jyoungblood / darkwave Goto Github PK

NEW VERSION 2024 (pre-HEQ) - 0.6.3

• new slime + jy deps + document other new changes? - from this commit: 24b2ebd

• ?? any new easy quick features? (fine if not)

  • org roadmap, find low-hanging fruit

dw roadmap & project cleanup

• ?? new dw version 0.6.1 (looks like it's been started?) what's new? users stuff?

  • do we want to leave the env file out? (it's not there by default, should we leave it in the gitignore? (i added it but it's commented out))

• not using new dw for blu, but want to get reference material sorted (some of it is applicable)

• simple initial & usable docs site (using evolution of readme & demo material

• functional demo (just the demo page, maybe a login app but you can’t write to it…still do the login tho)

• public roadmap (sort siyuan roadmap, move important ones to GH)

  • all issues on GH, organized into roadmap/board

dw 0.6.3 - user updates for auth routes

• isset(GLOBALS['is_admin']) --> !(isset(GLOBALS['is_admin']))

• for user-edit (which is the crud example for everything) - only use save/delete if $GLOBALS['user_id'] == $user['_id'] or isset($GLOBALS['is_admin'])

  • see sme - /donation/{donation_id}

    • if (!isset(GLOBALS['is_admin']) && donation['donor_user_id'])){

  • for the user ones it could be

    • if (!(isset(GLOBALS['is_admin'])) || _POST['id']){

  • for others use the record lookup

    • _POST['_id']."'"); if (!(isset(GLOBALS['is_admin'])) || user['data'][0]['id']){

this is, like, everything i want to do with this system. need to sort it out into individual issues and make a roadmap.

0.7 - NEXT BIG CHANGES

• db defaults/conventions -- url_title —> url_slug ... or seo_slug ?? slug?

• sticky table headers

  • allegedly you can add position: sticky; top: 0; to the thead but that doesn’t work with this

• ?? use htmx for …. ajaxy htmx stuff

• css - need to include (blank) breakpoints for css (s/m/l/xl)

  • just have blank spaces in main stylesheet? (like we were doing in breakpoints.css for stereo, but in the main file?)

• arbitrary auth groups

• “right way” auth setup

  • app container
  • auth middleware
  • session-based auth **
    • Dw Slim session auth the right way
    • security lockout / revoke access
    • long-lived sessions (don’t want them to expire unless logging out or revoked)
  • dw auth ... is there a better way to do it than just checking the $GLOBALS['auth'] var? (better way to check than isset()?)

• auth rolling tips - "accidentally rolled my own auth again" - https://x.com/dillon_mulroy/status/1797996541262840172

• security patch/checkup (mitigate risks, make it as impervious to MOST threats as possible)

• base theme (no tabler)

• html web components

  • **HTML Web Components Are Having a Moment -**​https://cloudfour.com/thinks/html-web-components-are-having-a-moment/

    • includes reading list of articles that make the concept “click”

  • ?? native web components possible? - https://daverupert.com/2021/10/html-with-superpowers/

  • LEARN

    • html custom elements / web components

    • ?? easiest way to create/define

    • https://developer.mozilla.org/en-US/docs/Web/API/Web_components/Using_custom_elements

    • https://custom-elements-everywhere.com/

    • ?? https://stenciljs.com/

    • ?? https://hybrids.js.org/#/

    • ?? https://lit.dev/

    • how-to - https://htmlwithsuperpowers.netlify.app/

      • https://www.freecodecamp.org/news/write-components-that-work-in-any-framework

    • native components example - https://blog.jim-nielsen.com/2023/web-components-icon-galleries/

    • html web components - https://blog.jim-nielsen.com/2023/html-web-components/

      • and example - https://blog.jim-nielsen.com/2023/html-web-components-an-example/

    • **HTML web components -**​https://adactio.com/journal/20618

    • curated list of awesome framework-agnostic standalone web components - https://github.com/davatron5000/awesome-standalones#element-extensions

    • **The Good, The Bad, and The Web Components - Zach Leatherman | JSHeroes 2023 -**​https://www.youtube.com/watch?v=R4Ri4ft7bXY

    • Web Components Eliminate JavaScript Framework Lock-in - https://jakelazaroff.com/words/web-components-eliminate-javascript-framework-lock-in/

  • pre-built ui components based on lit - https://shoelace.style/

    • i’ve seen this a lot, never tried it
    • looks promising, lots of complex stuff i don’t want to develop
    • i guess it’s an alternative to tabler/bs in some respects…does it play nice w/ bootstrap?

• figure out FE / ui css base

  • ?? want to ditch bootstrap
  • love pines (it’s tailwind + alpine) - https://devdojo.com/pines
  • would prefer tw, but can we do it without build?

• templates/controllers org - just move the auth stuff back to their original places? (and not dw namespaced?)

  • it was kinda weird building SME bc the auth/user templates felt like they were in weird place

ROADMAP

• auth routes hack for titles in HEAD requests?

  • mostly for my purposes, if i paste a url into trello for a route that's admin only, it says "401 unauthorized"

  • would like to still have it render the title that would be rendered for the page if unauthorized

    • head request only
    • title only (can still return the same response)

• dw forms next

  • back-end error validation / reporting

    • want to also handle any error validation on the back end & make sure there are no problems (content types, etc)
    • show errors and prevent submission/updating if there are problems

• modals dismiss by hitting enter (er, hitting enter has the same effect as focusing the big button and clicking)

  • check that the tabs work to change selection among multiple buttons as intended
  • hitting esc works to dismiss, right?

• modals - running validation on modal forms? (like on the close event, add a function that runs the default form validation?) … ok to just be a pattern (copy/paste code)

• dw.js - add radio_validate() functionality

  • want to hook this to the same error reporting as the rest (so there's only 1 error dialog)

    • move the 'valid' var to dw.form_valid
    • proper way to do that and still have it work correctly (/restart) whenever function is run again (need to add "was-validated" to the form?)

  • i did something that works for the SME donation form, but would like an easier more “integrated” solution (don’t want to have to write custom validation for this shit)

• db creation stuff - should we enforce encoding colation? or should that just be the developer’s responsibility?

  • ideally should be:

    • charset: utf8mb4
    • collation: utf8mb4_general_ci

• boilerplate - ?? should auth-forgot (et al) do the same kind of validation & submission prevention the other (normal) forms (like register) are doing? (forgot doesn't)

• global email theme / templates (for auth registration & pw reset emails)

  • use html email templates for registration/reset emails? - see SME (email to haley on dontation submit)

  • dw email templates

    • have boilerplate / examples for typical kinds of emails (transactional, notification, pw reset, etc)
    • hidden preview text boilerplate - https://www.litmus.com/blog/the-little-known-preview-text-hack-you-may-want-to-use-in-every-email

• dw - add global email templates

  • started in SME using ocean global tpl
  • docs (xu) update - you can have a layout for the html email too (er, layout param works for render::handlebars, as you might expect)

• html email w/ hbs?

  • ?? easiest way to use hbs render to compile html to feed to the mailer?
  • like this!!

    \\\\VPHP\\\\x::email_send([
      'to' => '[email protected]',
      // 'to' => '[email protected]',
      'from' => '"'.$_ENV['SITE_TITLE'].'" <notifications@'.$_ENV['MAILGUN_DOMAIN'].'>',
      'subject' => 'New test from debug w template ',
      'html' => true,
      'message' => render::handlebars([
        'layout' => '_layouts/email',
        'template' => 'email/new-donation',
        'data' => [
          'donation' => $donation,
          'donor' => $donor
        ]
      ])
    ]);
  
  

• dw default use html email template that matches site style

  • stripped down html defaults that match the template
  • make a note in the docs "when you change the site's style you'll probably want to update the email templates, but we have a nice generic default"

• cool default email templates (similar to the style of blu/api.o or this: https://github.com/mailgun/transactional-email-templates )

  • same but from postmark - https://github.com/ActiveCampaign/postmark-templates
  • similar from foundation - https://get.foundation/emails/email-templates.html

• remove datepicker altogether? native html date fields are fine (and pretty good now)

• dw-utilities-js - form_validate - mark "required" fields that have had values filled OK for the next pass

  • ?? i can't remember if i did this or not, need to do some more testing
  • related: want to do the regular js form validations without having to add the data-validate=”” attribute to the containing div (ideally we could just look up the parent container div and not have to specify ANOTHER thing)

• dw register form - submit on enter?

  • add x-on:keydown.enter="submit()" like login form
  • add to all fields? or just the last one? (that's what i did for SME)

dw custom field validation rules

• cool to be able to add custom checks (callback/ pass-through function) to "save" or "delete" helpers

  • you can define your own logic for validating whatever (or if you need to call something or do special checks) ... return true and the process continues, return false and the process stops (with an optional error message?)

dw demo/docs - need to note the versions of each library/fw being included? (like alpine, etc)

dw wysiwyg solution w/ alpine/tw? - https://codepen.io/ScottWindon/full/dyOJqMq

• this one uses tw, but could make a version that uses bootstrap, prob

dw default (users edit) add redirect params (from SME - {{#if GET.redirect}}{{GET.redirect}}{{else}}/users/{{/if}})

dw org - should the users list/edit be part of the regular templates? (instead of in the dw folder?)

• dw bug (all "unauthorized" templates)

  • 'template' => 'error',

    • should be: 'template' => 'dw/error',

  • i think it's just like that on users

  • auth-account doesn't have it (but maybe it should?)

• dw auth - should "unauth" checks on templates/routes also check for auth?

  • currently: if (isset(GLOBALS['is_admin'])){
  • could be: if (!isset(GLOBALS['auth']) && !isset($GLOBALS['is_admin']))){

• dw - default unauthorized message - "you are not authorized to view this page"

• it's like that in most places but in some it's "use this resource"

• ** actually this is probably fine …. the “resource” message is on api routes only (right?) **

• dw save - not always run on first click (feels broken) ... is it the validate function? doesn't consistently happen, but it happens and it feels broken

• dw authenticate() - need ability to manage what's saved with locals.identity? (ex, for sme i wanted to add email and show it instead of screenname

  • i ended up changing dw::authenticate() and dw::generate_jwt()

• dw default base - multiple id="navbar-menu" ... submenu should be id="navbar-submenu"

• ?? should .gitignore block .ini files? (sme has user.ini & php.ini ... we want them in this repo, but is it normal to not want them?)

  • also should we have the .env one in there but commented out? (to encourage "best practices")

• dw - should composer-create be hxgf/darkwave instead of hxgf/dw?

• test - try other dbs (sqlite, postgres)

  • maybe try on other platforms? (localhost, shared host, vercel, etc)

• what about using env vars for other vphp stuff that expects GLOBALS vars? (ex: email_send)

• bug / weird thing? on our server (eqkh) if i don’t have the cpanel rules (for the ea/php.ini settings), on every few page loads the nav links are all the default color (purple) before they’re changed to the right one (FOUT but just for the nav links) … everything else (even tabler-related stuff) is pretty much the same

  • also it’s doing a weird CLS behavior in the nav (bc the height is set on the image but the width is not … i think it has something to do w/ the tabler stylesheet specifically

• auth - groups update

  • use groups from a table (w/ uuid _id fields instead of 1/2/3/4)
  • use group_id for token
  • screens to manage groups (list + edit)
  • allow users to be part of multiple groups

• set up auth the “right” way

  • auth / middleware - set up auth middleware & app container

  • latest version in desktop folder: dw/dw-future/fw-auth-middleware.php

  • determine ideal middleware + container setup

    • https://www.slimframework.com/docs/v4/concepts/middleware.html
    • https://www.slimframework.com/docs/v4/concepts/di.html
    • ?? https://www.slimframework.com/docs/v4/objects/routing.html#container-resolution
    • skeleton inspo https://github.com/slimphp/Slim-Skeleton/blob/master/public/index.php

  • ?? **Authentication With Slim 4 -**​https://www.youtube.com/watch?v=3Hg2WPwDyG8&t=5s

    • https://www.youtube.com/watch?v=l662In2_J1w

    • https://www.youtube.com/watch?v=R4qQofznCHA

    • want to watch this whole series?

      • i’m annoyed with all the galaxy-brained optimizations and abstractions, but …

    • ?? where is this auth package coming from?

  • slim basic auth - https://github.com/tuupola/slim-basic-auth

  • ?? figure out the right time to run the middleware (after we’ve checked for auth & before rendering the controller/template

  • ?? get the middleware to work with an app container

    • FUCK IT I AM SO TIRED OF FUCKING WITH THIS

    • publish composer package (& include w/ dw)

  • easiest & most effective way to do session auth? need to be able to lock someone out / revoke their access (if logged in)

    • should we do actual sessions? (instead of just an open-ended cookie)

      • db vs stateless?

      • using actual php sessions?

        • https://www.reddit.com/r/PHP/comments/ado2ag/php_session_vs_jwt_whats_your_opinions/
        • http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ **
        • http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/
        • https://security.stackexchange.com/questions/141353/jwt-vs-sessions

    • https://mcvendrell.medium.com/a-simple-login-auth-project-with-slim-framework-4-29f73d4e1d55

      • https://github.com/mcvendrell/SlimFramework4LoginAuth

    • https://discourse.slimframework.com/t/slim-4-and-auth-middleware-passing-the-username-to-the-app/4719

    • https://github.com/darkalchemy/Slim-Auth

    • ?? https://github.com/fritsvt/slim-auth-boilerplate

    • https://stackoverflow.com/questions/35949317/how-to-log-user-in-and-out-in-slim-rest-framework-using-slim-session-middleware

    • https://github.com/mcvendrell/SlimFramework4LoginAuth

    • ?? https://stackoverflow.com/questions/26108746/authentication-in-slim-is-a-combined-middleware-singleton-and-hook-approach-sm

    • https://odan.github.io/slim4-skeleton/session.html

    • session middleware - https://discourse.slimframework.com/t/slim4-session-data/3487

    • auth middleware?

      • https://discourse.slimframework.com/t/auth-middleware-in-slim-4/4179/4

    • security lockout - also want to be able to lock people (any users) out by changing their password and/or adding them to the block list or deleting their accounts (break existing logins/sessions…none of this works rn)

      • need to keep a list of blocked/denied tokens
      • ?? is there an easier way? - https://stackoverflow.com/questions/64925738/jwt-token-revoke-for-specific-user-on-deactivate-account

    • make the “blocked” user group work (it won’t do new logins, but won’t revoke any current logins)

    • https://www.google.com/search?q=php+session+auth+revoke+active&oq=php+session+auth+revoke+active&aqs=chrome..69i57j69i64.4675j0j1&sourceid=chrome&ie=UTF-8

    • delight-im/PHP-Auth#52

    • https://www.php.net/manual/en/features.session.security.management.php

    • https://stackoverflow.com/questions/9001702/php-session-destroy-on-log-out-button

    • https://stackoverflow.com/questions/35949317/how-to-log-user-in-and-out-in-slim-rest-framework-using-slim-session-middleware

    • example concept w/ other fw (enhance)

      • https://begin.com/blog/posts/2023-02-03-bulletproof-sessions-with-httponly-cookies
      • ?? https://github.com/brianleroux/enhance-example-single-player-auth

  • misc auth notes from twitter posts

    • Imagine building an app without thinking about any of this - https://twitter.com/devagrawal09/status/1686978368246280192

      • “using an auth service is fine, but i would pay 5x the price to own my users table outright”

    • Session, cookie, JWT, token, SSO, and OAuth 2.0 - what are they? - https://twitter.com/bytebytego/status/1685895102445879296

    • “just match credentials on login, send back a 12-hour JWT, and store it in local storage. Send the JWT on each request. Use some built-in JWT middleware and authorisation policies in your API. Access ID and claims from JWT. Done in less than a few hours.” - https://twitter.com/jtalsby/status/1685417655879249920

  • Using JWT authentication middleware as a line of defense in a PHP API. - https://twitter.com/garyclarketech/status/1723709286629388507

    • https://garyclarketech.teachable.com/courses/test-driven-php/lectures/50190267 **

  • Navigating the World of JWT: A Comprehensive Guide - https://ssojet.com/blog/navigating-the-world-of-jwt-a-comprehensive-guide/?ref=dailydev

• security - risk mitigation (middleware updates, etc)

  • slim4 security options https://odan.github.io/slim4-skeleton/security.html

  • JWT updates?

    • actually probably don’t want to use JWT w/ new auth

    • figure out the right way to do jwt

      • https://www.loginradius.com/blog/engineering/guest-post/securing-php-api-with-jwt/ **

        • replacement for session storage

      • https://www.sitepoint.com/php-authorization-jwt-json-web-tokens/

      • https://coderwall.com/p/8wrxfw/goodbye-php-sessions-hello-json-web-tokens

    • set explicit expiration (& renew while using the site)

    • set extra claims required for oauth support

    • do we need to pw verify the auth token?

      • from the last stereo version: password_verify($GLOBALS['site_code'].'-'.$parsed['_id'], cookie::get('auth_token'))

    • jwt security best practices?

      • https://connect2id.com/products/nimbus-jose-jwt/vulnerabilities
      • https://security.stackexchange.com/questions/221827/storing-info-in-jwt-payload/221857#221857
      • https://security.stackexchange.com/questions/221827/storing-info-in-jwt-payload
      • https://dev.to/gkoniaris/how-to-securely-store-jwt-tokens-51cf

  • CORS, CSRF, XSS

    • better support for CORS (ex, multiple clients using api.ocean)
    • Htmx xss security settings https://twitter.com/gurleen_s_/status/1682815674828111872?s=46&t=l7wRi4wE6KFhNZJNnPZNmg

  • csrf cookie - double-submit technique? - https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf#:~:text=JWT should be stored in,site from any other site.

• slime symlink security patch

  • ?? More secure structure - set docroot to "public" subfolder (keep config outside publicly accessible areas)

  • subfolder of symlinks that you make the root folder

  • or just field guide instructions on “a more secure installation”

• get the composer package (utilities) to work as a standalone package (idk why it not working now? 500 errors when i try to use a function)

  • PHP Fatal error: Uncaught Error: Class "DW\\dw" not found in /home/darkwave/dev.darkwave.ltd/index.php:54

  • tail -f /home/darkwave/logs/dev_darkwave_ltd.php.error.log

  • ?? what is wrong here?

    • https://stackoverflow.com/questions/33289135/composer-gives-error-class-not-found
    • https://laracasts.com/discuss/channels/code-review/package-composer-psr-4-autoload-class-does-not-found
    • https://stackoverflow.com/questions/40126706/composer-autoloading-classes-not-found
    • https://dev.to/dechamp/php---how-to-fix-class--not-found-error-1gp9
    • composer/composer#7293
    • https://www.google.com/search?q=composer+package+PHP+Fatal+error%3A+Uncaught+Error%3A+Class+not+found&oq=composer+package+PHP+Fatal+error%3A++Uncaught+Error%3A+Class+not+found&aqs=chrome..69i57.5973j1j1&sourceid=chrome&ie=UTF-8
    • https://www.google.com/search?q=composer+package+class+not+found&oq=composer+package+class+not+found&aqs=chrome.0.0i512j0i22i30l3j0i390i650l3.3814j1j1&sourceid=chrome&ie=UTF-8

  • ?? try using a different namespace? (Darkwave)

  • make whatever required changes and publish again (just re-do 0.1)

• web components for more complex features (photo uploads)

  • and conventions for handling backend/server parts (single api endpoints? copy/paste code?)
  • ?? native web components?
  • or lit components? or solidjs?

• clean up header links (css/js - minimize libs, only include uploads on upload pages, etc)

  • right way to do dependency injection for FE libs?
  • after figuring out tabler/bs defaults/theme, have the default “theme” in a styles.css where it’s very easy to tell what to change

• tabler tweaks wanted

  • actually, the really problem is: we can’t customize tabler styles w/ :root{} ?

    • ugh it’s an issue w/ tabler 😭
    • ?? how is this supposed to work? - https://blog.getbootstrap.com/2022/05/16/using-bootstrap-css-vars/
    • https://tabler.io/docs/getting-started/customize
    • tabler/tabler#1579

  • modal foot

    • ?? no footer by default (only if it has buttons or footer_extra)

  • scrollbar style shouldn't change (bs default)

    • i fucking hate this so much. i love tabler but the custom scrollbars are a dealbreaker for me
    • it’s such a fucked up thing to force on users
    • https://ericwbailey.website/published/dont-use-custom-css-scrollbars/
    • especially for a lib that focuses so much on accessibility…this is a basic a11y issue
    • try some info from the scrollbar editor - https://scrollbar.app/

• kill tabler (& make a customized default theme?)

  • dw ui - just bs by default, GET params to view demo w/ various ui kits (tabler, hope, mdb, etc)

  • want to be bs-only … bring your own customizations / components if you want

  • build w/ your own ui kit (tabler if you want, or hope, bolt, mdb, etc)

  • alt ui kits (include all the “big” ones)

    • https://mdbootstrap.com/docs/standard/

      • https://www.jsdelivr.com/package/npm/mdb-ui-kit

    • https://github.com/iqonicdesignofficial/hope-ui-design-system

    • https://tabler.io/

    • https://demo.themesberg.com/volt/

    <script src="<https://cdn.jsdelivr.net/npm/[email protected]/js/mdb.min.js>"></script>
        <link href="<https://cdn.jsdelivr.net/npm/[email protected]/css/mdb.min.css>" rel="stylesheet">

  • ?? kill tabler && Dw —> mdb/hope (mit), lift whatever tabler customizations

• ?? or kill bs altogether and use shoelace or something?

  • https://shoelace.style/
  • or agnostic ui? https://www.agnosticui.com/
  • pico better?

• controllers/index.php - is it faster to individually require dw files?

  • we’re doing this bc after install/config it deletes the config controller

  • ?? do we need to have a primer on adding routes? (remember to link/require the file in index.php)

• dw demo/index updates

  • index is just resources

    • ?? index header update

      • small: dw 0.6.1
      • big: SITE TITLE

  • move demo / styleguide to /demo

• index demo - things you can do w/ the special libs

  • tablesort

  • tinymce

  • dropzone / uppy

  • litepicker

    • or maybe easepick - https://github.com/easepick/easepick/ ?
    • or go back to flatpickr?

• index demo - return links to theme builders?

  • https://components.ai/bootstrap-colors/XBZEtBPUHa7h6k8cp4Ai
  • https://huemint.com/bootstrap-basic/
  • https://themestr.app/
  • https://bootstrap.build/app **
  • tool - css grid layout generator - https://layout.bradwoods.io/
  • and link to the nice ui kits

  For more developed UI kits and design systems, check out <a href="<https://tabler.io/>" target="_blank">Tabler</a>, <a href="<https://hopeui.iqonic.design/>" target="_blank">Hope UI</a>, <a href="<https://mdbootstrap.com/>" target="_blank">MDB</a>, and <a href="<https://demo.themesberg.com/volt/>" target="_blank">Volt</a>.

• readme add badges (if there’s any relevant info we want to communicate quickly) - https://badgers.space/

• actually use htmx - idk how it would best be integrated

  • ?? replace dw “bespoke” functionality (form handling mostly, misc dw utilities)
  • ajax calls, reactive/”live” functionality

• ?? dw “utilities” pkgs (js, php) —> “dw core utilities” (single package?)

• actual tabler theme? - tabler/tabler#1260

• index demo - have a page in the docs that has the same content as the index demo

  • add copy/paste code blocks like bs icons - bs icons -https://icons.getbootstrap.com/icons/house/

• dw - authorized api endpoints - anything client-accessed (save, delete, etc) should require auth

• index demo / docs - want to generate a nice-looking cleaned-up version of structure diagram (from goodnotes) using [draw.io](http://draw.io/)

• index demo future more advanced examples

  • datepicker (litepicker? flatpickr?)
  • dropzone
  • wysiwyg text
  • table sort

• plugin/module for pwa features (app icon, manifest, metadata, etc)

• special version for easy deploy on vercel? - pdo w/ postgres

  • https://www.google.com/search?q=php+apps+on+vercel&oq=php+apps+on+vercel&aqs=chrome..69i57j0i22i30j0i390i650j69i64.3167j0j1&sourceid=chrome&ie=UTF-8
  • https://github.com/vercel-community/php
  • https://php.vercel.app/

• ?? want to remove installation process

  • .env.example instead
  • copy/paste sql for creating users table? command to init db?
  • how to handle other stuff install script does? jwt secret?

• install/config future - other default tables to write? (option to include sample content? (blog, sample users, etc)

• install - requirement pre-flight check script

  • pre-check (so you can see which features are available...tell people what they need to change in order to make it compatible...maybe offer a script?)

    • (could be a standalone script, but it also runs before install (maybe on page load?))
    • want to have a standalone version that can run against your production environment? (if your dev is local and then you deploy to a production server?)

  • install reqs

    • mysql user that can create/alter tables
    • ability to write to filesystem
    • default perms - upload 755, media 755
    • GD

• install - more robust error checking/handling - on error show error (in modal?)

  • incorrect db creds

    • check db access before starting
    • ?? do we need to do something different about how we’re showing connection errors? returns a “slim application error” page w/ 500 status & SQLSTATE error at beginning (need to send/read json on client)

  • files/dirs need to be writeable?

    • default perms - upload 755, media 755

  • couldn’t write file

  • missing required fields?

  • other error?

    • just make sure there are no errors before it deletes itself
    • catch errors better & show them & have a friendly "go back and fix" message

  • error test / correct logic flow (for edge cases, what happens if “initialize db” is not selected and “create admin user” is

    • need to conditionally require some fields? (if “initialize db” is checked, db fields need to be required
    • or for now just send descriptive errors when something breaks

• configuration script - check to make sure all required drivers are present

  • someone had an issue w/ their setup - #1

    • they were missing the php-mysql driver (edge case)
    • "this was a fresh instance where I had php and mysql installed but not the php-mysql driver"
    • installed driver and it was fine

  • want more verbose error reporting if there's an error like this (server/env config)

• edge edge case - missing isset() checks on variables in dw::authorize()

  • this happens if you're logged in but delete the contents of the .env file

    • [17-Jul-2023 13:27:54 UTC] PHP Warning: Undefined array key "JWT_SECRET" in /home/darkwave/dev.darkwave.ltd/darkwave.php on line 30
    • [17-Jul-2023 13:27:54 UTC] PHP Fatal error: Uncaught TypeError: PsrJwt\Factory\Jwt::parser(): Argument #2 ($secret) must be of type string, null given, called in /home/darkwave/dev.darkwave.ltd/darkwave.php on line 30

• dw::convert_image() - support more config options

  • see everything we can do here https://github.com/gumlet/php-image-resize

  • ?? additional photo manipulation config

    • Cropping options (next verison)
    • Automatic format conversion option (webp, etc)

  • support animated gifs

    • ?? have a way to use a different rendering engine for certain kinds of things (if phmagick)

• alt image conversion lib (gives us more options for effects too) - spatie image - https://github.com/spatie/image

• uploads - do an example of auto-save after upload (move save routes from /save to its own api route that just saves the photos to the appropriate record (ex users)

  • instead of /users/save it’s in its own route: /users/save-avatar

• upload BE - create media/* folders if they don’t exist

  • tried this doesn’t work … whatever

  if (!is_dir($_SERVER['DOCUMENT_ROOT'] . '/images/avatars/')) {
    mkdir($_SERVER['DOCUMENT_ROOT'] . '/images/avatars/', 0755, true);
  }

• dw.upload_initialize() config tweaks

  • dz_options.uploadmultiple - should show error? it doesn’t

  • update preview_html param

    • can we have template literals use values from upload_initialize (cfg, r, id)

      • https://stackoverflow.com/questions/22607806/defer-execution-for-es6-template-literals
      • aaaaaaaaaaaaaaa
      • wow ok https://stackoverflow.com/questions/30003353/can-es6-template-literals-be-substituted-at-runtime-or-reused

    • ?? OK NOW ability to custom define what post-upload looks like (currently it’s just mirroring what’s in the ‘’preview-image’ block

    • ?? OK NOW set custom preview_html param in dw.photo_upload_initialize() cfg (can’t do it now bc js errors from vars in in template

    • gracefully support non-photo uploads (like jcdv files)

  • cfg test/evolution - what if we wanted to overlay the dropzone on the image preview?

    • part of a more complex photo component
    • i would like this to be the default, though
    • concept: the whole photo is a dropzone, the controls appear when you mouse over
    • also on mouseover of the container, the “edit” and “delete” buttons appear right outside the photo

• upgrade to dropzone 6 (when it’s out of beta)

  • then we can remove Dropzone.autoDiscover = false;

• dw dz upload - make the avatar preview a dropzone still hover to delete/crop, but the controls are outside the dropzone

• add easy cropping lib (default options to crop avatars, constrain to proportions, etc)

  • https://fengyuanchen.github.io/cropperjs/ ***

  • alt crop lib

    • https://shpontex.github.io/cropme/
    • https://foliotek.github.io/Croppie/
    • https://markerjs.com/download/cropro (cool but not mit)
    • https://jamesooi.design/Croppr.js/ (cool but no rotate)
    • https://mattketmo.github.io/darkroomjs/ (no longer developed)
    • https://github.com/jwagner/smartcrop.js - content-aware auto-crop
    • http://willbamford.github.io/tinycrop/ (nice & simple but no rotate)
    • http://peterver.github.io/vanilla-image-cropper/
    • http://www.croppic.net/ (shitty ui)

  • modify backend photo resize to accommodate crop

• add gallery module (jcdv/mst)

• better default avatar (maybe one that looks like a person or something?)

• try integrating glide as an image resizing service

  • https://github.com/thephpleague/glide

  • https://glide.thephpleague.com/2.0/installation/

  • https://glide.thephpleague.com/2.0/config/setup/

  • composer require league/glide-slim

  • setup is kinda complex, maybe too much work for now

  • can we even get it to work w/ slim4? will it break in the future?

    • https://glide.thephpleague.com/2.0/config/integrations/slim/
    • https://github.com/thephpleague/glide-slim
    • "Root composer.json requires league/glide-slim ^1.0 -> satisfiable by league/glide-slim[1.0.0].
    • league/glide-slim 1.0.0 requires slim/slim ^3.0 -> found slim/slim[3.0.0, ..., 3.12.4] but it conflicts with your root composer.json require (4.*)."

• emails “from” address default / var in .env settings

• do we need to have a .env.example file? installation writes whatever, and we can just have an example in the docs?

• want to replace {{locals.year}} w/ {{date "now" "Y"}}

  • if so, do we want to change slime defaults?

  • ?? slime - remove year from locals?

    • in demo use {{date "now" "Y"}} instead of {{locals.year}}
    • maybe kill that in all current slime projects?

• components/partials for header nav bar(s)?

  • possible to do header injection w/ subnav partials?

  • ?? maybe w/ dynamic partials?

    • https://zordius.github.io/HandlebarsCookbook/9004-partials.html
    • https://stackoverflow.com/questions/18427507/using-variables-for-a-partial-template
    • https://github.com/zordius/lightncandy/issues?q=dynamic+partial
    • zordius/lightncandy#282

• header tweak - can we get hover states to work? (want to change opacity to .5 or .75 on hover)

  • ideally would love to add this to all buttons and links
  • same as custom .hover-o-90 in jcdv

• header tweak - separate “system” dropdown menu for admins? or better default wording to note which options (ie users) are system and which are personal? should this just be a gears icon? or just the avatar?

• theme dark mode (+ header toggle, like tabler preview)

• search demo evolution (users)

  • add pagination

    • using tabler components - https://preview.tabler.io/pagination.html

  • add search filters?

  • highlight specific search terms

  • more advanced search parameters (group, date joined range, etc)

  • link to reset

• form save buttons (account/user-edit) - alt save behavior options

  • “working-inline” version (save & reload behavior)

    • on save set save button to "working" state (instead of body)

    • on success, show message (instead of redirect)

      • either next to button, on button, or as a toast

    • or change button content - add loading icon & label for “saving” and check icon & label for “saved”

  • easy/elegant save & reload option like jcdv?

    • just like save except window.location.reload instead of .href change

  • ?? dropdown button w/ more options - copy/duplicate record, etc

• admin controls to re-send validation/pw links?

  • users list - show if a user hasn’t been validated

    • maybe have a validation queue? and admins can approve? (like vrc)

  • user-edit - (if not activated) add links to re-send activation link? & forgot pw hash link?

• submit ALL forms (login & edit) w/ cmd + enter

  • edit can currently be submitted w/ ctrl + enter, but i can’t get cmd to register for some reason

  • according to alpine docs you can use meta, but it doesn’t work - https://alpinejs.dev/directives/on

  • i was also using an event listener, but maybe there’s a working solution that’s cleaner? (using the alpine syntax?)

    document.querySelector('.edit-form').addEventListener('keydown', function (e) {
      if (e.keyCode == 13 && e.metaKey) {
        document.querySelector('[data-container="save"] button').click();
      }
    });

• dependencies / perf - would love to have better default pagespeed scores, but don’t want to have to do a bunch of extra crazy config/setup stuff to get it

  • the desktop version is fine, but mobile is slow (because of css/js libs)
  • suggestions here - https://pagespeed.web.dev/analysis/https-dev-darkwave-ltd

• evolve error templates

  • make it work for 500 errors? (or show any kind of error)

  • make it work for any kind of error (401, etc)

    • and figure out the right places to trigger (w/ auth middleware, i guess)

    • REF - most common http status codes (src - https://hackernoon.com/the-system-design-cheat-sheet-api-styles-rest-graphql-websocket-webhook-rpcgrpc-soap )

      • 2xx - Acknowledge and Success

        • 200 - OK
        • 201 - Created
        • 202 - Accepted

      • 3xx - Redirection

        • 301 - Moved Permanently
        • 302 - Found
        • 303 - See Other

      • 4xx - Client Error

        • 400 - Bad Request
        • 401 - Unauthorized
        • 403 - Forbidden
        • 404 - Not Found
        • 405 - Method Not Allowed

      • 5xx - Server Error

        • 500 - Internal Server Error
        • 501 - Not Implemented
        • 502 - Bad Gateway
        • 503 - Service Unavailable
        • 504 - Gateway Timeout

  • space for detailed messages (verbose reporting)

  • error handling how-to https://www.slimframework.com/docs/v4/middleware/error-handling.html

  • slimphp/Slim#2757

  • i just want to edit the default slim error template

    • don’t say “slim application error”
    • in dev mode have a cool looking debugging page
    • in production mode have a consistent error template w/ the 404 tpl

  • all the http error codes - https://www.google.com/search?q=http status codes cheat sheet&tbm=isch&hl=en-us&client=safari&sa=X&ved=0CHQQrNwCKAJqFwoTCIiqwKrcuf4CFQAAAAAdAAAAABAF&biw=375&bih=626#imgrc=Qbg6cfmLO6y47M&lnspr=W10=

• figure out the ideal rich text editor solution (quill still good? tinymce better? or something else?)

  • if quill, quill-output classes & docs notes (or kill the auto formatting?)

• ux - email notifications - styled templates (instead of plain text emails)

• ux - fine-tune the ux writing for auth process (want it to be generic but also nice and thoughtful)

• ?? onboard kitchen sink / elements page

  • copy/paste components
  • searchable
  • everything you can use
  • elements —> design system / style guide / (is there a better term?)
  • i’m planning on having something in the docs / field guide (components & patterns library / catalog) … probably don’t need to include it w/ the actual app

• dark mode + Easy themes - change the look of the app w a single style sheet , css vars, nice to have default light/dark mode options

  • there is a default theme you can edit, and a place to put your own styles (styles.css)

  • want to call them skins, have a single css file you can swap in and change the look

    • cool to have a visual editor where you can easily tweak all the values (similar to lips theme editor), save it and share it

  • theme catalog on the docs site?

  • admin themes - cool to have a few different defaults? (corporate, glassmorph, neuomorph, cyberpunk, win95, etc)

  • Dw themes that look like sites i’ve built Vrc Jcdv Blu Cb Etc

• dw.api_request

  • return error & error message for connection/server errors (currently not sending anything

    return {
    	error_type: 'connection',
    	error_message: 'Network error, check your connection and try again.'
    }

  • to be read in client as r.error.type, r.error.message

• dw.js - handle cookies like js cookie

  • or like this - https://stackoverflow.com/questions/14573223/set-cookie-and-get-cookie-with-javascript

• dw.js - make dw.api_fetch work (make api requests w/ fetch instead of XHR)

  • example usage from svelte experiment - https://bitbucket.org/purimage/blu-client/src/master/src/components/Login.svelte

  • make api_fetch work without the data parameter/object (formbody_encode throws an error if it’s not there, but want to be able to make a request w/ just the url param)

  • dw_fetch formbody progressive enhancement? - https://www.bram.us/2022/04/22/progressive-enhancement-and-html-forms-use-formdata/

• dw.js - anything else we want to integrate from 0x00 version?

  • in js/_o/lib

  • https://bitbucket.org/purimage/blu-client/src/master/src/lib/dw-utils.js

  • ?? could be used w/ module pattern:

    <script type="module">
      import dw from './js/dw-utils.js';
      dw.what();
    </script>

  • ?? desired fixes

• dw.js - .form_validate() required add support for radios & checkboxes

  • i came up with a way to do this for sme (see donate-form)

    • (and an easier version of doing this w/ jquery w/ voting.nrhya 2023)

  • honestly i hate doing this kind of shit without jquery...it's just too hard and it's against the spirit of the framework

    • ... which makes me think we should back to using jquery?

• dw.js - dw.toast() & dw.alert() - js triggers similar to modal, markup written and added dynamically using bootstrap components

• dw.js modal - close modal (click primary button) by pressing "enter”

• dw.js - modal - ?? is there a better way to trigger modals from js?

  • i can’t make it trigger a modal from js, although it’s possible, allegedly
  • can we do it and preserve all of our configuration?

• dw.js - dw.modal() future

  • dw modal - would like to add an onOpen() hook (event that happens right after the modal is opened)
  • modal form handlers - serialize all the form data and do something with it (make an api request)

  // fixit form submit function
      // 'form': dw.serialize(document.querySelector('#' + modal_id+ ' form'))
  

  • pre-configured “success” and “error” methods (ex: dw.modal.error())

    • that match the styles of the success/danger modals in the tabler demo - https://preview.tabler.io/modals.html
    • w/ the icons & vertical padding & colors & spacing & font sizes
    • dw.modal.alert(), dw.modal.confirm() - act just like native browser native (& smoke), built w/ dw.modal() (form handlers pre-wired w/ callbacks, etc)
    • dw modal abstractions - cool to have dw.error_alert() or something that shows a preconfigured danger themed alert with whatever content

  • more button alignment options

    • flex (hard left/right)
    • center
    • all left/right
    • flex

    // 2-col w-100 buttons
    
        <div class="w-100">
          <div class="row">
            <div class="col"><a href="#" class="btn w-100" data-bs-dismiss="modal">
              Go to dashboard
            </a></div>
            <div class="col"><a href="#" class="btn btn-success w-100" data-bs-dismiss="modal">
              View invoice
            </a></div>
          </div>
        </div>
    
    // also would love a full-width single button
    

  • more modal alignment options? (top/bottom/middle left/right/center)

  • would love to have a “pre-load” callback - so a function/action can be called when the modal is launched, then action can be done (form can be loaded, etc), maybe with an optional loading spinner?

  • modal - cool to have a flag to destroy after close? (the markup is left on the page otherwise)

  • modal - trigger click on primary/action modal button on “enter” keyup (esp if there’s only one)

• dw.validate_input()

  • make “unique” and “required” play nice (currently not throwing “required” error if there are both “unique” and “required” rules)

  • validation evolution (how to do it in an elegant way that can be extended)

    • checking type (is it an email?)

      • use js lib for validation - https://github.com/validatorjs/validator.js
      • did some “manual” email/name validation for mst - https://port164.com/contact/email

    • checking for uniqueness (is there a match of this in this specific table?)

  • would love to have a list of several kinds of errors

    • ex: required email for registration should be (and show errors for)

      • required
      • is unique
      • is an actual email address

  • make sure any errors are always sticky (’is-invalid’ class shouldn’t disappear until the validation error is resolved

    • also is it possible to force focus on the error elements without removing ‘is-invalid’ class?

  • also see oma - i did a simple regex email validate function on /apply/1

• dw.form_validate()

  • check that there are no error/invalid classes before returning “valid”

    • currently just checking for required

• FE components for complex functionality

  • components w/ args in lightncandy? - zordius/lightncandy#294

    • named arg? - https://zordius.github.io/HandlebarsCookbook/9900-lc-options.html
    • https://zordius.github.io/HandlebarsCookbook/LC-FLAG_NAMEDARG.html
    • https://zordius.github.io/HandlebarsCookbook/9002-helperoptions.html

  • package more complex components (uploader, text editor, etc) as web components w/ lit - https://lit.dev/

  • would shoelace help? https://shoelace.style/

    • looks ok, but idk if it gives us anything we don’t have

  • ?? how do we do this for dw/slime? - Componetizing chunks of html+css+js as single file components is incredibly useful, blade templates? (you can call templates as components and pass arguments?)

• FE dependencies - want to use asset packagist?

  • ?? asset packagist? - https://asset-packagist.org/site/about
  • get packages from npm or bower, install w/ composer, put into custom spots in your own application wow

• ext - x-utils / vphp email_send - send w/ smtp by default (& document easy config for sending email notifications w/ smtp creds in system screen, like pocketbase setup)

• ext - more hbs helpers (either add them here or use the new standalone hbs helpers (slime)

• security - should the “register” routes be disabled by default (for security?)

  • or just have a note in the docs - “depending on the kind of app your build, you may want to disable public registration” (i know i do in like 75% of the apps i build)
  • and/or should we have a manual approval queue for registrations (like vrc)

• middleware - public access - accept every http method from any location

  • auth middleware public support (explicitly set routes to be accessible from anywhere

  • for public calls, access control allow origin from all?

  • set headers to allow every http method from every location

    	header("Access-Control-Allow-Origin: *");
    	header("Access-Control-Allow-Headers: *");
    	header('Access-Control-Request-Method: GET, POST, PUT, DELETE, PATCH, COPY, SEARCH, HEAD, OPTIONS');
    

• middleware - making $req vars automatically available in templates?

  • stereo render_template - automatically send GET and POST variables to templates!

  • ?? also make GET/POST vars automatically available in forms?

    • how to make GET variables show in forms?? (shouldn't this just work automatically?) -- i guess you have to do it w/ js? https://stackoverflow.com/questions/5422265/how-can-i-pre-populate-html-form-input-fields-from-url-parameters
    • but would love to have this as an option to just happen automatically for stereo...

• plugin - BAAS suite

  • CMS functionality via plugins (admin panels, data editors, user mgmt, etc) - BAAS functionality

    • manage ux copy

    • manage password requirement rules

    • data collection manager

      • /grid editor like sequel pro

    • theme editor

  • lite version of pocketbase, supabase, etc

  • VERY EASY BAAS functions

• plugin - turn-key global notifictations (in header nav, like in tabler demo)

• plugin - premium auth/security suite - more “best practices” than the default

  • ?? Slime dw passkey ? Oauth?

  • oauth / 3rd-party login

  • support for passkeys? (need oauth implementation? need to change how we're doing auth?)

    • try passage - https://passage.1password.com/
    • ?? https://passage.1password.com/product/passkey-flex

  • text/email verification codes (connect your own trello accont)

  • special auth/config changes for security (jwt tokens regenerate/expire, sessions, etc)

• plugin - site settings update

  • set timezone?
  • settings - set error reporting levels?
  • settings - change dev mode
  • settings - add 3rd-party services back after better settings handling scheme is figured out (s3, mailgun, bitbucket, twilio, etc)

• plugin - favicons? - do we care? nice defaults & links to where to go to generate more?

• plugin - to send welcome email (from user screen & by default on user create, settings managed in app)

• saas-related plugins - generic privacy policy & terms of service boilerplate

  • simnilar layout w/ tabler license - https://preview.tabler.io/license.html?theme=light
  • (& maybe a generic “support” page w/ contact form?)

• ?? system/admin - ux copy settings manager

  • would it be cool to have a central place in the admin to manage the wording of all of the login/forgot pages? (like a “ux copy settings” page?)

    • ?? also change default wording - forgot pw action button (on form) - 'generate password reset link' ?

  • also the wording of the notification emails?

• ?? system/admin - do we want to support variable names for auth process links (/forgot, /login, etc) - currently hard-coded in back-end and templates

• add blu/mst seo_slug to js utilities?

  function seo_slug(text) {
      // stereo url slug does this?? #[^\\pL\\pN./-]+#
      return text.trim().replace("'", '').replace('"', '').replace(/[^A-Z0-9.-]+/ig, "-").toLowerCase().replace(/~*$/, '-');
    }

FUTURE UPDATES

• auth - validate_hash edge case

  • what if someone doesn’t activate their account (didn’t receive registration link, didn’t click) and then tries to reset their password (it will show unregistered address

    • and then if they try to create an account again? (it will show the address is already in use)

• auth (register, account, user-edit, forgot-reset) - enable option for password requirement rules & validation on new password fields

• auth - ability to add custom groups (plugin? default options?)

  • and users edit - show different groups on different screens (like vrc)

• dev mode utilities

  • they were useful for a little while, but not really necessary now…maybe cool to use them as plugins?

  // utilities for dev mode only
  
  if ($GLOBALS['settings']['mode'] == 'development'){
  
  	$app->get('/dw/uuid[/]', function ($req, $res, $args) {
      return render::text($req, $res, uniqid(uniqid()));
  	});
  
    $app->get('/dw/db-structure[/]', function ($req, $res, $args) {
  		$tf = '';
  		$html = "<div style='line-height: 180%; padding: 2rem;'>";
  		foreach ($GLOBALS['database']->query('show tables')->fetchAll(PDO::FETCH_ASSOC) as $table){
  			$table_name = $table['Tables_in_' . $GLOBALS['settings']['database']['name']];
  			$tf .= $table_name . "\\n";
  			$html .= "<h1>" . $table_name . "</h1>";
  			$_fields = [];
  			foreach ($GLOBALS['database']->query('DESCRIBE ' . $table_name)->fetchAll(PDO::FETCH_ASSOC) as $field){
  				if ($field['Field'] != 'id'){
  					$_fields[] = [$field['Field'] => $field['Type']];
  					$tf .= '  ' . $field['Field'] . '		' . $field['Type'] . "\\n";
  					$html .= '<span style="display: inline-block; width: 250px;">' . $field['Field'] . '</span> <span>' . $field['Type'] . '</span><br />';
  				}
  			}
  			$_tables[] = [
  				$table_name => $_fields
        ];
  
  			$tf .= "\\n";
  			$html .= "<br /><br />";
  		}
  		$html .= "</div>";
      return render::html($req, $res, $html);
  	});
  
  }

FE - form solutions wanted - find a good convenient easy way to cache fields client-side for forms with localstorage or sessionstorage, without ext dependencies (ok to write functions for dw.js, and clear fields on submit?)

• https://twitter.com/jamonholmgren/status/1720516241583174143

• automatic skeleton screens
• dw - "deploy to render" solution
  • recipe or whatever to do a simple install on render
  • instructions for how to work w/ this (ftp or set up your own env locally idk)
  • add a button to the readme

Hi, I keep getting this error when I try submitting the configuration, console says internal server error on configure/execute, im trying this on a fresh ec2 instance w Debian bullseye, mysql 8.0.33 and php 8.1 (with GD). Also I ran composer install without issues.

I also made sure www-data had permission to read/write/execute everything under the project directory.

I tried the db connection with two db users, including root.

I'm not seeing anything appear when I do tail -f error.log for both apache and mysql.

I confirmed that my sql bind-address is set to 'localhost'