codesignificant / api-pro
API PRO – Lightweight PHP REST API framework
Requires
- php: >=7.4
- ext-redis: *
This package is not auto-updated.
Last update: 2026-07-10 19:41:04 UTC
README
ApiPro is a high-performance, lightweight, production-ready PHP REST framework built on a secure, service-oriented paradigm. It is engineered with a strict Separation of Concerns architecture, native multi-device stateful sessions via Redis, deterministic page builders, and distributed high-concurrency protection tools.
Key Features
- Clean Layered Architecture: Strictly isolates HTTP parsing and routing gateways (Controllers) from pure, state-free business logic (Services).
- Attribute-Based Declarative Routing: Map endpoints using clean PHP attributes:
#[Controller],#[Get],#[Post]. - Unified JSON Response Envelopes: Consistent API contracts structured cleanly under
'success','message', and'data'keys without top-level property pollution. - Robust Stateful Session Security: Crypto-secure Encrypt-then-MAC tokens with Redis-backed multi-device limiters, automatic hijacking protection, and developer-friendly
curlcompatibility. - Distributed Concurrency Mutex: Native Redis-backed distributed locks to prevent race conditions during write/read operations.
- Deterministic Pagination: Group-safe, JOIN-safe paginator that structures queries with absolute mathematical precision.
Directory Layout
app/
├── Core/ # Core Framework Engine
│ ├── Http/ # Unified HTTP responses & models
│ ├── Security/ # Tokens, Sessions, and Device Security managers
│ ├── Services/ # Diagnostic & Tester backend services
│ ├── ProSql.php # Deterministic paginator & SQL escape engine
│ └── Files.php # Strict HTTP uploaded & generated file manager
├── lib/ # Application Namespace
│ ├── controller/ # HTTP Entry Controllers (Session verification, Routing)
│ ├── service/ # Pure, State-Free Service Logic (Calculations, Database writes)
│ └── repo/ # Data access Repositories
├── index.php # Application Router & Entrypoint
└── config.php # System constants & Redis/MySQL Configuration
1. Clean Separation of Concerns
To maximize testability and keep code state-free, ApiPro strictly separates request boundaries:
- The Controller parses inputs, manages HTTP headers, verifies permissions using the secure
Session::Get()module, and converts web state into primitives (such as$userId). - The Service acts as a pure machine. It has zero knowledge of HTTP headers, cookies, or the global web environment. It operates purely on arguments passed down by the Controller and returns a standardized
DataResponse.
Implementation Example
Controller Layer (lib/controller/ProductController.php):
#[Controller('/v1/products')] class ProductController { private ProductService $service; public function __construct() { $this->service = new ProductService(); } #[Post('/purchase')] public function purchase() { // 1. Authenticate and resolve session context $session = Session::Get(); $userId = $session['id']; // 2. Validate mandatory request body arguments $body = Node::body(['productId']); // 3. Delegate to the pure service return $this->service->purchaseProduct($userId, $body['productId']); } }
Service Layer (lib/service/ProductService.php):
class ProductService { public function purchaseProduct($userId, string $productId): DataResponse { $safeId = ProSql::Escape($productId); // Pure business operation decoupled from HTTP variables $product = ProSql::FetchItem("SELECT * FROM products WHERE id = '$safeId'")->getData(); if (!$product) { return new DataFailed("Product not found", 404); } // Process purchase... return new DataSuccess("Purchase completed successfully", [ 'productId' => $productId, 'timestamp' => time() ]); } }
2. Standardized JSON Envelope Contract
All success responses returned by the framework are automatically formatted using a unified, clean three-key envelope:
{
"success": true,
"message": "Purchase completed successfully",
"data": {
"productId": "4df1c080-...",
"timestamp": 1779991200
}
}
If a request fails, a clean error structure is returned:
{
"success": false,
"message": "Product not found"
}
3. High-Concurrency Distributed Locks (ProLock)
Protect critical pathways (deducting balances, booking hotel rooms, checking out shopping carts) from double-spend and race conditions with native Redis-backed mutexes:
$lock = "balance_deduct_" . $userId; if (!ProLock::acquire($lock, 5)) { // Attempt to acquire lock with 5s timeout return new DataFailed("System busy. Please try again.", 409); } try { // Perform critical write action safely... } finally { ProLock::release($lock); // Always release lock in finally block }
4. Multi-Device Stateful Session Security
ApiPro provides full session control with customizable maximum device limits:
- Stateful Driver Support: Easily switch session management to Redis by setting
TOKEN_DRIVERto'redis'inconfig.php. - Multi-Device Concurrency Control: Define
TOKEN_MAX_DEVICES(default5) to limit concurrent sessions. - Developer-Friendly API Testing: Dynamic validation allows stateful tokens to be tested seamlessly on
curlor Postman without getting blocked by user-agent fingerprint mismatches when custom device tracking headers are omitted.
5. Config-Driven Automatic Schema Sync & 3-Tier Locks
ApiPro introduces a base Repository (backed by ProRepository) class that automatically synchronizes database table schemas declared inside child constructors, managed globally or protected by a robust 3-tier lock system.
Key Operational Sync Modes (config.php):
define('DB_WRITE', 'update');(Default / Development): Automatically creates missing tables and runs incremental structure alterations on existing tables.define('DB_WRITE', 'create');: Creates tables only if they are missing.define('DB_WRITE', 'force');(or'recreate'): Automatically drops existing tables and recreates them fresh.define('DB_WRITE', false);: Completely suspends all constructor checks and database sync activity (highly recommended for production performance).
The 3-Tier Lock Hierarchy:
- Global Lock (Project Scope): Set
define('DB_WRITE', 'lock');inconfig.phpto prevent drops or alterations on any table in the entire codebase. - Repository Lock (Class Scope): Pass
trueor['lock' => true]as the second argument toparent::__construct($tables, true)to lock all tables declared inside that repository class. - Table Lock (Table Scope): Define
'lock' => trueon an individual table configuration array to protect only that table.
If locked at any level, the engine will still auto-create the table if it's missing (to prevent app crashes), but will completely bypass any drops, recreations, or alters if the table already exists.
6. Symmetric Data Encryption Layer
ApiPro features a dedicated symmetric data encryption layer for response payloads. This encrypts the value of the "data" key in all success and failure response envelopes.
- Global Configuration: Set
define("DATA_ENC", "your_secret_key");inconfig.php. IfDATA_ENCis empty or undefined, data encryption is disabled globally. - Custom Key / Bypass Overrides: Both
DataSuccessandDataFailedconstructors accept a fourth optional parameter$encryptionKey(?string $encryptionKey = null):- Null (Default): Uses the global
DATA_ENCkey. If configured, encrypts the data; otherwise, returns data as-is. - Empty String
"": Explicitly disables encryption for this response (even ifDATA_ENCis configured globally). - Non-Empty String: Encrypts the response data using this custom key.
- Null (Default): Uses the global
Code Examples:
// 1. Default (uses global DATA_ENC key) return new DataSuccess("Message", $data); // 2. Explicitly unencrypted (passes empty string key override) return new DataSuccess("Message", $data, 200, ''); // 3. Custom key encryption (uses 'custom_secret_key') return new DataSuccess("Message", $data, 200, 'custom_secret_key');
7. Running and Setting Up the Project
Local Development Server
To start the built-in PHP development server, run from the project root:
php -S 127.0.0.1:8000 index.php
Or you can use the composer script:
composer start
The server will be running on http://127.0.0.1:8000.
Setup Checklist
- Initialize Workspace: Run
composer installto download dependencies and trigger post-install mappings. - Environment Configuration: Set credentials and encryption constants in
config.php:SERVER_ENC(Tokens and session keys)DATA_ENC(Symmetric response data keys)- Redis host and port config (
TOKEN_DRIVER => 'redis') - Database sync modes (
DB_WRITE => 'update'for dev,DB_WRITE => falsefor database-less or production mode)
8. ApiPro CLI Tool
The framework includes a CLI companion tool in the project root: api-pro.
Commands
- Check version:
php api-pro version
- Update Framework:
Downloads the latest release ZIP package from the official repository and securely updates the
Core/framework directory, entry points (index.php,.htaccess), and dependencies while completely preserving your custom application code (lib/), configurations (config.php), and non-project folders:php api-pro update [version]
(Example:php api-pro update 2.1.0or simplyphp api-pro updateto fetch the latest release).
Installation Guide
Prerequisites
Make sure your development server meets the following requirements:
- PHP: Version 8.0 or higher.
- Extensions:
pdo_mysql,openssl,redis(or a compatible Redis library), and optionallyzip(for framework updates). - Composer: PHP dependency manager.
- Services: MySQL/MariaDB and Redis.
Option 1: Via Composer (Recommended)
Create a brand new ApiPro project from the official skeleton:
composer create-project codesignificant/api-pro my-new-api
This command downloads the framework skeleton, initializes the correct configurations, performs post-install mappings, and cleans up temporary setup documentation for a production-ready folder structure.
Option 2: Direct Git Clone
Clone the repository manually:
# Clone the repository git clone https://github.com/CodeSignificant/api-pro.git my-new-api cd my-new-api # Install dependencies and trigger post-install setup composer install
Post-Installation Setup
- Configure Environment: Update
config.phpin the root directory with your MySQL DB, Redis, and MAILER settings. - Set up Web Server routing:
- Apache: The preconfigured
.htaccessfile handles URL rewriting and routes requests toindex.phpout of the box. Ensuremod_rewriteis enabled. - Nginx: Set your server block configuration to rewrite unmatched requests:
location / { try_files $uri $uri/ /index.php?$query_string; }
- Apache: The preconfigured
Release Notes & Updates
Version 2.3.0 Release Notes
ApiPro v2.3.0 focuses on modularizing the debugger tools, introducing global utility logging, and stabilizing the CLI update engine.
- Modular Developer Console:
- Relocated the monolithic
logs.htmlandtest.htmlassets into organized subfolders (Core/logs/andCore/tester/) to maintain a clean workspace. - Added an in-place highlight and find navigation system (browser-like
Ctrl+Flayout) with arrow cycle buttons and Enter/Shift+Enter keystroke navigation in the Logger console. - Shortened and styled the timestamp toggle into a compact, space-saving clock icon toggle button.
- Automatically filters long absolute file directories and line number strings from PHP error logs to keep message outputs clean.
- Relocated the monolithic
- Global Helper Logging:
- Introduced the static helper class
Log(e.g.Log::info(),Log::warning(),Log::error()) write-mapped directly to the error stream. - Implemented automatic logging of incoming request methods/paths and corresponding response status codes.
- Introduced the static helper class
- Payload Optimizations:
- Configured
DataResponseto completely omit the"data"field from final JSON responses when its value isnull. - Added text masking styles and autocomplete attributes to password fields to prevent browser autofill suggestions.
- Configured
- Framework CLI Updater Improvements:
- Overhauled
php api-pro updateto clear out outdated files before copying, eliminating old directory junk. - Added a multi-layered downloader that tries
curlfirst before falling back to native stream wrappers. - Uses native PHP
ZipArchiveunpacking with a command-lineunzipfallback.
- Overhauled
How to Update an Installed Instance
To update your existing ApiPro project to this latest release, execute the built-in updater command from your terminal:
php api-pro update 2.3.0
The updater will download the specified release, safely perform a fresh overwrite of the framework Core/ directory, and verify your updated setup while keeping your custom lib/ controllers/services and config.php files untouched.
License
This project is open-source software licensed under the MIT License.