up

Author: BitsHost

.gitignore

@@ -1,8 +1,25 @@
+# Dependencies
 /vendor/
+/composer.lock
+
+# Configuration files (contain secrets)
 /config/db.php
 /config/api.php
+/config/api.local.php
 /.env
+
+# Logs and storage
+/storage/
+/logs/
+*.log
+
+# Testing artifacts
+jwt_token.txt
+*.token
+test_*.txt
+secrets_*.txt
+
+# IDE and OS
 .DS_Store
 .idea/
-/tests/output/
-/composer.lock
+/tests/output/

README.md

@@ -91,6 +91,36 @@ return [
 
 ---
 
+## 🔒 Security Setup (Production)
+
+⚠️ **IMPORTANT:** This framework ships with **example credentials for development**.  
+You **MUST** change these before deploying to production!
+
+### Quick Security Setup:
+
+```bash
+# 1. Generate secure secrets (JWT secret + API keys)
+php scripts/generate_secrets.php
+
+# 2. Update config/api.php with generated secrets
+
+# 3. Create admin user in database
+php scripts/create_user.php admin admin@yoursite.com YourSecurePassword123! admin
+```
+
+### What to Change:
+
+- [ ] `jwt_secret` - Generate with: `php scripts/generate_jwt_secret.php`
+- [ ] `api_keys` - Use long random strings (64+ characters)
+- [ ] Default admin password in `sql/create_api_users.sql`
+- [ ] Database credentials in `config/db.php`
+
+📖 **Full security guide:** [docs/AUTHENTICATION.md](docs/AUTHENTICATION.md)
+
+---
+
+---
+
 ## 🔐 Authentication Modes
 
 - **No auth:** `'auth_enabled' => false`

scripts/generate_jwt_secret.php

@@ -0,0 +1,72 @@
+<?php
+/**
+ * JWT Secret Generator
+ * 
+ * Generates a cryptographically secure random secret for JWT token signing.
+ * Use this to create a unique secret for your production environment.
+ * 
+ * Usage:
+ *   php scripts/generate_jwt_secret.php
+ * 
+ * @package PHP-CRUD-API-Generator
+ * @version 1.0.0
+ */
+
+echo "\n";
+echo "========================================\n";
+echo "   JWT SECRET GENERATOR\n";
+echo "========================================\n";
+echo "\n";
+
+// Generate 64-character hexadecimal secret (32 bytes = 256 bits)
+$secret = bin2hex(random_bytes(32));
+
+echo "✅ Generated secure JWT secret:\n";
+echo "\n";
+echo "   " . $secret . "\n";
+echo "\n";
+echo "========================================\n";
+echo "\n";
+
+echo "📋 How to use:\n";
+echo "\n";
+echo "1. Copy the secret above\n";
+echo "\n";
+echo "2. Open: config/api.php\n";
+echo "\n";
+echo "3. Replace this line:\n";
+echo "   'jwt_secret' => 'YourSuperSecretKeyChangeMe',\n";
+echo "\n";
+echo "4. With:\n";
+echo "   'jwt_secret' => '" . $secret . "',\n";
+echo "\n";
+echo "========================================\n";
+echo "\n";
+
+echo "⚠️  SECURITY NOTES:\n";
+echo "\n";
+echo "• Keep this secret PRIVATE (never commit to Git)\n";
+echo "• Use different secrets for dev/staging/production\n";
+echo "• Generate a new secret if compromised\n";
+echo "• Changing the secret invalidates all existing tokens\n";
+echo "\n";
+
+echo "💡 TIP: For environment variables (.env file):\n";
+echo "   JWT_SECRET=" . $secret . "\n";
+echo "\n";
+
+// Option: Save to file
+echo "📁 Save to file? (y/n): ";
+$handle = fopen("php://stdin", "r");
+$line = trim(fgets($handle));
+
+if (strtolower($line) === 'y') {
+    $filename = 'jwt_secret_' . date('Y-m-d_His') . '.txt';
+    file_put_contents($filename, $secret);
+    echo "✅ Saved to: " . $filename . "\n";
+    echo "⚠️  Remember to delete this file after updating your config!\n";
+    echo "\n";
+}
+
+echo "Done! 🎉\n";
+echo "\n";

scripts/generate_secrets.php

@@ -0,0 +1,183 @@
+<?php
+/**
+ * Security Secrets Generator
+ * 
+ * Generates all security secrets needed for production deployment:
+ * - JWT secret (for token signing)
+ * - API keys (for API key authentication)
+ * - Database encryption key (optional)
+ * 
+ * Usage:
+ *   php scripts/generate_secrets.php
+ * 
+ * @package PHP-CRUD-API-Generator
+ * @version 1.0.0
+ */
+
+echo "\n";
+echo "╔════════════════════════════════════════╗\n";
+echo "║   SECURITY SECRETS GENERATOR          ║\n";
+echo "║   PHP-CRUD-API-Generator v1.4.0       ║\n";
+echo "╚════════════════════════════════════════╝\n";
+echo "\n";
+
+echo "Generating cryptographically secure secrets...\n";
+echo "\n";
+
+// Generate secrets
+$jwtSecret = bin2hex(random_bytes(32));      // 64-char hex (256-bit)
+$apiKey1 = bin2hex(random_bytes(32));        // 64-char hex
+$apiKey2 = bin2hex(random_bytes(32));        // 64-char hex
+$encryptionKey = bin2hex(random_bytes(32));  // For future use
+
+echo "========================================\n";
+echo "  GENERATED SECRETS\n";
+echo "========================================\n";
+echo "\n";
+
+// JWT Secret
+echo "1️⃣  JWT SECRET (for token signing):\n";
+echo "\n";
+echo "   " . $jwtSecret . "\n";
+echo "\n";
+echo "   Update in config/api.php:\n";
+echo "   'jwt_secret' => '" . $jwtSecret . "',\n";
+echo "\n";
+
+// API Keys
+echo "========================================\n";
+echo "\n";
+echo "2️⃣  API KEYS (for API key authentication):\n";
+echo "\n";
+echo "   Key #1: " . $apiKey1 . "\n";
+echo "   Key #2: " . $apiKey2 . "\n";
+echo "\n";
+echo "   Update in config/api.php:\n";
+echo "   'api_keys' => [\n";
+echo "       '" . $apiKey1 . "',\n";
+echo "       '" . $apiKey2 . "',\n";
+echo "   ],\n";
+echo "\n";
+
+// Database Encryption Key (optional)
+echo "========================================\n";
+echo "\n";
+echo "3️⃣  DATABASE ENCRYPTION KEY (optional):\n";
+echo "\n";
+echo "   " . $encryptionKey . "\n";
+echo "\n";
+echo "   Use for encrypting sensitive data in database\n";
+echo "\n";
+
+// Environment Variables Format
+echo "========================================\n";
+echo "  FOR .env FILE\n";
+echo "========================================\n";
+echo "\n";
+echo "JWT_SECRET=" . $jwtSecret . "\n";
+echo "API_KEY_1=" . $apiKey1 . "\n";
+echo "API_KEY_2=" . $apiKey2 . "\n";
+echo "ENCRYPTION_KEY=" . $encryptionKey . "\n";
+echo "\n";
+
+// Security warnings
+echo "========================================\n";
+echo "  ⚠️  SECURITY WARNINGS\n";
+echo "========================================\n";
+echo "\n";
+echo "✓ Keep these secrets PRIVATE and SECURE\n";
+echo "✓ Never commit secrets to Git\n";
+echo "✓ Use different secrets for dev/staging/production\n";
+echo "✓ Store in environment variables or secure vault\n";
+echo "✓ Rotate secrets regularly (every 90 days)\n";
+echo "✓ Changing JWT secret invalidates all tokens\n";
+echo "\n";
+
+// Save option
+echo "========================================\n";
+echo "\n";
+echo "💾 Save secrets to file? (y/n): ";
+$handle = fopen("php://stdin", "r");
+$line = trim(fgets($handle));
+
+if (strtolower($line) === 'y') {
+    $timestamp = date('Y-m-d_His');
+    $filename = 'secrets_' . $timestamp . '.txt';
+    
+    $content = "# Generated Security Secrets\n";
+    $content .= "# Date: " . date('Y-m-d H:i:s') . "\n";
+    $content .= "# ⚠️  DELETE THIS FILE AFTER COPYING SECRETS!\n";
+    $content .= "\n";
+    $content .= "========================================\n";
+    $content .= "JWT SECRET:\n";
+    $content .= "========================================\n";
+    $content .= $jwtSecret . "\n";
+    $content .= "\n";
+    $content .= "========================================\n";
+    $content .= "API KEYS:\n";
+    $content .= "========================================\n";
+    $content .= "Key #1: " . $apiKey1 . "\n";
+    $content .= "Key #2: " . $apiKey2 . "\n";
+    $content .= "\n";
+    $content .= "========================================\n";
+    $content .= "ENCRYPTION KEY:\n";
+    $content .= "========================================\n";
+    $content .= $encryptionKey . "\n";
+    $content .= "\n";
+    $content .= "========================================\n";
+    $content .= ".env FORMAT:\n";
+    $content .= "========================================\n";
+    $content .= "JWT_SECRET=" . $jwtSecret . "\n";
+    $content .= "API_KEY_1=" . $apiKey1 . "\n";
+    $content .= "API_KEY_2=" . $apiKey2 . "\n";
+    $content .= "ENCRYPTION_KEY=" . $encryptionKey . "\n";
+    $content .= "\n";
+    $content .= "========================================\n";
+    $content .= "config/api.php FORMAT:\n";
+    $content .= "========================================\n";
+    $content .= "'jwt_secret' => '" . $jwtSecret . "',\n";
+    $content .= "'api_keys' => ['" . $apiKey1 . "', '" . $apiKey2 . "'],\n";
+    $content .= "\n";
+    
+    file_put_contents($filename, $content);
+    
+    echo "\n";
+    echo "✅ Secrets saved to: " . $filename . "\n";
+    echo "\n";
+    echo "⚠️  IMPORTANT:\n";
+    echo "   1. Copy secrets to your config/api.php or .env\n";
+    echo "   2. DELETE THIS FILE: " . $filename . "\n";
+    echo "   3. Never commit this file to Git!\n";
+    echo "\n";
+    
+    // Add to .gitignore automatically
+    $gitignorePath = __DIR__ . '/../.gitignore';
+    if (file_exists($gitignorePath)) {
+        $gitignoreContent = file_get_contents($gitignorePath);
+        if (strpos($gitignoreContent, 'secrets_*.txt') === false) {
+            file_put_contents($gitignorePath, "\n# Generated secrets files\nsecrets_*.txt\n", FILE_APPEND);
+            echo "✅ Added 'secrets_*.txt' to .gitignore\n";
+        }
+    }
+} else {
+    echo "\n";
+    echo "⚠️  Make sure to copy the secrets above before closing!\n";
+}
+
+echo "\n";
+echo "========================================\n";
+echo "  📚 NEXT STEPS\n";
+echo "========================================\n";
+echo "\n";
+echo "1. Update config/api.php with new secrets\n";
+echo "2. Or create .env file with environment variables\n";
+echo "3. Test authentication with new secrets\n";
+echo "4. Deploy to production\n";
+echo "\n";
+echo "📖 Documentation:\n";
+echo "   - docs/AUTHENTICATION.md\n";
+echo "   - docs/AUTH_QUICK_REFERENCE.md\n";
+echo "\n";
+
+echo "Done! 🎉\n";
+echo "\n";