Merge pull request #446 from Liturgical-Calendar/development

Release v5.7

Author: JohnRDOrazio

.claude/commands/coderabbit.md

@@ -0,0 +1,10 @@
+Run coderabbit --plain, let it run as long as it needs (run it in the background).
+
+Evaluate the fixes and considerations. Fix major issues, critical issues, and only fix the nits if they make sense even if they seem out of scope.
+
+Once those changes are implemented, run CodeRabbit CLI one more time to make sure
+we addressed all the critical issues and didn't introduce any additional bugs.
+
+Only run the loop up to four times. If on the fourth run you don't find any critical issues,
+ignore the nits and you're complete. Give me a summary of everything that was
+completed and why.

.claude/commands/merge.md

@@ -0,0 +1,7 @@
+## Steps to Merge and Clean Up
+
+1. Merge the PR using `gh pr merge <pr-number> --merge --delete-branch`, handling any conflicts if needed.
+2. Confirm the merge was successful by checking the PR status: `gh pr view <pr-number>`.
+3. Checkout the target branch (the branch the PR was merged into, e.g., `master` or `development`).
+4. Pull the changes: `git pull origin <target-branch>`.
+5. Delete the local branch if it wasn't already deleted: `git branch -d <branch-name>`.

.claude/commands/release.md

@@ -0,0 +1,67 @@
+# Prepare a New Release
+
+Prepare a new release for the Liturgical Calendar API.
+
+## Step 1: Update API Version
+
+Update the API version in two locations:
+
+1. **CalendarHandler.php** (`src/Handlers/CalendarHandler.php`):
+   - Find `public const API_VERSION = 'X.Y';`
+   - Increment to the next minor version (e.g., `5.6` → `5.7`)
+   - If there are breaking changes, increment the major version instead (e.g., `5.6` → `6.0`)
+
+2. **openapi.json** (`jsondata/schemas/openapi.json`):
+   - Find `"version": "X.Y"` in the `info` section
+   - Update to match the new version
+
+## Step 2: Update CHANGELOG.md
+
+Add a new entry at the top of the changelog (after any commented unreleased section):
+
+1. **Format**: `## [vX.Y](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/releases/tag/vX.Y) (Month DDth YYYY)`
+
+2. **Changes**: List the changes made since the last release as bullet points. Check git log for commits since the last release tag.
+
+3. **Liturgical celebration note**: Check if today has a significant liturgical celebration:
+   - First, try fetching from local API: `http://localhost:8000/calendar?year_type=CIVIL`
+   - If local is not running, use: `https://litcal.johnromanodorazio.com/api/dev/calendar?year_type=CIVIL`
+   - Use `Accept-Language: en-US` header
+   - Filter the `litcal` results for entries where `date` matches today's date formatted as RFC 3339 (e.g., `2025-12-15T00:00:00+00:00`)
+   - If there's a celebration with grade >= FEAST (grade 5 or higher), or it's a notable memorial, add a note similar to previous entries:
+     - "Saint X, pray for us! [emoji]"
+     - "Happy Feast of X! [emoji]"
+     - "X, [relevant prayer/exclamation]! [emoji]"
+   - Look at previous changelog entries for style examples
+
+## Step 3: Commit and Push
+
+1. Stage the changed files:
+   - `src/Handlers/CalendarHandler.php`
+   - `jsondata/schemas/openapi.json`
+   - `CHANGELOG.md`
+
+2. Commit with message: `Release vX.Y`
+
+3. Push to the `development` branch
+
+## Step 4: Open Pull Request
+
+Create a PR from `development` to `master`:
+
+```bash
+gh pr create --base master --head development --title "Release vX.Y" --body "$(cat <<'EOF'
+## Release vX.Y
+
+[Summary of changes from the changelog]
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+EOF
+)"
+```
+
+Return the PR URL when complete.
+
+---
+
+**Note**: If unsure whether changes are breaking, ask the user before proceeding.

.env.example

@@ -1,51 +1,91 @@
-### .env.example
-### Copy this file to .env.local (or .env.development or .env.production)
-### Set the values as needed.
-### Do not commit .env.local to version control, as it may contain sensitive information.
-### In production, API_BASE_PATH must be set, other variables are optional.
-### In development, the variables are used to launch the API and the Unit Test server,
-### and to help them connect to each other.
-
-### Set the same value for WS_PORT in the Unit Test frontend project folder.
-### For more information, see https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/blob/development/public/LitCalTestServer.php
+# Copy this file to .env.local (or .env.development or .env.production)
+# Do not commit .env.local to version control, as it may contain sensitive information.
+# In production, API_BASE_PATH must be set; other variables are optional.
+# In development, the variables are used to launch the API and the Unit Test server.
+
+# valid values: development, test, staging, production
+APP_ENV=development
+
+##
+# WebSocket Configuration
+# Set the same value for WS_PORT in the Unit Test frontend project folder
+# See: https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/blob/development/public/LitCalTestServer.php
+##
 WS_PORT=8080
+# Maximum concurrent HTTP requests for WebSocket server (default: 10 in production, 4 in development)
+# Reduce this on memory-constrained servers to prevent overwhelming the API
+WS_MAX_CONCURRENCY=10
 
-# Set the protocol to use for the API (default: "http")
+##
+# API Configuration
+# These variables control where the API launches and how the Unit Test server connects to it
+##
 API_PROTOCOL=http
-
-# Set the hostname or IP address to use for the API (default: "localhost")
 API_HOST=localhost
-
-# Set the port number to use for the API (default: "8000")
-# This will determine the port on which 'composer start' will launch the API.
-# It will also instruct the Unit Test server on the port on which it should look for the API.
-# If launching the API from VSCode tasks, make sure to set the same value in the tasks.json file.
+# This determines the port on which 'composer start' will launch the API
+# It also instructs the Unit Test server on which port to look for the API
+# If launching from VSCode tasks, set the same value in tasks.json
 API_PORT=8000
+# API Base Path - required in production or if dev server is not launched from public folder
+# The API cannot infer whether its path is `/api/` or `/api/{version}/`
+# In local development, leave empty (API runs at root)
+# In production, typically /api/dev or /api/v5
+API_BASE_PATH=
 
-# Set the base path for the API (default: "/")
-# Required in production or if the development server is not launched from the public folder.
-# This value is needed for the Unit Test server to connect to the API,
-# and for the API to know the base path which it cannot infer otherwise.
-# It cannot know if the API path is `/`, `/api/` or `/api/{version}/`.
-# Please include a trailing slash for the API_BASE_PATH in any case.
-API_BASE_PATH=/
-
-# Valid values: development | test | staging | production (optional)
-APP_ENV=development
-
+##
 # JWT Authentication Configuration
-# IMPORTANT: Change JWT_SECRET to a strong random string in production (minimum 32 characters)
-# Generate a secure 64-character hex string with: php -r "echo bin2hex(random_bytes(32));"
+# Generate a secure 64-character hex string: php -r "echo bin2hex(random_bytes(32));"
+##
 JWT_ALGORITHM=HS256
 JWT_EXPIRY=3600
 JWT_REFRESH_EXPIRY=604800
+# IMPORTANT: Change to a strong random string in production (minimum 32 characters)
 JWT_SECRET=change-this-to-a-secure-random-string-in-production-minimum-32-chars
 
-# Admin User Credentials (for initial JWT implementation)
-# IMPORTANT: Change these in production!
-# Generate password hash with: php -r "echo password_hash('your-password', PASSWORD_ARGON2ID);"
-# In development/test environments, if ADMIN_PASSWORD_HASH is missing or invalid,
-# authentication falls back to the default password "password".
-# In staging/production, a valid ADMIN_PASSWORD_HASH is required.
-ADMIN_PASSWORD_HASH=CHANGE_ME_GENERATE_WITH_password_hash
+##
+# Admin User Credentials
+# Generate password hash: php -r "echo password_hash('your-password', PASSWORD_ARGON2ID);"
+# In dev/test: falls back to default password "password" if hash is missing/invalid
+# In staging/production: a valid ADMIN_PASSWORD_HASH is required
+##
 ADMIN_USERNAME=admin
+ADMIN_PASSWORD_HASH=CHANGE_ME_GENERATE_WITH_password_hash
+
+##
+# CORS Configuration
+# Comma-separated list of allowed origins for credentialed CORS requests (auth endpoints)
+# Use '*' to allow all origins (not recommended for production with cookie-based auth)
+# Example: https://example.com,https://admin.example.com
+##
+CORS_ALLOWED_ORIGINS=*
+
+##
+# Rate Limiting for Authentication
+# Protects against brute-force attacks on the /auth/login endpoint
+##
+# Maximum failed login attempts before lockout (default: 5)
+RATE_LIMIT_LOGIN_ATTEMPTS=5
+# Time window in seconds for tracking attempts (default: 900 = 15 minutes)
+RATE_LIMIT_LOGIN_WINDOW=900
+# Path for rate limit data files (default: system temp directory)
+# RATE_LIMIT_STORAGE_PATH=/var/lib/litcal/rate_limits
+
+##
+# HTTPS Enforcement
+# In staging/production, auth endpoints require HTTPS by default
+# Set to "false" to disable (e.g., if TLS is terminated at load balancer)
+# When using a reverse proxy, ensure it sets X-Forwarded-Proto header
+##
+HTTPS_ENFORCEMENT=true
+
+##
+# Redis Configuration (for WebSocket server caching)
+# Uses Redis (or APCu fallback) for caching
+# Configure either Unix socket OR TCP connection (socket takes precedence)
+# If not configured, defaults to TCP 127.0.0.1:6379
+##
+# Unix socket connection (recommended for local Redis):
+# REDIS_SOCKET=/var/run/redis/redis.sock
+# TCP connection:
+# REDIS_HOST=127.0.0.1
+# REDIS_PORT=6379

.github/workflows/cldr_cron.yml

@@ -11,6 +11,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: development
 
       - name: Get latest CLDR release tag
         id: cldr
@@ -51,6 +53,7 @@ jobs:
             remote_version=$(echo "$remote_version" | cut -d '.' -f 1)
           fi
 
+          echo "remote_version=$remote_version" >> $GITHUB_OUTPUT
           if [[ $remote_version == $local_version ]]; then
             echo "up_to_date=true" >> $GITHUB_OUTPUT
           else
@@ -84,4 +87,5 @@ jobs:
             Release notes: https://github.com/unicode-org/cldr-json/releases/tag/${{ steps.cldr.outputs.tag }}
           labels: dependencies, automated
           branch: update-cldr
+          base: development
           delete-branch: true

.vscode/extensions.json

@@ -1,6 +1,5 @@
 {
     "recommendations": [
-        "shevaua.phpcs",
         "bmewburn.vscode-intelephense-client",
         "davidanson.vscode-markdownlint"
     ]

CHANGELOG.md

@@ -1,11 +1,23 @@
 # CHANGELOG
 
 <!--
-## [v5.7](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/releases/tag/v5.7) (unreleased)
+## [v5.8](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/releases/tag/v5.8) (unreleased)
 
 * implement `filter` parameter for limited sets of calendar events, see issue [#43](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/issues/43)
 -->
 
+## [v5.7](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/releases/tag/v5.7) (December 15th 2025)
+
+* implement "Remember Me" functionality for login, see issue [#439](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/issues/439)
+* add production security features: login rate limiting, HTTPS enforcement, and APP_ENV validation, see issue [#428](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/issues/428)
+* add Redis cache with APCu fallback for improved performance, see issue [#420](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/issues/420)
+* implement cookie-only authentication (Phase 2.5) with HttpOnly cookies for enhanced security
+* add JWT authentication for /tests PUT/PATCH/DELETE endpoints, see issue [#443](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/issues/443)
+* improve CORS handling for authenticated requests with proper origin validation, see issue [#426](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/issues/426)
+* standardize dotenv configuration and add .env.test support
+
+O Oriens, splendor lucis æternæ, veni! 🌅
+
 ## [v5.6](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/releases/tag/v5.6) (November 28th 2025)
 
 * fix bug [PUT/PATCH requests to /data serializing incorrectly](https://github.com/Liturgical-Calendar/LiturgicalCalendarAPI/issues/411)

CLAUDE.md

@@ -45,7 +45,7 @@ composer stop
 - `API_PROTOCOL` (http|https)
 - `API_HOST` (localhost in dev)
 - `API_PORT` (8000 in dev)
-- `API_BASE_PATH` (/ in dev)
+- `API_BASE_PATH` (empty in dev, e.g. /api/dev in production)
 - `APP_ENV` (development|test|staging|production) - **Required in non-localhost environments**
   - `development` / `test`: Allow default password if `ADMIN_PASSWORD_HASH` is unset (for testing convenience)
   - `staging` / `production`: Require `ADMIN_PASSWORD_HASH` to be configured (throws exception if missing)
@@ -62,16 +62,34 @@ composer stop
   - Required in `staging` and `production` environments
   - Optional in `development` and `test` environments (defaults to password "password")
 
-**Protected Routes:** The following routes require JWT authentication (via `Authorization: Bearer <token>` header):
+**Protected Routes:** The following routes require JWT authentication (via HttpOnly cookie or `Authorization: Bearer <token>` header):
 
 - `PUT /data/{category}/{calendar}` - Create calendar data
 - `PATCH /data/{category}/{calendar}` - Update calendar data
 - `DELETE /data/{category}/{calendar}` - Delete calendar data
 
 **Authentication Endpoints:**
 
-- `POST /auth/login` - Authenticate with username/password, returns access and refresh tokens
-- `POST /auth/refresh` - Refresh access token using refresh token
+- `POST /auth/login` - Authenticate with username/password, returns access and refresh tokens (sets HttpOnly cookies)
+- `POST /auth/refresh` - Refresh access token using refresh token (reads from cookie or body)
+- `POST /auth/logout` - End session and clear HttpOnly cookies
+- `GET /auth/me` - Check authentication state (returns user info from token, essential for cookie-based auth)
+
+**Cookie-Based Authentication (Phase 2.5):**
+
+The API supports full cookie-only authentication where:
+
+- Tokens are stored in HttpOnly cookies (not accessible to JavaScript, mitigating token theft via XSS)
+- `JwtAuthMiddleware` reads token from cookie first, falls back to Authorization header
+- `RefreshHandler` reads refresh token from cookie, no request body needed
+- Frontend uses `credentials: 'include'` to send cookies automatically
+
+**CORS Configuration:**
+
+- `CORS_ALLOWED_ORIGINS` - Comma-separated list of allowed origins for credentialed CORS requests
+  - Default: `*` (all origins allowed - not recommended for production with cookies)
+  - Example: `CORS_ALLOWED_ORIGINS=https://example.com,https://admin.example.com`
+  - Auth endpoint errors only reflect validated origins (security measure)
 
 See [Authentication Roadmap](docs/enhancements/AUTHENTICATION_ROADMAP.md) for implementation details.
 
@@ -356,12 +374,21 @@ data validation via WebSocket backend.
 
 ## Git Workflow
 
-- Main branch: `master` (stable releases)
-- Development branch: `development` (testing)
-- Feature branches: Created for complex features
-- PRs should target `development` first, then merge to `master` after community testing
+- **Main branch:** `master` (stable releases)
+- **Development branch:** `development` (active development and testing)
+- **Feature branches:** Always branch off `development`, not `master`
+- **Pull requests:** Always target `development` branch, never `master` directly
+- **Release flow:** Changes merge from feature branches → `development` → `master` after community testing
 - Test locally before submitting PR
 
+**Creating a feature branch:**
+
+```bash
+git checkout development
+git pull origin development
+git checkout -b feature/your-feature-name
+```
+
 ## System Requirements
 
 - PHP >= 8.4 (uses modern syntax like `array_find`)