Releases · TimAnthonyAlexander/base-api-template

13 Jun 12:41

Immutable

v1.9.5

c920170

v1.9.5 Latest

Latest

chore: bump baseapi to v1.9.5

Assets 3

10 Jun 23:47

TimAnthonyAlexander

Immutable

v1.9.4.1

16ecc28

v1.9.4.1

Patch on top of v1.9.4

Test maintenance follow-up to v1.9.4. No runtime/behavior changes.

Fixed

Example & health Feature tests now pass on a clean checkout. The template ships response.wrap_data=false (the new default), but the bundled tests still asserted the legacy { data } envelope, so all 8 failed out of the box. Their assertions now target the actual top-level response shape (ok, db, cache.working), and the full suite is green (19 tests, 53 assertions).

Note

response.wrap_data stays false — only the tests were adapted.

All v1.9.4 auth fixes (session persistence, password-hash leak, /me Bearer auth, unknown-email 401) and the baseapi/baseapi v1.9.4 upgrade are included.

Assets 3

10 Jun 23:45

TimAnthonyAlexander

Immutable

v1.9.4

69707e3

v1.9.4

Auth fixes for fresh installations

This release fixes four auth bugs that every new project scaffolded from this template inherited, and upgrades the framework to baseapi/baseapi v1.9.4.

Fixed

Session login never persisted. LoginController/SignupController wrote $this->request->session['user_id'] — a by-value copy of $_SESSION that PHP never persists — so a successful login was silently dropped on the very next request. They now write $_SESSION directly.
Login crashed on an unknown email. User::firstWhere() returns null for an unknown email, and checkPassword() was called on it, causing a fatal null-method error instead of a 401. Now guarded with instanceof User.
Password hash leaked in responses. BaseModel::jsonSerialize() serializes every public property, including the bcrypt password — exposed in login/signup/me responses and the $request->user payload. User now overrides jsonSerialize() to strip it.
/me rejected API-token auth. MeController read $_SESSION only, returning 401 for valid Bearer token requests (the SPA path). It now reads $request->user set by CombinedAuthMiddleware, working for both session and token auth.

Changed

Upgraded baseapi/baseapi v1.9.0 → v1.9.4.

Known issue

The bundled example/health Feature tests assume a { data } response envelope while the template ships response.wrap_data=false. These failures are pre-existing and unrelated to this release.

Assets 3