Alpha: ZealPHP is early-stage and under active development. APIs may change between minor versions until v1.0. Feedback and bug reports welcome on GitHub.

Auth
in package

Table of Contents

Methods

currentUser()  : array{user_id: int, username: string}|null
login()  : int|null
rateLimit()  : bool
Increment-and-check sliding window per IP. Returns false when the window is full (caller should respond with 429).
readCredentials()  : array{username: string, password: string}|null
redirectAfterAuth()  : void
Emit the post-auth response for the shared learn login/register/logout flow.
register()  : int|null
resolveAuthRedirect()  : string
Resolve the post-auth destination: the page the user acted from (htmx's HX-Current-URL, then Referer), so login keeps you in context instead of always dumping you on /learn/notes. Only a same-site absolute path is honoured (leading "/" but not the protocol-relative "//"); anything else falls back to $default. Pure + side-effect-free so it's unit-testable.
validatePassword()  : bool
validateUsername()  : bool
isLoopback()  : bool

Methods

currentUser()

public static currentUser() : array{user_id: int, username: string}|null
Return values
array{user_id: int, username: string}|null

login()

public static login(PDO $db, string $username, string $password) : int|null
Parameters
$db : PDO
$username : string
$password : string
Return values
int|null

rateLimit()

Increment-and-check sliding window per IP. Returns false when the window is full (caller should respond with 429).

public static rateLimit(string $table, string $ip, int $limit, int $window) : bool

Bypasses:

  • $limit <= 0 — explicitly disabled (production knob).
  • Loopback clients (127.0.0.1 / ::1 / ::ffff:127.0.0.1) — unless ZEALPHP_LEARN_RATE_LIMIT_LOOPBACK=1 is set. Production never sees loopback traffic (proxied requests carry the real client IP via X-Forwarded-For); the bypass exists so the integration test suite can run repeatedly without php app.php restart between runs. Opt back in via the env var if you're testing the rate limiter itself or running phpunit against a non-loopback bind.
Parameters
$table : string
$ip : string
$limit : int
$window : int
Return values
bool

readCredentials()

public static readCredentials(RequestContext $g) : array{username: string, password: string}|null
Parameters
$g : RequestContext
Return values
array{username: string, password: string}|null

redirectAfterAuth()

Emit the post-auth response for the shared learn login/register/logout flow.

public static redirectAfterAuth(RequestContext $g[, string $default = '/learn/notes' ]) : void

For an htmx request it sends HX-Location — an in-place content swap, NOT a navigation: htmx fetches the destination, selects its .lesson-content, and swaps it into the current one. No full page reload, scroll position kept, and the hx-preserved sidebar is left untouched. (The earlier HX-Redirect did a full client-side reload — correct layout, but it reset scroll and re-fetched the whole page; and a bare 302 Location is even worse: the XHR follows it transparently, so htmx swapped the redirected page into the form's tiny feedback div and dropped the sidebar — the originally reported bug.)

Non-htmx (no-JS) posts still get a normal 302 Location.

Parameters
$g : RequestContext
$default : string = '/learn/notes'

register()

public static register(PDO $db, string $username, string $password) : int|null
Parameters
$db : PDO
$username : string
$password : string
Return values
int|null

resolveAuthRedirect()

Resolve the post-auth destination: the page the user acted from (htmx's HX-Current-URL, then Referer), so login keeps you in context instead of always dumping you on /learn/notes. Only a same-site absolute path is honoured (leading "/" but not the protocol-relative "//"); anything else falls back to $default. Pure + side-effect-free so it's unit-testable.

public static resolveAuthRedirect(string|null $hxCurrentUrl, string|null $referer[, string $default = '/learn/notes' ]) : string
Parameters
$hxCurrentUrl : string|null
$referer : string|null
$default : string = '/learn/notes'
Return values
string
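
The rule described above, sketched as an added example (not ZealPHP's own code) that goes slightly beyond the page. Assumptions not stated on this page: the function names, the `$siteHost` parameter, the reduction of a full URL to its path and query, and the rejection of backslashes and control characters; `site.example` and `evil.example` are placeholder hosts.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, not Auth::resolveAuthRedirect() itself.
// $siteHost is an assumed parameter; the page does not say how "same-site" is decided.
function example_resolve_redirect(?string $hxCurrentUrl, ?string $referer,
    string $siteHost, string $default = '/learn/notes'): string
{
    // Precedence from the page: HX-Current-URL first, then Referer, then $default.
    foreach ([$hxCurrentUrl, $referer] as $candidate) {
        if ($candidate !== null && ($path = example_same_site_path($candidate, $siteHost)) !== null) {
            return $path;
        }
    }
    return $default;
}

function example_same_site_path(string $value, string $siteHost): ?string
{
    // Assumed hardening: browsers read "\" as "/" and drop tab/CR/LF, so a value
    // such as "/\host" would otherwise slip past the "//" check below.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $value) === 1) {
        return null;
    }
    // Assumed handling of a full URL: keep path + query only when the host is ours.
    if (preg_match('#^https?://#i', $value) === 1) {
        $parts = parse_url($value);
        if ($parts === false || strcasecmp($parts['host'] ?? '', $siteHost) !== 0) {
            return null;
        }
        $value = ($parts['path'] ?? '/') . (isset($parts['query']) ? '?' . $parts['query'] : '');
    }
    // The rule stated on the page: leading "/" but not the protocol-relative "//".
    if ($value === '' || $value[0] !== '/' || str_starts_with($value, '//')) { // PHP 8+
        return null;
    }
    return $value;
}

// Constructed inputs: [HX-Current-URL, Referer].
$cases = [
    ['https://site.example/learn/auth?tab=2', null],
    ['https://evil.example/learn/auth', '/learn/intro'],
    ['https://site.example//evil.example/x', null],
    ['/\\evil.example', '//evil.example'],
];
foreach ($cases as [$hx, $ref]) {
    printf("%s | %s => %s\n", var_export($hx, true), var_export($ref, true),
        example_resolve_redirect($hx, $ref, 'site.example'));
}
```

The third case shows why the "//" check runs after the URL is reduced to its path: a same-host URL can still carry a path that a browser would treat as protocol-relative once it is sent back on its own.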

validatePassword()

public static validatePassword(string $p) : bool
Parameters
$p : string
Return values
bool

validateUsername()

public static validateUsername(string $u) : bool
Parameters
$u : string
Return values
bool

isLoopback()

private static isLoopback(string $ip) : bool
Parameters
$ip : string
Return values
bool