get-key', function() use ($app) {
-    $csd = new \FastSitePHP\Security\Crypto\SignedData();
-	$key = $csd->generateKey();
-	$app->header('Content-Type', 'text/plain');
-    return $key;
-});
-*/
-$app->config['SIGNING_KEY'] = '85ef7bb21b3ee94b9e3e953c9aea23cf6ed03ba3252e19afe7210c788739eb87';
-
 // Allow CORS with Headers for posting data with Auth.
 // This allows the web service to run from any site.
 if (isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] !== 'null') {
@@ -132,6 +119,16 @@ function fileNameIsValid($name) {
 }
 
 
+// Load the site key from the [app_data/.env] file. It is used by
+// [Security\Crypto\SignedData] with [Crypto::sign()] and [Crypto::verify()].
+// When running the install script the file will be generated.
+function loadSiteKey() {
+    $dir = __DIR__ . '/../app_data';
+    $required_vars = ['SIGNING_KEY'];
+    DotEnv::load($dir, $required_vars);
+}
+
+
 // Route Filter Function to get and validate the submitted site.
 // This is the core security function that prevents users from modifying
 // content on a site that they do not have the key for.
@@ -149,6 +146,7 @@ function fileNameIsValid($name) {
     }
 
     // Validate Token
+    loadSiteKey();
     $token = str_replace('Bearer ', '', $token);
     $site = Crypto::verify($token);
     if ($site === null) {
@@ -260,6 +258,7 @@ function fileNameIsValid($name) {
     // Return site info (site string and expires time) as signed data.
     // Signed data is similar to JWT but uses a different format.
     // By default [Crypto::sign()] uses a 1 hour timeout.
+    loadSiteKey();
     return [
         'site' => Crypto::sign($site),
     ];

app_data/.env.example

@@ -0,0 +1 @@
+SIGNING_KEY=85ef7bb21b3ee94b9e3e953c9aea23cf6ed03ba3252e19afe7210c788739eb87

docs/Playground Server Setup.txt

@@ -169,15 +169,12 @@ rm /var/www/html/index.html
 sudo chown ubuntu:www-data -R /var/www
 sudo chmod 0775 -R /var/www
 
-# Generate a new key and update [app.php]
+# Generate a new key and create the [.env] file
 # For info on key generation with (xxd...urandom) see:
 #     https://www.fastsitephp.com/en/documents/file-encryption-bash
-xxd -l 32 -c 32 -p /dev/urandom
-# Example Output (don't use this, generate your own key):
-#   85ef7bb21b3ee94b9e3e953c9aea23cf6ed03ba3252e19afe7210c788739eb87
-# Copy the key to the clipboard and update the PHP file
-nano /var/www/app/app.php
-# View the file using [nano] one more time after saving to verify the key changed
+echo "SIGNING_KEY=`xxd -l 32 -c 32 -p /dev/urandom`" | sudo tee /var/www/app_data/.env
+# Example File (don't use this, generate your own key):
+#   SIGNING_KEY=85ef7bb21b3ee94b9e3e953c9aea23cf6ed03ba3252e19afe7210c788739eb87
 
 # Update Local Playground JavaScript File with the new URL
 # Seach for "localhost:3000" or "urlRoot:" in the file and make related changes

scripts/install.php

@@ -10,6 +10,9 @@
  * third-party tools. Composer handles already downloaded projects so you
  * can use this file first and then later switch to Composer if adding
  * additional dependencies to your site.
+ * 
+ * This specific install script is for the playground and is used
+ * to generate a required [app_data/.env] file.
  *
  * All files downloaded including the FastSitePHP Framework are
  * relatively small in size so this script runs quickly.
@@ -375,6 +378,20 @@ function main($downloads) {
         copy($source, $autoload_path);
     }
 
+    // Generate a new [.env] file if needed
+    echo str_repeat('-', 80) . LINE_BREAK;
+    $env_file = __DIR__ . '/../app_data/.env';
+    if (is_file($env_file)) {
+        echo 'Using existing [.env] file: ' . realpath($env_file) . LINE_BREAK;
+    } else {
+        echo 'Generating [.env] file' . LINE_BREAK;
+        include $autoload_path;
+        $csd = new \FastSitePHP\Security\Crypto\SignedData();
+        $key = $csd->generateKey();
+        file_put_contents($env_file, 'SIGNING_KEY=' . $key);
+        echo realpath($env_file) . LINE_BREAK;
+    }
+
     // PHP continues code execution by default when there is
     // an error so make sure there were no errors.
     echo str_repeat('=', 80) . LINE_BREAK;

scripts/sync-server-from-github.sh

@@ -6,28 +6,24 @@
 #  and is used to sync the latest changes from GitHub. It runs manually from
 #  the author once published changes are confirmed.
 #
-#  Only site templates and Framework are synced, any other code changes 
-#  require manual updates. This is due to the fact that the playground server
-#  uses a hard-coded security key for authentication which only exists on the 
-#  server. A hard-coded key is used over a [.env] file for performance
-#  (to avoid loading extra classes and files).
-#
 #  To run:
 #      bash /var/www/scripts/sync-server-from-github.sh
 #
 #  For testing with [rsync] use [-n = --dry-run]
 #  Example:
-#      rsync -nrcv --delete ~/playground-master/app_data/template/ /var/www/app_data/template
+#      rsync -nrcv --delete ~/playground-master/app/ /var/www/app
 #
 # -----------------------------------------------------------------------------
 
 wget https://github.com/fastsitephp/playground/archive/master.zip -O /home/ubuntu/master.zip
 unzip -q master.zip
 rm master.zip
-wget https://github.com/fastsitephp/fastsitephp/archive/1.0.0.zip -O /home/ubuntu/1.0.0.zip
-unzip -q 1.0.0.zip
-rm 1.0.0.zip
+wget https://github.com/fastsitephp/fastsitephp/archive/master.zip -O /home/ubuntu/master.zip
+unzip -q master.zip
+rm master.zip
+rsync -rcv --delete ~/playground-master/app/ /var/www/app
 rsync -rcv --delete ~/playground-master/app_data/template/ /var/www/app_data/template
-rsync -rcv --delete ~/fastsitephp-1.0.0/src/ /var/www/vendor/fastsitephp/src
+rsync -rcv --delete --exclude sites ~/playground-master/htm/ /var/www/htm
+rsync -rcv --delete ~/fastsitephp-master/src/ /var/www/vendor/fastsitephp/src
 rm -r playground-master
-rm -r fastsitephp-1.0.0
+rm -r fastsitephp-master