35 min read
Building a Secure PHP MVC: A Production-Ready Architecture from Scratch
Frameworks abstract complexity, but understanding core architecture is vital for senior engineering. In this practical workshop, we construct a lean, security-first MVC skeleton from the ground up. We implement defense-in-depth strategies—including Argon2id hashing, anti-CSRF tokens, and output escaping—without the overhead of heavy third-party libraries.
Architecture Patterns
MVC Architecture
Model-View-Controller separates application concerns: Models handle data and business logic, Views render UI, and Controllers process requests and coordinate between them, enabling testability and maintainability.
┌─────────────────────────────────────────────┐
│ Request │
│ ↓ │
│ ┌────────────┐ │ ┌────────────┐ │
│ │ Controller │────┼───→│ Model │ │
│ └────────────┘ │ └────────────┘ │
│ │ │ │ │
│ ↓ │ ↓ │
│ ┌────────────┐ │ ┌────────────┐ │
│ │ View │←───┼────│ Data │ │
│ └────────────┘ │ └────────────┘ │
│ ↓ │
│ Response │
└─────────────────────────────────────────────┘
PHP Authentication MVP with Modern Architecture
I'll build you a production-ready authentication system using PHP 8.2+ features and proper MVP architecture.
Project Structure
auth-mvp/
├── composer.json
├── .env
├── .env.example
├── public/
│ ├── index.php
│ └── assets/
│ └── style.css
├── config/
│ └── app.php
├── database/
│ └── schema.sql
├── src/
│ ├── Core/
│ │ ├── Application.php
│ │ ├── Router.php
│ │ ├── Database.php
│ │ ├── Session.php
│ │ ├── Request.php
│ │ ├── Response.php
│ │ └── View.php
│ ├── Models/
│ │ └── User.php
│ ├── Repositories/
│ │ ├── UserRepositoryInterface.php
│ │ └── UserRepository.php
│ ├── Services/
│ │ └── AuthService.php
│ ├── Presenters/
│ │ └── AuthPresenter.php
│ ├── Validators/
│ │ └── AuthValidator.php
│ ├── Enums/
│ │ └── FlashType.php
│ └── Exceptions/
│ ├── ValidationException.php
│ └── AuthenticationException.php
├── templates/
│ ├── layouts/
│ │ └── main.php
│ └── auth/
│ ├── signup.php
│ └── signin.php
└── bootstrap.php
1. Composer Configuration
{ "name": "app/auth-mvp", "description": "Modern PHP Authentication MVP", "type": "project", "require": { "php": ">=8.2", "vlucas/phpdotenv": "^5.6" }, "require-dev": { "phpstan/phpstan": "^1.10" }, "autoload": { "psr-4": { "App\\": "src/" } }, "scripts": { "serve": "php -S localhost:8000 -t public", "analyse": "phpstan analyse src --level=8" }, "minimum-stability": "stable" }
2. Environment Configuration
# .env.example APP_NAME="Auth MVP" APP_ENV=production APP_DEBUG=false APP_URL=http://localhost:8000 DB_CONNECTION=mysql DB_HOST=127.0.0.1 DB_PORT=3306 DB_DATABASE=auth_mvp DB_USERNAME=root DB_PASSWORD= SESSION_LIFETIME=120
3. Database Schema
-- database/schema.sql CREATE DATABASE IF NOT EXISTS auth_mvp CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; USE auth_mvp; CREATE TABLE IF NOT EXISTS users ( id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY, email VARCHAR(255) NOT NULL UNIQUE, password_hash VARCHAR(255) NOT NULL, name VARCHAR(100) NOT NULL, email_verified_at TIMESTAMP NULL, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, INDEX idx_email (email), INDEX idx_created_at (created_at) ) ENGINE=InnoDB; CREATE TABLE IF NOT EXISTS sessions ( id VARCHAR(128) PRIMARY KEY, user_id BIGINT UNSIGNED NULL, ip_address VARCHAR(45) NULL, user_agent TEXT NULL, payload TEXT NOT NULL, last_activity INT UNSIGNED NOT NULL, INDEX idx_user_id (user_id), INDEX idx_last_activity (last_activity), FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE ) ENGINE=InnoDB;
4. Core Framework Classes
Application Bootstrap
<?php // bootstrap.php declare(strict_types=1); use Dotenv\Dotenv; require_once __DIR__ . '/vendor/autoload.php'; // Load environment variables $dotenv = Dotenv::createImmutable(__DIR__); $dotenv->load(); // Error handling based on environment if ($_ENV['APP_DEBUG'] === 'true') { error_reporting(E_ALL); ini_set('display_errors', '1'); } else { error_reporting(0); ini_set('display_errors', '0'); } // Timezone date_default_timezone_set('UTC');
Application Container
<?php // src/Core/Application.php declare(strict_types=1); namespace App\Core; use App\Repositories\UserRepository; use App\Repositories\UserRepositoryInterface; use App\Services\AuthService; use App\Presenters\AuthPresenter; use App\Validators\AuthValidator; final readonly class Application { private static ?self $instance = null; /** @var array<string, object> */ private array $container; private function __construct( public Database $database, public Session $session, public Router $router, public View $view, ) { $this->container = $this->buildContainer(); } public static function create(): self { if (self::$instance === null) { $database = new Database( host: $_ENV['DB_HOST'], database: $_ENV['DB_DATABASE'], username: $_ENV['DB_USERNAME'], password: $_ENV['DB_PASSWORD'], port: (int) $_ENV['DB_PORT'], ); $session = new Session( lifetime: (int) ($_ENV['SESSION_LIFETIME'] ?? 120), ); $router = new Router(); $view = new View(__DIR__ . '/../../templates'); self::$instance = new self($database, $session, $router, $view); } return self::$instance; } /** * @return array<string, object> */ private function buildContainer(): array { $userRepository = new UserRepository($this->database); $authValidator = new AuthValidator(); $authService = new AuthService($userRepository, $this->session); $authPresenter = new AuthPresenter( authService: $authService, validator: $authValidator, view: $this->view, session: $this->session, ); return [ UserRepositoryInterface::class => $userRepository, AuthService::class => $authService, AuthPresenter::class => $authPresenter, ]; } /** * @template T of object * @param class-string<T> $class * @return T */ public function get(string $class): object { return $this->container[$class] ?? throw new \RuntimeException("Service not found: {$class}"); } public function run(): void { $this->session->start(); $request = Request::createFromGlobals(); $response = $this->router->dispatch($request, $this); $response->send(); } }
Router
<?php // src/Core/Router.php declare(strict_types=1); namespace App\Core; use Closure; final class Router { /** @var array<string, array<string, array{handler: Closure, middleware: array<string>}>> */ private array $routes = []; public function get(string $path, Closure $handler, array $middleware = []): self { return $this->addRoute('GET', $path, $handler, $middleware); } public function post(string $path, Closure $handler, array $middleware = []): self { return $this->addRoute('POST', $path, $handler, $middleware); } private function addRoute(string $method, string $path, Closure $handler, array $middleware): self { $this->routes[$method][$path] = [ 'handler' => $handler, 'middleware' => $middleware, ]; return $this; } public function dispatch(Request $request, Application $app): Response { $method = $request->method; $path = $request->path; $route = $this->routes[$method][$path] ?? null; if ($route === null) { return Response::html( content: '<h1>404 - Page Not Found</h1>', status: 404 ); } try { // Process middleware foreach ($route['middleware'] as $middlewareClass) { $middleware = match ($middlewareClass) { 'guest' => $this->guestMiddleware($app), 'auth' => $this->authMiddleware($app), default => null, }; if ($middleware instanceof Response) { return $middleware; } } return ($route['handler'])($request, $app); } catch (\Throwable $e) { if ($_ENV['APP_DEBUG'] === 'true') { throw $e; } return Response::html( content: '<h1>500 - Server Error</h1>', status: 500 ); } } private function guestMiddleware(Application $app): ?Response { if ($app->session->isAuthenticated()) { return Response::redirect('/'); } return null; } private function authMiddleware(Application $app): ?Response { if (!$app->session->isAuthenticated()) { return Response::redirect('/signin'); } return null; } }
Request
<?php // src/Core/Request.php declare(strict_types=1); namespace App\Core; final readonly class Request { /** * @param array<string, mixed> $query * @param array<string, mixed> $post * @param array<string, string> $server * @param array<string, string> $cookies */ private function __construct( public string $method, public string $path, public array $query, public array $post, public array $server, public array $cookies, ) {} public static function createFromGlobals(): self { $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/'; return new self( method: strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET'), path: rtrim($path, '/') ?: '/', query: $_GET, post: $_POST, server: $_SERVER, cookies: $_COOKIE, ); } public function input(string $key, mixed $default = null): mixed { return $this->post[$key] ?? $this->query[$key] ?? $default; } public function string(string $key, string $default = ''): string { $value = $this->input($key, $default); return is_string($value) ? trim($value) : $default; } public function all(): array { return [...$this->query, ...$this->post]; } public function ip(): string { return $this->server['HTTP_X_FORWARDED_FOR'] ?? $this->server['REMOTE_ADDR'] ?? '0.0.0.0'; } public function userAgent(): string { return $this->server['HTTP_USER_AGENT'] ?? ''; } public function isMethod(string $method): bool { return $this->method === strtoupper($method); } }
Response
<?php // src/Core/Response.php declare(strict_types=1); namespace App\Core; final readonly class Response { /** * @param array<string, string> $headers */ private function __construct( private string $content, private int $status, private array $headers, ) {} public static function html(string $content, int $status = 200): self { return new self( content: $content, status: $status, headers: ['Content-Type' => 'text/html; charset=UTF-8'], ); } public static function redirect(string $url, int $status = 302): self { return new self( content: '', status: $status, headers: ['Location' => $url], ); } public static function json(mixed $data, int $status = 200): self { return new self( content: json_encode($data, JSON_THROW_ON_ERROR), status: $status, headers: ['Content-Type' => 'application/json'], ); } public function send(): never { http_response_code($this->status); foreach ($this->headers as $name => $value) { header("{$name}: {$value}"); } echo $this->content; exit; } }
Database
<?php // src/Core/Database.php declare(strict_types=1); namespace App\Core; use PDO; use PDOStatement; final class Database { private ?PDO $pdo = null; public function __construct( private readonly string $host, private readonly string $database, private readonly string $username, private readonly string $password, private readonly int $port = 3306, ) {} public function connection(): PDO { if ($this->pdo === null) { $dsn = "mysql:host={$this->host};port={$this->port};dbname={$this->database};charset=utf8mb4"; $this->pdo = new PDO( $dsn, $this->username, $this->password, [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_STRINGIFY_FETCHES => false, ], ); } return $this->pdo; } /** * @param array<string, mixed> $params */ public function query(string $sql, array $params = []): PDOStatement { $stmt = $this->connection()->prepare($sql); $stmt->execute($params); return $stmt; } /** * @param array<string, mixed> $params * @return array<string, mixed>|null */ public function fetchOne(string $sql, array $params = []): ?array { $result = $this->query($sql, $params)->fetch(); return $result !== false ? $result : null; } /** * @param array<string, mixed> $params * @return array<int, array<string, mixed>> */ public function fetchAll(string $sql, array $params = []): array { return $this->query($sql, $params)->fetchAll(); } /** * @param array<string, mixed> $data */ public function insert(string $table, array $data): int { $columns = implode(', ', array_keys($data)); $placeholders = implode(', ', array_map(fn($k) => ":{$k}", array_keys($data))); $sql = "INSERT INTO {$table} ({$columns}) VALUES ({$placeholders})"; $this->query($sql, $data); return (int) $this->connection()->lastInsertId(); } }
Session
<?php // src/Core/Session.php declare(strict_types=1); namespace App\Core; use App\Enums\FlashType; use App\Models\User; final class Session { private bool $started = false; public function __construct( private readonly int $lifetime = 120, ) {} public function start(): void { if ($this->started) { return; } if (session_status() === PHP_SESSION_ACTIVE) { $this->started = true; return; } session_set_cookie_params([ 'lifetime' => $this->lifetime * 60, 'path' => '/', 'domain' => '', 'secure' => isset($_SERVER['HTTPS']), 'httponly' => true, 'samesite' => 'Lax', ]); session_start(); $this->started = true; // Regenerate ID periodically for security if (!isset($_SESSION['_created'])) { $_SESSION['_created'] = time(); } elseif (time() - $_SESSION['_created'] > 1800) { session_regenerate_id(true); $_SESSION['_created'] = time(); } } public function regenerate(): void { session_regenerate_id(true); $_SESSION['_created'] = time(); } public function set(string $key, mixed $value): void { $_SESSION[$key] = $value; } public function get(string $key, mixed $default = null): mixed { return $_SESSION[$key] ?? $default; } public function has(string $key): bool { return isset($_SESSION[$key]); } public function remove(string $key): void { unset($_SESSION[$key]); } public function destroy(): void { $_SESSION = []; if (ini_get('session.use_cookies')) { $params = session_get_cookie_params(); setcookie( session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly'], ); } session_destroy(); $this->started = false; } // Authentication helpers public function setUser(User $user): void { $this->regenerate(); $this->set('user_id', $user->id); $this->set('user_email', $user->email); $this->set('user_name', $user->name); } public function getUser(): ?array { if (!$this->isAuthenticated()) { return null; } return [ 'id' => $this->get('user_id'), 'email' => $this->get('user_email'), 'name' => $this->get('user_name'), ]; } public function isAuthenticated(): bool { return $this->has('user_id'); } // CSRF Protection public function csrf(): string { if (!$this->has('_csrf_token')) { $this->set('_csrf_token', bin2hex(random_bytes(32))); } return $this->get('_csrf_token'); } public function validateCsrf(string $token): bool { return hash_equals($this->csrf(), $token); } // Flash messages public function flash(FlashType $type, string $message): void { $flashes = $this->get('_flashes', []); $flashes[] = ['type' => $type->value, 'message' => $message]; $this->set('_flashes', $flashes); } /** * @return array<int, array{type: string, message: string}> */ public function getFlashes(): array { $flashes = $this->get('_flashes', []); $this->remove('_flashes'); return $flashes; } // Old input for form repopulation public function flashInput(array $input): void { $this->set('_old_input', $input); } public function old(string $key, string $default = ''): string { $oldInput = $this->get('_old_input', []); $value = $oldInput[$key] ?? $default; return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); } public function clearOldInput(): void { $this->remove('_old_input'); } }
View
<?php // src/Core/View.php declare(strict_types=1); namespace App\Core; final readonly class View { public function __construct( private string $templatePath, ) {} /** * @param array<string, mixed> $data */ public function render(string $template, array $data = [], ?string $layout = 'layouts/main'): string { $content = $this->renderTemplate($template, $data); if ($layout !== null) { $content = $this->renderTemplate($layout, [...$data, 'content' => $content]); } return $content; } /** * @param array<string, mixed> $data */ private function renderTemplate(string $template, array $data): string { $file = "{$this->templatePath}/{$template}.php"; if (!file_exists($file)) { throw new \RuntimeException("Template not found: {$template}"); } extract($data, EXTR_SKIP); ob_start(); include $file; return ob_get_clean() ?: ''; } public function escape(string $value): string { return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); } }
5. Domain Layer
Flash Type Enum
<?php // src/Enums/FlashType.php declare(strict_types=1); namespace App\Enums; enum FlashType: string { case Success = 'success'; case Error = 'error'; case Warning = 'warning'; case Info = 'info'; public function cssClass(): string { return match ($this) { self::Success => 'alert-success', self::Error => 'alert-error', self::Warning => 'alert-warning', self::Info => 'alert-info', }; } }
User Model
<?php // src/Models/User.php declare(strict_types=1); namespace App\Models; use DateTimeImmutable; final readonly class User { public function __construct( public ?int $id, public string $email, public string $passwordHash, public string $name, public ?DateTimeImmutable $emailVerifiedAt = null, public ?DateTimeImmutable $createdAt = null, public ?DateTimeImmutable $updatedAt = null, ) {} /** * @param array<string, mixed> $data */ public static function fromArray(array $data): self { return new self( id: isset($data['id']) ? (int) $data['id'] : null, email: (string) $data['email'], passwordHash: (string) $data['password_hash'], name: (string) $data['name'], emailVerifiedAt: isset($data['email_verified_at']) ? new DateTimeImmutable($data['email_verified_at']) : null, createdAt: isset($data['created_at']) ? new DateTimeImmutable($data['created_at']) : null, updatedAt: isset($data['updated_at']) ? new DateTimeImmutable($data['updated_at']) : null, ); } public static function create(string $email, string $password, string $name): self { return new self( id: null, email: strtolower(trim($email)), passwordHash: password_hash($password, PASSWORD_ARGON2ID, [ 'memory_cost' => 65536, 'time_cost' => 4, 'threads' => 3, ]), name: trim($name), ); } public function verifyPassword(string $password): bool { return password_verify($password, $this->passwordHash); } public function needsRehash(): bool { return password_needs_rehash($this->passwordHash, PASSWORD_ARGON2ID); } }
Exceptions
<?php // src/Exceptions/ValidationException.php declare(strict_types=1); namespace App\Exceptions; use Exception; final class ValidationException extends Exception { /** * @param array<string, array<string>> $errors */ public function __construct( public readonly array $errors, string $message = 'Validation failed', ) { parent::__construct($message); } public function firstError(): string { foreach ($this->errors as $fieldErrors) { return $fieldErrors[0] ?? 'Validation error'; } return 'Validation error'; } }
<?php // src/Exceptions/AuthenticationException.php declare(strict_types=1); namespace App\Exceptions; use Exception; final class AuthenticationException extends Exception { public function __construct( string $message = 'Invalid credentials', ) { parent::__construct($message); } }
6. Repository Layer
<?php // src/Repositories/UserRepositoryInterface.php declare(strict_types=1); namespace App\Repositories; use App\Models\User; interface UserRepositoryInterface { public function findById(int $id): ?User; public function findByEmail(string $email): ?User; public function emailExists(string $email): bool; public function save(User $user): User; }
<?php // src/Repositories/UserRepository.php declare(strict_types=1); namespace App\Repositories; use App\Core\Database; use App\Models\User; final readonly class UserRepository implements UserRepositoryInterface { public function __construct( private Database $database, ) {} public function findById(int $id): ?User { $data = $this->database->fetchOne( 'SELECT * FROM users WHERE id = :id LIMIT 1', ['id' => $id], ); return $data ? User::fromArray($data) : null; } public function findByEmail(string $email): ?User { $data = $this->database->fetchOne( 'SELECT * FROM users WHERE email = :email LIMIT 1', ['email' => strtolower(trim($email))], ); return $data ? User::fromArray($data) : null; } public function emailExists(string $email): bool { $result = $this->database->fetchOne( 'SELECT 1 FROM users WHERE email = :email LIMIT 1', ['email' => strtolower(trim($email))], ); return $result !== null; } public function save(User $user): User { if ($user->id === null) { return $this->insert($user); } return $this->update($user); } private function insert(User $user): User { $id = $this->database->insert('users', [ 'email' => $user->email, 'password_hash' => $user->passwordHash, 'name' => $user->name, ]); return new User( id: $id, email: $user->email, passwordHash: $user->passwordHash, name: $user->name, ); } private function update(User $user): User { $this->database->query( 'UPDATE users SET email = :email, password_hash = :password_hash, name = :name WHERE id = :id', [ 'id' => $user->id, 'email' => $user->email, 'password_hash' => $user->passwordHash, 'name' => $user->name, ], ); return $user; } }
7. Service Layer
<?php // src/Services/AuthService.php declare(strict_types=1); namespace App\Services; use App\Core\Session; use App\Exceptions\AuthenticationException; use App\Models\User; use App\Repositories\UserRepositoryInterface; final readonly class AuthService { public function __construct( private UserRepositoryInterface $userRepository, private Session $session, ) {} public function register(string $email, string $password, string $name): User { $user = User::create($email, $password, $name); $savedUser = $this->userRepository->save($user); $this->session->setUser($savedUser); return $savedUser; } public function attempt(string $email, string $password): User { $user = $this->userRepository->findByEmail($email); if ($user === null || !$user->verifyPassword($password)) { throw new AuthenticationException('Invalid email or password'); } // Rehash password if algorithm changed if ($user->needsRehash()) { $updatedUser = User::create($email, $password, $user->name); $user = new User( id: $user->id, email: $user->email, passwordHash: $updatedUser->passwordHash, name: $user->name, emailVerifiedAt: $user->emailVerifiedAt, createdAt: $user->createdAt, ); $this->userRepository->save($user); } $this->session->setUser($user); return $user; } public function logout(): void { $this->session->destroy(); } public function emailExists(string $email): bool { return $this->userRepository->emailExists($email); } }
8. Validator
<?php // src/Validators/AuthValidator.php declare(strict_types=1); namespace App\Validators; use App\Exceptions\ValidationException; final class AuthValidator { /** @var array<string, array<string>> */ private array $errors = []; public function validateSignup(string $name, string $email, string $password, string $passwordConfirm): void { $this->errors = []; $this->validateName($name); $this->validateEmail($email); $this->validatePassword($password, $passwordConfirm); if (!empty($this->errors)) { throw new ValidationException($this->errors); } } public function validateSignin(string $email, string $password): void { $this->errors = []; if (empty($email)) { $this->addError('email', 'Email is required'); } if (empty($password)) { $this->addError('password', 'Password is required'); } if (!empty($this->errors)) { throw new ValidationException($this->errors); } } private function validateName(string $name): void { $name = trim($name); if (empty($name)) { $this->addError('name', 'Name is required'); return; } if (mb_strlen($name) < 2) { $this->addError('name', 'Name must be at least 2 characters'); } if (mb_strlen($name) > 100) { $this->addError('name', 'Name must not exceed 100 characters'); } if (!preg_match('/^[\p{L}\p{M}\s\'-]+$/u', $name)) { $this->addError('name', 'Name contains invalid characters'); } } private function validateEmail(string $email): void { if (empty($email)) { $this->addError('email', 'Email is required'); return; } if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { $this->addError('email', 'Please enter a valid email address'); return; } if (mb_strlen($email) > 255) { $this->addError('email', 'Email must not exceed 255 characters'); } } private function validatePassword(string $password, string $passwordConfirm): void { if (empty($password)) { $this->addError('password', 'Password is required'); return; } if (mb_strlen($password) < 8) { $this->addError('password', 'Password must be at least 8 characters'); } if (mb_strlen($password) > 72) { $this->addError('password', 'Password must not exceed 72 characters'); } if (!preg_match('/[A-Z]/', $password)) { $this->addError('password', 'Password must contain at least one uppercase letter'); } if (!preg_match('/[a-z]/', $password)) { $this->addError('password', 'Password must contain at least one lowercase letter'); } if (!preg_match('/[0-9]/', $password)) { $this->addError('password', 'Password must contain at least one number'); } if ($password !== $passwordConfirm) { $this->addError('password_confirm', 'Passwords do not match'); } } private function addError(string $field, string $message): void { $this->errors[$field][] = $message; } }
9. Presenter (MVP Controller)
<?php // src/Presenters/AuthPresenter.php declare(strict_types=1); namespace App\Presenters; use App\Core\Request; use App\Core\Response; use App\Core\Session; use App\Core\View; use App\Enums\FlashType; use App\Exceptions\AuthenticationException; use App\Exceptions\ValidationException; use App\Services\AuthService; use App\Validators\AuthValidator; final readonly class AuthPresenter { public function __construct( private AuthService $authService, private AuthValidator $validator, private View $view, private Session $session, ) {} public function showSignup(): Response { $html = $this->view->render('auth/signup', [ 'title' => 'Sign Up', 'csrf' => $this->session->csrf(), 'session' => $this->session, ]); $this->session->clearOldInput(); return Response::html($html); } public function signup(Request $request): Response { // CSRF validation if (!$this->session->validateCsrf($request->string('_token'))) { $this->session->flash(FlashType::Error, 'Invalid security token. Please try again.'); return Response::redirect('/signup'); } $name = $request->string('name'); $email = $request->string('email'); $password = $request->string('password'); $passwordConfirm = $request->string('password_confirm'); try { $this->validator->validateSignup($name, $email, $password, $passwordConfirm); if ($this->authService->emailExists($email)) { throw new ValidationException(['email' => ['This email is already registered']]); } $this->authService->register($email, $password, $name); $this->session->flash(FlashType::Success, 'Account created successfully! Welcome!'); return Response::redirect('/'); } catch (ValidationException $e) { $this->session->flash(FlashType::Error, $e->firstError()); $this->session->flashInput(['name' => $name, 'email' => $email]); return Response::redirect('/signup'); } } public function showSignin(): Response { $html = $this->view->render('auth/signin', [ 'title' => 'Sign In', 'csrf' => $this->session->csrf(), 'session' => $this->session, ]); $this->session->clearOldInput(); return Response::html($html); } public function signin(Request $request): Response { // CSRF validation if (!$this->session->validateCsrf($request->string('_token'))) { $this->session->flash(FlashType::Error, 'Invalid security token. Please try again.'); return Response::redirect('/signin'); } $email = $request->string('email'); $password = $request->string('password'); try { $this->validator->validateSignin($email, $password); $this->authService->attempt($email, $password); $this->session->flash(FlashType::Success, 'Welcome back!'); return Response::redirect('/'); } catch (ValidationException $e) { $this->session->flash(FlashType::Error, $e->firstError()); $this->session->flashInput(['email' => $email]); return Response::redirect('/signin'); } catch (AuthenticationException $e) { $this->session->flash(FlashType::Error, $e->getMessage()); $this->session->flashInput(['email' => $email]); return Response::redirect('/signin'); } } public function signout(): Response { $this->authService->logout(); // Start new session for flash message $this->session->start(); $this->session->flash(FlashType::Success, 'You have been signed out.'); return Response::redirect('/signin'); } }
10. Views/Templates
Main Layout
<?php // templates/layouts/main.php /** @var string $title */ /** @var string $content */ /** @var \App\Core\Session $session */ ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Secure authentication system"> <title><?= htmlspecialchars($title ?? 'Auth MVP') ?> | <?= htmlspecialchars($_ENV['APP_NAME'] ?? 'App') ?></title> <link rel="stylesheet" href="/assets/style.css"> </head> <body> <div class="container"> <header class="header"> <a href="/" class="logo"><?= htmlspecialchars($_ENV['APP_NAME'] ?? 'Auth MVP') ?></a> <nav class="nav"> <?php if ($session->isAuthenticated()): ?> <?php $user = $session->getUser(); ?> <span class="user-name">Hello, <?= htmlspecialchars($user['name'] ?? '') ?></span> <form action="/signout" method="POST" class="inline-form"> <input type="hidden" name="_token" value="<?= $session->csrf() ?>"> <button type="submit" class="btn btn-link">Sign Out</button> </form> <?php else: ?> <a href="/signin" class="btn btn-link">Sign In</a> <a href="/signup" class="btn btn-primary">Sign Up</a> <?php endif; ?> </nav> </header> <?php foreach ($session->getFlashes() as $flash): ?> <div class="alert alert-<?= htmlspecialchars($flash['type']) ?>"> <?= htmlspecialchars($flash['message']) ?> </div> <?php endforeach; ?> <main class="main"> <?= $content ?> </main> <footer class="footer"> <p>© <?= date('Y') ?> <?= htmlspecialchars($_ENV['APP_NAME'] ?? 'Auth MVP') ?>. All rights reserved.</p> </footer> </div> </body> </html>
Sign Up Template
<?php // templates/auth/signup.php /** @var string $csrf */ /** @var \App\Core\Session $session */ ?> <div class="auth-container"> <div class="auth-card"> <h1 class="auth-title">Create Account</h1> <p class="auth-subtitle">Join us today</p> <form action="/signup" method="POST" class="auth-form" novalidate> <input type="hidden" name="_token" value="<?= htmlspecialchars($csrf) ?>"> <div class="form-group"> <label for="name" class="form-label">Full Name</label> <input type="text" id="name" name="name" class="form-input" value="<?= $session->old('name') ?>" placeholder="John Doe" required autocomplete="name" autofocus > </div> <div class="form-group"> <label for="email" class="form-label">Email Address</label> <input type="email" id="email" name="email" class="form-input" value="<?= $session->old('email') ?>" placeholder="john@example.com" required autocomplete="email" > </div> <div class="form-group"> <label for="password" class="form-label">Password</label> <input type="password" id="password" name="password" class="form-input" placeholder="Min 8 characters" required autocomplete="new-password" minlength="8" > <small class="form-hint">Must contain uppercase, lowercase, and number</small> </div> <div class="form-group"> <label for="password_confirm" class="form-label">Confirm Password</label> <input type="password" id="password_confirm" name="password_confirm" class="form-input" placeholder="Repeat password" required autocomplete="new-password" > </div> <button type="submit" class="btn btn-primary btn-full">Create Account</button> </form> <p class="auth-footer"> Already have an account? <a href="/signin" class="link">Sign in</a> </p> </div> </div>
Sign In Template
<?php // templates/auth/signin.php /** @var string $csrf */ /** @var \App\Core\Session $session */ ?> <div class="auth-container"> <div class="auth-card"> <h1 class="auth-title">Welcome Back</h1> <p class="auth-subtitle">Sign in to your account</p> <form action="/signin" method="POST" class="auth-form" novalidate> <input type="hidden" name="_token" value="<?= htmlspecialchars($csrf) ?>"> <div class="form-group"> <label for="email" class="form-label">Email Address</label> <input type="email" id="email" name="email" class="form-input" value="<?= $session->old('email') ?>" placeholder="john@example.com" required autocomplete="email" autofocus > </div> <div class="form-group"> <label for="password" class="form-label">Password</label> <input type="password" id="password" name="password" class="form-input" placeholder="Your password" required autocomplete="current-password" > </div> <button type="submit" class="btn btn-primary btn-full">Sign In</button> </form> <p class="auth-footer"> Don't have an account? <a href="/signup" class="link">Sign up</a> </p> </div> </div>
11. CSS Styles
/* public/assets/style.css */ :root { --color-primary: #4f46e5; --color-primary-dark: #4338ca; --color-success: #10b981; --color-error: #ef4444; --color-warning: #f59e0b; --color-info: #3b82f6; --color-gray-50: #f9fafb; --color-gray-100: #f3f4f6; --color-gray-200: #e5e7eb; --color-gray-300: #d1d5db; --color-gray-500: #6b7280; --color-gray-700: #374151; --color-gray-900: #111827; --radius: 0.5rem; --shadow: 0 1px 3px rgba(0, 0, 0, 0.1), 0 1px 2px rgba(0, 0, 0, 0.06); --shadow-lg: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05); } *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; } body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; font-size: 1rem; line-height: 1.5; color: var(--color-gray-700); background-color: var(--color-gray-50); min-height: 100vh; } .container { max-width: 1200px; margin: 0 auto; padding: 0 1rem; min-height: 100vh; display: flex; flex-direction: column; } /* Header */ .header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 0; border-bottom: 1px solid var(--color-gray-200); } .logo { font-size: 1.5rem; font-weight: 700; color: var(--color-gray-900); text-decoration: none; } .nav { display: flex; align-items: center; gap: 1rem; } .user-name { color: var(--color-gray-500); } .inline-form { display: inline; } /* Main */ .main { flex: 1; padding: 2rem 0; } /* Footer */ .footer { padding: 1rem 0; text-align: center; border-top: 1px solid var(--color-gray-200); color: var(--color-gray-500); font-size: 0.875rem; } /* Buttons */ .btn { display: inline-flex; align-items: center; justify-content: center; padding: 0.625rem 1.25rem; font-size: 0.875rem; font-weight: 500; border-radius: var(--radius); border: none; cursor: pointer; text-decoration: none; transition: all 0.15s ease; } .btn-primary { background-color: var(--color-primary); color: white; } .btn-primary:hover { background-color: var(--color-primary-dark); } .btn-link { background: none; color: var(--color-gray-500); padding: 0.5rem; } .btn-link:hover { color: var(--color-gray-700); } .btn-full { width: 100%; } /* Alerts */ .alert { padding: 0.875rem 1rem; border-radius: var(--radius); margin-bottom: 1rem; font-size: 0.875rem; } .alert-success { background-color: #d1fae5; color: #065f46; border: 1px solid #a7f3d0; } .alert-error { background-color: #fee2e2; color: #991b1b; border: 1px solid #fecaca; } .alert-warning { background-color: #fef3c7; color: #92400e; border: 1px solid #fde68a; } .alert-info { background-color: #dbeafe; color: #1e40af; border: 1px solid #bfdbfe; } /* Auth Container */ .auth-container { display: flex; align-items: center; justify-content: center; min-height: calc(100vh - 200px); } .auth-card { width: 100%; max-width: 400px; background: white; padding: 2.5rem; border-radius: var(--radius); box-shadow: var(--shadow-lg); } .auth-title { font-size: 1.5rem; font-weight: 700; color: var(--color-gray-900); text-align: center; margin-bottom: 0.25rem; } .auth-subtitle { color: var(--color-gray-500); text-align: center; margin-bottom: 2rem; } .auth-form { display: flex; flex-direction: column; gap: 1.25rem; } .auth-footer { margin-top: 1.5rem; text-align: center; color: var(--color-gray-500); font-size: 0.875rem; } /* Forms */ .form-group { display: flex; flex-direction: column; gap: 0.375rem; } .form-label { font-size: 0.875rem; font-weight: 500; color: var(--color-gray-700); } .form-input { padding: 0.625rem 0.875rem; font-size: 1rem; border: 1px solid var(--color-gray-300); border-radius: var(--radius); transition: border-color 0.15s ease, box-shadow 0.15s ease; } .form-input:focus { outline: none; border-color: var(--color-primary); box-shadow: 0 0 0 3px rgba(79, 70, 229, 0.1); } .form-input::placeholder { color: var(--color-gray-300); } .form-hint { font-size: 0.75rem; color: var(--color-gray-500); } /* Links */ .link { color: var(--color-primary); text-decoration: none; } .link:hover { text-decoration: underline; } /* Home page */ .home-container { text-align: center; padding: 4rem 0; } .home-title { font-size: 2.5rem; font-weight: 700; color: var(--color-gray-900); margin-bottom: 1rem; } .home-subtitle { font-size: 1.125rem; color: var(--color-gray-500); max-width: 600px; margin: 0 auto 2rem; } /* Responsive */ @media (max-width: 640px) { .auth-card { padding: 1.5rem; box-shadow: none; background: transparent; } .header { flex-direction: column; gap: 1rem; } }
12. Front Controller (Entry Point)
<?php // public/index.php declare(strict_types=1); require_once __DIR__ . '/../bootstrap.php'; use App\Core\Application; use App\Core\Request; use App\Core\Response; use App\Presenters\AuthPresenter; $app = Application::create(); $router = $app->router; // Home route $router->get('/', function (Request $request, Application $app): Response { $session = $app->session; $user = $session->getUser(); $html = $app->view->render('home', [ 'title' => 'Home', 'session' => $session, 'user' => $user, ], 'layouts/main'); return Response::html($html); }); // Auth routes $router->get('/signup', function (Request $request, Application $app): Response { return $app->get(AuthPresenter::class)->showSignup(); }, ['guest']); $router->post('/signup', function (Request $request, Application $app): Response { return $app->get(AuthPresenter::class)->signup($request); }, ['guest']); $router->get('/signin', function (Request $request, Application $app): Response { return $app->get(AuthPresenter::class)->showSignin(); }, ['guest']); $router->post('/signin', function (Request $request, Application $app): Response { return $app->get(AuthPresenter::class)->signin($request); }, ['guest']); $router->post('/signout', function (Request $request, Application $app): Response { // CSRF check if (!$app->session->validateCsrf($request->string('_token'))) { return Response::redirect('/'); } return $app->get(AuthPresenter::class)->signout(); }, ['auth']); // Run the application $app->run();
Home Template
<?php // templates/home.php /** @var array|null $user */ /** @var \App\Core\Session $session */ ?> <div class="home-container"> <?php if ($user): ?> <h1 class="home-title">Welcome, <?= htmlspecialchars($user['name']) ?>!</h1> <p class="home-subtitle"> You're signed in as <strong><?= htmlspecialchars($user['email']) ?></strong> </p> <?php else: ?> <h1 class="home-title">Welcome to Auth MVP</h1> <p class="home-subtitle"> A modern PHP authentication system built with MVP architecture and the latest PHP 8.2+ features. </p> <div style="display: flex; gap: 1rem; justify-content: center;"> <a href="/signup" class="btn btn-primary">Get Started</a> <a href="/signin" class="btn btn-link">Sign In</a> </div> <?php endif; ?> </div>
13. Quick Start
# 1. Clone/create project and install dependencies composer install # 2. Copy environment file and configure cp .env.example .env # Edit .env with your database credentials # 3. Create database and tables mysql -u root -p < database/schema.sql # 4. Start development server composer serve # or php -S localhost:8000 -t public # 5. Visit http://localhost:8000
Architecture Summary
┌─────────────────────────────────────────────────────────────────┐
│ REQUEST │
└─────────────────────────────┬───────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ public/index.php │
│ (Front Controller) │
└─────────────────────────────┬───────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Router │
│ (Middleware Stack) │
└─────────────────────────────┬───────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ PRESENTER (AuthPresenter) │
│ • Handles request/response │
│ • Coordinates Model & View │
└───────────────┬─────────────────────────────┬───────────────────┘
│ │
▼ ▼
┌───────────────────────────┐ ┌────────────────────────────────┐
│ MODEL │ │ VIEW │
│ • AuthService │ │ • Template rendering │
│ • AuthValidator │ │ • HTML generation │
│ • UserRepository │ │ • CSRF tokens │
│ • User (Entity) │ │ • Flash messages │
└───────────────────────────┘ └────────────────────────────────┘
Key PHP 8.2+ Features Used
| Feature | Location |
|---|---|
readonly classes | User, Request, Response, Application |
| Constructor property promotion | All classes |
| Named arguments | User::create(), Response::redirect() |
match expressions | Router middleware |
| Enums | FlashType |
| Union types | Various methods |
| Nullsafe operator | Throughout |
| Strict typing | All files |
| Attributes-ready | PSR-4 structure |
never return type | Response::send() |
| First-class callables | Router closures |
This is a production-ready MVP with:
- ✅ Secure password hashing (Argon2id)
- ✅ CSRF protection
- ✅ Session security (regeneration, secure cookies)
- ✅ Input validation & sanitization
- ✅ XSS protection (output escaping)
- ✅ SQL injection protection (PDO prepared statements)
- ✅ Clean architecture & testability
- ✅ Modern PHP features