Compare revisions

00870cef · 00870cef · 00870cef · 00870cef · 00870cef · 00870cef
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/docs/src/contributing/setup-development.md
+++ b/docs/src/contributing/setup-development.md
---
-title: Development setup
-sidebarDepth: 3
---
 # Setup your development environment
 ## Introduction
@@ -10,7 +5,7 @@ sidebarDepth: 3
 Castopod is a web app based on the `php` framework
 [CodeIgniter 4](https://codeigniter.com).
-We use [Docker](https://www.docker.com/) quickly setup a dev environment. A
+We use [Docker](https://www.docker.com/) to quickly setup a dev environment. A
 `docker-compose.yml` and `Dockerfile` are included in the project's root folder
 to help you kickstart your contribution.
@@ -21,9 +16,9 @@ to help you kickstart your contribution.
 ### 1. Pre-requisites
-0. Install [docker](https://docs.docker.com/get-docker).
+0. Install [Docker](https://docs.docker.com/get-docker).
-1. Clone Castopod project by running:
+1. Clone the Castopod repository by running:
   ```bash
   git clone https://code.castopod.org/adaures/castopod.git
@@ -34,7 +29,7 @@ to help you kickstart your contribution.
   ```ini
   CI_ENVIRONMENT="development"
-   # If set to development, you must run `npm run dev` to start the static assets server
+   # If set to development, you must run `pnpm run dev` to start the static assets server
   vite.environment="development"
   # By default, this is set to true in the app config.
@@ -43,7 +38,6 @@ to help you kickstart your contribution.
   app.forceGlobalSecureRequests=false
   app.baseURL="http://localhost:8080/"
-   app.mediaBaseURL="http://localhost:8080/"
   admin.gateway="cp-admin"
   auth.gateway="cp-auth"
@@ -52,25 +46,43 @@ to help you kickstart your contribution.
   database.default.database="castopod"
   database.default.username="castopod"
   database.default.password="castopod"
+   database.default.DBPrefix="dev_"
+   analytics.salt="DEV_ANALYTICS_SALT"
   cache.handler="redis"
-   cache.redis.host = "redis"
+   cache.redis.host="redis"
   # You may not want to use redis as your cache handler
   # Comment/remove the two lines above and uncomment
   # the next line for file caching.
+   # -----------------------
   #cache.handler="file"
+   ######################################
+   # Media config
+   ######################################
+   media.baseURL="http://localhost:8080/"
+   # S3
+   # Uncomment to store s3 objects using adobe/s3mock service
+   # -----------------------
+   #media.fileManager="s3"
+   #media.s3.bucket="castopod"
+   #media.s3.endpoint="http://172.31.0.6:9090/"
+   #media.s3.pathStyleEndpoint=true
   ```
-   > _NB._ You can tweak your environment by setting more environment variables
+   > [!NOTE]  
-   > in your custom `.env` file. See the `env` for examples or the
+   > You can tweak your environment by setting more environment variables in
+   > your custom `.env` file. See the `env` for examples or the
   > [CodeIgniter4 User Guide](https://codeigniter.com/user_guide/index.html)
   > for more info.
-3. (for docker desktop) Add the repository you've cloned to docker desktop's
+3. (for Docker desktop) Add the repository you've cloned to Docker desktop's
   `Settings` > `Resources` > `File Sharing`
-### 2. (recommended) Develop inside the app Container with VSCode
+### 2. (recommended) Develop inside the app container with VSCode
 If you're working in VSCode, you can take advantage of the `.devcontainer/`
 folder. It defines a development environment (dev container) with preinstalled
@@ -84,16 +96,16 @@ required services will be loaded automagically! 🪄
   > The VSCode window will reload inside the dev container. Expect several
   > minutes during first load as it is building all necessary services.
-   **Note**: The dev container will start by running Castopod's php server.
+   **Note**: The dev container will start by running Castopod's PHP server.
   During development, you will have to start [Vite](https://vitejs.dev)'s dev
   server for compiling the typescript code and styles:
   ```bash
   # run Vite dev server
-   npm run dev
+   pnpm run dev
   ```
-   If there is any issue with the php server not running, you can restart them
+   If there is any issue with the PHP server not running, you can restart them
   using the following commands:
   ```bash
@@ -113,15 +125,15 @@ required services will be loaded automagically! 🪄
   # Composer is installed
   composer -V
-   # npm is installed
+   # pnpm is installed
-   npm -v
+   pnpm -v
   # git is installed
   git version
   ```
 For more info, see
-[VSCode Remote Containers](https://code.visualstudio.com/docs/remote/containers)
+[Developing inside a Container](https://code.visualstudio.com/docs/devcontainers/containers)
 ### 3. Start hacking
@@ -132,7 +144,12 @@ more insights.
 To see your changes, go to:
- `http://localhost:8080/` for the Castopod app
+- `http://localhost:8080/` for the Castopod website
+- `http://localhost:8080/cp-admin` for the Castopod admin:
+  - email: **admin@castopod.local**
+  - password: **castopod**
 - `http://localhost:8888/` for the phpmyadmin interface:
  - username: **castopod**
@@ -142,9 +159,9 @@ To see your changes, go to:
 You do not wish to use the VSCode devcontainer? No problem!
-1. Start docker containers manually:
+1. Start the Docker containers manually:
-   Go to project's root folder and run:
+   Go to the project's root folder and run:
   ```bash
   # starts all services declared in docker-compose.yml file
@@ -159,7 +176,7 @@ You do not wish to use the VSCode devcontainer? No problem!
   ```
-   > The `docker-compose up -d` command will boot 4 containers in the
+   > The `docker-compose up -d` command will boot 5 containers in the
   > background:
   >
   > - `castopod_app`: a php based container with Castopod requirements
@@ -170,6 +187,7 @@ You do not wish to use the VSCode devcontainer? No problem!
   >   persistent data
   > - `castopod_phpmyadmin`: a phpmyadmin server to visualize the mariadb
   >   database.
+   > - `castopod_s3`: a mock s3 server to work on the s3 fileManager
 2. Run any command inside the containers by prefixing them with
   `docker-compose run --rm app`:
@@ -181,8 +199,8 @@ You do not wish to use the VSCode devcontainer? No problem!
   # use Composer
   docker-compose run --rm app composer -V
-   # use npm
+   # use pnpm
-   docker-compose run --rm app npm -v
+   docker-compose run --rm app pnpm -v
   # use git
   docker-compose run --rm app git version
@@ -200,57 +218,46 @@ You do not wish to use the VSCode devcontainer? No problem!
   composer install
   ```
-   ::: info Note
+   > [!NOTE]  
+   > The php dependencies aren't included in the repository. Composer will check
-   The php dependencies aren't included in the repository. Composer will check
+   > the `composer.json` and `composer.lock` files to download the packages with
-   the `composer.json` and `composer.lock` files to download the packages with
+   > the right versions. The dependencies will live under the `vendor/` folder.
-   the right versions. The dependencies will live under the `vendor/` folder.
+   > For more info, check out the
-   For more info, check out the
+   > [Composer documentation](https://getcomposer.org/doc/).
-   [Composer documentation](https://getcomposer.org/doc/).
-   :::
-2. Install javascript dependencies with [npm](https://www.npmjs.com/)
+2. Install JavaScript dependencies with [pnpm](https://pnpm.io/)
   ```bash
-   npm install
+   pnpm install
   ```
-   ::: info Note
+   > [!NOTE]  
+   > The JavaScript dependencies aren't included in the repository. Pnpm will
-   The javascript dependencies aren't included in the repository. Npm will check
+   > check the `package.json` and `pnpm-lock.yaml` files to download the
-   the `package.json` and `package.lock` files to download the packages with the
+   > packages with the right versions. The dependencies will live under the
-   right versions. The dependencies will live under the `node_module` folder.
+   > `node_module` folder. For more info, check out the
-   For more info, check out the [NPM documentation](https://docs.npmjs.com/).
+   > [PNPM documentation](https://pnpm.io/motivation).
-   :::
 3. Generate static assets:
   ```bash
   # build all static assets at once
-   npm run build:static
+   pnpm run build:static
   # build specific assets
-   npm run build:icons
+   pnpm run build:icons
-   npm run build:svg
+   pnpm run build:svg
   ```
-   ::: info Note
+   > [!NOTE]  
+   > The static assets generated live under the `public/assets` folder, it
-   The static assets generated live under the `public/assets` folder, it
+   > includes JavaScript, styles, images, fonts, icons and svg files.
-   includes javascript, styles, images, fonts, icons and svg files.
-   :::
 ### Initialize and populate database
-::: tip
+> [!TIP]  
+> You may skip this section if you go through the install wizard (go to
-You may skip this section if you go through the install wizard (go to
+> `/cp-install`).
-`/cp-install`).
-:::
 1. Build the database with the migrate command:
@@ -270,7 +277,7 @@ You may skip this section if you go through the install wizard (go to
   ```bash
   # Populates all required data
-   php spark db:seed AppSeeder
+   php spark db:seed DevSeeder
   ```
   You may choose to add data separately:
@@ -282,20 +289,11 @@ You may skip this section if you go through the install wizard (go to
   # Populates all Languages
   php spark db:seed LanguageSeeder
-   # Populates all podcasts platforms
+   # Adds a superadmin with [admin@castopod.local / castopod] credentials
-   php spark db:seed PlatformSeeder
+   php spark db:seed DevSuperadminSeeder
-   # Populates all Authentication data (roles definition…)
-   php spark db:seed AuthSeeder
   ```
-3. (optionnal) Populate the database with test data:
+3. (optional) Populate the database with test data:
-   - Populate test data (login: admin / password: AGUehL3P)
-   ```bash
-   php spark db:seed TestSeeder
-   ```
   - Populate with fake podcast analytics:
@@ -309,11 +307,6 @@ You may skip this section if you go through the install wizard (go to
   php spark db:seed FakeWebsiteAnalyticsSeeder
   ```
-   TestSeeder will add an active superadmin user with the following credentials:
-   - username: **admin**
-   - password: **AGUehL3P**
 ### Useful docker / docker-compose commands
 - Monitor the app container:
@@ -322,13 +315,13 @@ You may skip this section if you go through the install wizard (go to
 docker-compose logs --tail 50 --follow --timestamps app
 ```
- Interact with redis server using included redis-cli command:
+- Interact with the Redis server using included redis-cli command:
 ```bash
 docker exec -it castopod_redis redis-cli
 ```
- Monitor the redis container:
+- Monitor the Redis container:
 ```bash
 docker-compose logs --tail 50 --follow --timestamps redis
@@ -364,28 +357,52 @@ docker-compose down
 docker-compose build app
 ```
-Check [docker](https://docs.docker.com/engine/reference/commandline/docker/) and
+Check [Docker](https://docs.docker.com/engine/reference/commandline/docker/) and
 [docker-compose](https://docs.docker.com/compose/reference/) documentations for
 more insights.
+### Updating Documentation
+Castopod's documentation is written in Markdown and uses the Astro Starlight
+framework. To update Castopod's documentation, including the Getting Started
+guide and User Guide:
+1. Change directories to the `docs` directory and install the dependencies:
+   ```bash
+   cd docs/
+   pnpm i
+   ```
+2. Start the documentation development server:
+   ```bash
+   pnpm run dev --host
+   ```
+3. The documentation development server runs on port 4321. In your browser visit
+   `http://localhost:4321/docs`. If the page displays a 404 Not Found error,
+   click on the Castopod logo in the upper left hand corner of the page and the
+   documentation should load.
+4. Edit the Markdown files with your documentation updates. The Astro Starlight
+   development server will automatically update each time you save a change.
 ## Known issues
 ### Allocation failed - JavaScript heap out of memory
-This happens when running `npm install`.
+This happens when running `pnpm install`.
 👉 By default, docker might not have access to enough RAM. Allocate more memory
-and run `npm install` again.
+and run `pnpm install` again.
 ### (Linux) Files created inside container are attributed to root locally
 You may use Linux user namespaces to fix this on your machine:
-::: info Note
+> [!NOTE]  
+> Replace "username" with your local username
-Replace "username" with your local username
-:::
 1. Go to `/etc/docker/daemon.json` and add:
@@ -409,7 +426,7 @@ Replace "username" with your local username
   username:100000:65536
   ```
-3. Restart docker:
+3. Restart Docker:
   ```bash
   sudo systemctl restart docker

--- a/docs/src/contributing/guidelines.md
+++ b/docs/src/contributing/guidelines.md
---
-title: Guidelines
---
 # Contributing to Castopod
 Love Castopod and want to help? Thanks so much, there's something to do for
 everybody!
+> [!NOTE]  
+> Castopod follows the [all contributors](https://allcontributors.org/)
+> specification in an effort to **recognize any kind of contribution**, not just
+> code!  
+> If you've made a contribution and do not appear in the
+> [contributors](../index.md#contributors-✨) list, please
+> [let us know](../index.md#contact) so we can correct our mistake! 🙂
 Please take a moment to review this document in order to make the contribution
 process easy and effective for everyone involved.
@@ -15,13 +19,20 @@ developers managing and developing this open source project. In return, they
 should reciprocate that respect in addressing your issue or assessing patches
 and features.
-::: info Note
+## Translating Castopod
+We use [Crowdin](https://translate.castopod.org/) to manage translation files
+for [Castopod](https://code.castopod.org/), the
+[documentation](https://docs.castopod.org/) and the
+[landing](https://castopod.org/) websites.
-**Any** contribution made on a repository other than
+Whether you'd like to correct a translation error, validate new translations or
-[the original repository](https://code.castopod.org/adaures/castopod) will not
+include your language to Castopod, head into the
-be accepted.
+[crowdin project](https://translate.castopod.org/) to get started.
-:::
+> [!NOTE]  
+> To prevent degrading user experience, new languages are included to Castopod
+> when they reach a certain threshold (~90%).
 ## Using the issue tracker
@@ -59,8 +70,9 @@ your environment? What steps will reproduce the issue? What browser(s) and OS
 experience the problem? What would you expect to be the outcome? All these
 details will help people to fix any potential bugs.
-> [Issue templates](https://docs.gitlab.com/ee/user/project/description_templates.html#using-the-templates)
+> [!NOTE]  
-> have been created for this project. You may use them to help you follow those
+> [Issue templates](https://docs.gitlab.com/ee/user/project/description_templates.html#using-the-templates) have
+> been created for this project. You may use them to help you follow those
 > guidelines.
 ## Feature requests
@@ -86,33 +98,33 @@ accurate comments, etc.) and any other requirements (such as test coverage).
 Adhering to the following process is the best way to get your work included in
 the project:
-1. [Fork](https://docs.gitlab.com/ee/gitlab-basics/fork-project.html) the
+1. [Fork](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html)
-   project, clone your fork, and configure the remotes:
+   the project, clone your fork, and configure the remotes:
-```bash
+   ```bash
-# Clone your fork of the repo into the current directory
+   # Clone your fork of the repo into the current directory
-git clone https://code.castopod.org/<your-username>/castopod.git
+   git clone https://code.castopod.org/<your-username>/castopod.git
-# Navigate to the newly cloned directory
+   # Navigate to the newly cloned directory
-cd castopod
+   cd castopod
-# Assign the original repo to a remote called "upstream"
+   # Assign the original repo to a remote called "upstream"
-git remote add upstream https://code.castopod.org/adaures/castopod.git
+   git remote add upstream https://code.castopod.org/adaures/castopod.git
-```
+   ```
 2. If you cloned a while ago, get the latest changes from upstream:
-```bash
+   ```bash
-git checkout main
+   git checkout main
-git pull upstream main
+   git pull upstream main
-```
+   ```
 3. Create a new topic branch (off the `main` branch) to contain your feature,
   change, or fix:
-```bash
+   ```bash
-git checkout -b <topic-branch-name>
+   git checkout -b <topic-branch-name>
-```
+   ```
 4. Commit your changes in logical chunks. Please adhere to these
   [git commit message guidelines](https://conventionalcommits.org/) or your
@@ -122,22 +134,23 @@ git checkout -b <topic-branch-name>
 5. Locally merge (or rebase) the upstream dev branch into your topic branch:
-```bash
+   ```bash
-git pull [--rebase] upstream main
+   git pull [--rebase] upstream main
-```
+   ```
 6. Push your topic branch up to your fork:
-```bash
+   ```bash
-git push origin <topic-branch-name>
+   git push origin <topic-branch-name>
-```
+   ```
 7. [Open a Pull Request](https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html#new-merge-request-from-a-fork)
   with a clear title and description.
-**IMPORTANT**: By submitting a patch, you agree to allow the project owners to
+> [!IMPORTANT]  
-license your work under the terms of the
+> By submitting a patch, you agree to allow the project owners to license your
-[GNU AGPLv3](https://code.castopod.org/adaures/castopod/-/blob/main/LICENSE).
+> work under the terms of the
+> [GNU AGPLv3](https://code.castopod.org/adaures/castopod/-/blob/develop/LICENSE.md).
 ## Collaborating guidelines

--- a/DEPENDENCIES.md
+++ b/DEPENDENCIES.md
@@ -18,9 +18,9 @@ Javascript dependencies can be found in the [package.json](./package.json) file.
  ([Open Font License](https://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL))
 - [RemixIcon](https://remixicon.com/)
  ([Apache License 2.0](https://github.com/Remix-Design/RemixIcon/blob/master/License))
- [OPAWG/User agent list](https://github.com/opawg/user-agents)
+- [OPAWG/User agent list](https://github.com/opawg/user-agents-v2)
  ([by Open Podcast Analytics Working Group](https://github.com/opawg))
-  ([MIT license](https://github.com/opawg/user-agents/blob/master/LICENSE))
+  ([MIT license](https://github.com/opawg/user-agents-v2/blob/master/LICENSE))
 - [OPAWG/podcast-rss-useragents](https://github.com/opawg/podcast-rss-useragents)
  ([by Open Podcast Analytics Working Group](https://github.com/opawg))
  ([MIT license](https://github.com/opawg/podcast-rss-useragents/blob/master/LICENSE))

--- a/GDPR.txt
+++ b/GDPR.txt
@@ -6,6 +6,29 @@
 # in particular. As a hosting provider, you must inform your users of their
 # rights and how their data are used and protected.
+purpose:
+    Deduplicate number of audio file downloads made by the same listener
+    for analytics purposes
+lawfulness: legitimate interest
+data: (User IP address + Browser User Agent)
+required: yes
+visibility: none
+description:
+    In order to produce analytics data comparable to the podcasting
+    ecosystem standards, the User IP address (REMOTE_ADDR) with the
+    browser User Agent (HTTP_USER_AGENT) are stored when an audio file
+    is downloaded.
+mitigation:
+    The data (User IP address + Browser User Agent) is never stored in plain
+    format.
+    The data is concatenated with a cryptographic salt, the current date,
+    and the podcast or episode IDs.
+    The data is hashed (using sha1) after being concatenated and before
+    being stored.
+    The data is stored in a cache database (eg. Redis).
+    The data expires every day at midnight (server time).
 purpose: Connect users to their accounts
 lawfulness: legitimate interest
@@ -46,3 +69,15 @@ description:
    platforms (such as Apple Podcasts).
 mitigation:
    The e-mail can be generic.
+purpose: Grant access to premium content
+lawfulness: legitimate interest
+data: Subscriber's email address
+required: yes
+visibility: administrators
+description:
+    The subscriber's e-mail address is used to provide credentials for
+    listening to premium content.
+mitigation:
+    The e-mail can be generic.
--- a/README.md
+++ b/README.md
--- a/app/.htaccess
+++ b/app/.htaccess
-<IfModule authz_core_module>
+<IfModule authz_core_module> Require all denied </IfModule>
-    Require all denied
+<IfModule !authz_core_module> Deny from all </IfModule>
-</IfModule>
-<IfModule !authz_core_module>
-    Deny from all
-</IfModule>
--- a/app/Commands/EpisodesComputeDownloads.php
+++ b/app/Commands/EpisodesComputeDownloads.php
+<?php
+declare(strict_types=1);
+namespace App\Commands;
+use App\Models\EpisodeModel;
+use CodeIgniter\CLI\BaseCommand;
+class EpisodesComputeDownloads extends BaseCommand
+{
+    /**
+     * The Command's Group
+     *
+     * @var string
+     */
+    protected $group = 'Episodes';
+    /**
+     * The Command's Name
+     *
+     * @var string
+     */
+    protected $name = 'episodes:compute-downloads';
+    /**
+     * The Command's Description
+     *
+     * @var string
+     */
+    protected $description = "Calculates all episodes downloads and stores results in episodes' downloads_count field.";
+    /**
+     * Actually execute a command.
+     */
+    public function run(array $params): void
+    {
+        $episodesModel = new EpisodeModel();
+        $query = $episodesModel->builder()
+            ->select('episodes.id as id, IFNULL(SUM(ape.hits),0) as downloads_count')
+            ->join('analytics_podcasts_by_episode ape', 'episodes.id=ape.episode_id', 'left')
+            ->groupBy('episodes.id');
+        $episodeModel2 = new EpisodeModel();
+        $episodeModel2->builder()
+            ->setQueryAsData($query)
+            ->onConstraint('id')
+            ->updateBatch();
+    }
+}
--- a/app/Common.php
+++ b/app/Common.php
@@ -2,18 +2,17 @@
 declare(strict_types=1);
-use App\Libraries\View;
 use ViewThemes\Theme;
 /**
 * The goal of this file is to allow developers a location where they can overwrite core procedural functions and
- * replace them with their own. This file is loaded during the bootstrap process and is called during the frameworks
+ * replace them with their own. This file is loaded during the bootstrap process and is called during the framework's
 * execution.
 *
 * This can be looked at as a `master helper` file that is loaded early on, and may also contain additional functions
 * that you'd like to use throughout your entire application
 *
- * @link: https://codeigniter4.github.io/CodeIgniter4/
+ * @see: https://codeigniter.com/user_guide/extending/common.html
 */
 if (! function_exists('view')) {
@@ -28,12 +27,17 @@ if (! function_exists('view')) {
     */
    function view(string $name, array $data = [], array $options = []): string
    {
+        if (array_key_exists('theme', $options)) {
+            Theme::setTheme($options['theme']);
+        }
        $path = Theme::path();
        /** @var CodeIgniter\View\View $renderer */
        $renderer = single_service('renderer', $path);
-        $saveData = config(View::class)->saveData;
+        $saveData = config('View')
+            ->saveData;
        if (array_key_exists('saveData', $options)) {
            $saveData = (bool) $options['saveData'];

--- a/app/Config/App.php
+++ b/app/Config/App.php
@@ -5,7 +5,7 @@ declare(strict_types=1);
 namespace Config;
 use CodeIgniter\Config\BaseConfig;
-use CodeIgniter\Session\Handlers\FileHandler;
+use Override;
 class App extends BaseConfig
 {
@@ -14,38 +14,34 @@ class App extends BaseConfig
     * Base Site URL
     * --------------------------------------------------------------------------
     *
-     * URL to your CodeIgniter root. Typically this will be your base URL,
+     * URL to your CodeIgniter root. Typically, this will be your base URL,
     * WITH a trailing slash:
     *
-     *    http://example.com/
+     * E.g., http://example.com/
-     *
-     * If this is not set then CodeIgniter will try guess the protocol, domain
-     * and path to your installation. However, you should always configure this
-     * explicitly and never rely on auto-guessing, especially in production
-     * environments.
     */
    public string $baseURL = 'http://localhost:8080/';
    /**
-     * --------------------------------------------------------------------------
+     * Allowed Hostnames in the Site URL other than the hostname in the baseURL.
-     * Media Base URL
+     * If you want to accept multiple Hostnames, set this.
-     * --------------------------------------------------------------------------
     *
-     * URL to your media root. Typically this will be your base URL,
+     * E.g.,
-     * WITH a trailing slash:
+     * When your site URL ($baseURL) is 'http://example.com/', and your site
+     * also accepts 'http://media.example.com/' and 'http://accounts.example.com/':
+     *     ['media.example.com', 'accounts.example.com']
     *
-     *    http://cdn.example.com/
+     * @var list<string>
     */
-    public string $mediaBaseURL = 'http://localhost:8080/';
+    public array $allowedHostnames = [];
    /**
     * --------------------------------------------------------------------------
     * Index File
     * --------------------------------------------------------------------------
     *
-     * Typically this will be your index.php file, unless you've renamed it to
+     * Typically, this will be your `index.php` file, unless you've renamed it to
-     * something else. If you are using mod_rewrite to remove the page set this
+     * something else. If you have configured your web server to remove this file
-     * variable so that it is blank.
+     * from your site URIs, set this variable to an empty string.
     */
    public string $indexPage = '';
@@ -54,18 +50,42 @@ class App extends BaseConfig
     * URI PROTOCOL
     * --------------------------------------------------------------------------
     *
-     * This item determines which getServer global should be used to retrieve the
+     * This item determines which server global should be used to retrieve the
-     * URI string.  The default setting of 'REQUEST_URI' works for most servers.
+     * URI string. The default setting of 'REQUEST_URI' works for most servers.
     * If your links do not seem to work, try one of the other delicious flavors:
     *
-     * 'REQUEST_URI'    Uses $_SERVER['REQUEST_URI']
+     *  'REQUEST_URI': Uses $_SERVER['REQUEST_URI']
-     * 'QUERY_STRING'   Uses $_SERVER['QUERY_STRING']
+     * 'QUERY_STRING': Uses $_SERVER['QUERY_STRING']
-     * 'PATH_INFO'      Uses $_SERVER['PATH_INFO']
+     *    'PATH_INFO': Uses $_SERVER['PATH_INFO']
     *
     * WARNING: If you set this to 'PATH_INFO', URIs will always be URL-decoded!
     */
    public string $uriProtocol = 'REQUEST_URI';
+    /*
+    *--------------------------------------------------------------------------
+    * Allowed URL Characters
+    *--------------------------------------------------------------------------
+    *
+    * This lets you specify which characters are permitted within your URLs.
+    * When someone tries to submit a URL with disallowed characters they will
+    * get a warning message.
+    *
+    * As a security measure you are STRONGLY encouraged to restrict URLs to
+    * as few characters as possible.
+    *
+    * By default, only these are allowed: `a-z 0-9~%.:_-`
+    *
+    * Set an empty string to allow all characters -- but only if you are insane.
+    *
+    * The configured value is actually a regular expression character group
+    * and it will be used as: '/\A[<permittedURIChars>]+\z/iu'
+    *
+    * DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
+    *
+    */
+    public string $permittedURIChars = 'a-z 0-9~%.:_\-@';
    /**
     * --------------------------------------------------------------------------
     * Default Locale
@@ -99,9 +119,23 @@ class App extends BaseConfig
     * by the application in descending order of priority. If no match is
     * found, the first locale will be used.
     *
-     * @var string[]
+     * IncomingRequest::setLocale() also uses this list.
-     */
+     *
-    public array $supportedLocales = ['en', 'fr', 'pl'];
+     * @var list<string>
+     */
+    public array $supportedLocales = [
+        'en',
+        'fr',
+        'pl',
+        'de',
+        'pt-br',
+        'nn-no',
+        'es',
+        'zh-hans',
+        'ca',
+        'br',
+        'sr-latn',
+    ];
    /**
     * --------------------------------------------------------------------------
@@ -110,6 +144,9 @@ class App extends BaseConfig
     *
     * The default timezone that will be used in your application to display
     * dates with the date helper, and can be retrieved through app_timezone()
+     *
+     * @see https://www.php.net/manual/en/timezones.php for list of timezones
+     *      supported by PHP.
     */
    public string $appTimezone = 'UTC';
@@ -133,170 +170,10 @@ class App extends BaseConfig
     * If true, this will force every request made to this application to be
     * made via a secure connection (HTTPS). If the incoming request is not
     * secure, the user will be redirected to a secure version of the page
-     * and the HTTP Strict Transport Security header will be set.
+     * and the HTTP Strict Transport Security (HSTS) header will be set.
     */
    public bool $forceGlobalSecureRequests = true;
-    /**
-     * --------------------------------------------------------------------------
-     * Session Driver
-     * --------------------------------------------------------------------------
-     *
-     * The session storage driver to use:
-     * - `CodeIgniter\Session\Handlers\FileHandler`
-     * - `CodeIgniter\Session\Handlers\DatabaseHandler`
-     * - `CodeIgniter\Session\Handlers\MemcachedHandler`
-     * - `CodeIgniter\Session\Handlers\RedisHandler`
-     */
-    public string $sessionDriver = FileHandler::class;
-    /**
-     * --------------------------------------------------------------------------
-     * Session Cookie Name
-     * --------------------------------------------------------------------------
-     *
-     * The session cookie name, must contain only [0-9a-z_-] characters
-     */
-    public string $sessionCookieName = 'ci_session';
-    /**
-     * --------------------------------------------------------------------------
-     * Session Expiration
-     * --------------------------------------------------------------------------
-     *
-     * The number of SECONDS you want the session to last.
-     * Setting to 0 (zero) means expire when the browser is closed.
-     */
-    public int $sessionExpiration = 7200;
-    /**
-     * --------------------------------------------------------------------------
-     * Session Save Path
-     * --------------------------------------------------------------------------
-     *
-     * The location to save sessions to and is driver dependent.
-     *
-     * For the 'files' driver, it's a path to a writable directory.
-     * WARNING: Only absolute paths are supported!
-     *
-     * For the 'database' driver, it's a table name.
-     * Please read up the manual for the format with other session drivers.
-     *
-     * IMPORTANT: You are REQUIRED to set a valid save path!
-     */
-    public string $sessionSavePath = WRITEPATH . 'session';
-    /**
-     * --------------------------------------------------------------------------
-     * Session Match IP
-     * --------------------------------------------------------------------------
-     *
-     * Whether to match the user's IP address when reading the session data.
-     *
-     * WARNING: If you're using the database driver, don't forget to update
-     *          your session table's PRIMARY KEY when changing this setting.
-     */
-    public bool $sessionMatchIP = false;
-    /**
-     * --------------------------------------------------------------------------
-     * Session Time to Update
-     * --------------------------------------------------------------------------
-     *
-     * How many seconds between CI regenerating the session ID.
-     */
-    public int $sessionTimeToUpdate = 300;
-    /**
-     * --------------------------------------------------------------------------
-     * Session Regenerate Destroy
-     * --------------------------------------------------------------------------
-     *
-     * Whether to destroy session data associated with the old session ID
-     * when auto-regenerating the session ID. When set to FALSE, the data
-     * will be later deleted by the garbage collector.
-     */
-    public bool $sessionRegenerateDestroy = false;
-    /**
-     * --------------------------------------------------------------------------
-     * Cookie Prefix
-     * --------------------------------------------------------------------------
-     *
-     * Set a cookie name prefix if you need to avoid collisions.
-     *
-     * @deprecated use Config\Cookie::$prefix property instead.
-     */
-    public string $cookiePrefix = '';
-    /**
-     * --------------------------------------------------------------------------
-     * Cookie Domain
-     * --------------------------------------------------------------------------
-     *
-     * Set to `.your-domain.com` for site-wide cookies.
-     *
-     * @deprecated use Config\Cookie::$domain property instead.
-     */
-    public string $cookieDomain = '';
-    /**
-     * --------------------------------------------------------------------------
-     * Cookie Path
-     * --------------------------------------------------------------------------
-     *
-     * Typically will be a forward slash.
-     *
-     * @deprecated use Config\Cookie::$path property instead.
-     */
-    public string $cookiePath = '/';
-    /**
-     * --------------------------------------------------------------------------
-     * Cookie Secure
-     * --------------------------------------------------------------------------
-     *
-     * Cookie will only be set if a secure HTTPS connection exists.
-     *
-     * @deprecated use Config\Cookie::$secure property instead.
-     */
-    public bool $cookieSecure = false;
-    /**
-     * --------------------------------------------------------------------------
-     * Cookie HttpOnly
-     * --------------------------------------------------------------------------
-     *
-     * Cookie will only be accessible via HTTP(S) (no JavaScript).
-     *
-     * @deprecated use Config\Cookie::$httponly property instead.
-     */
-    public bool $cookieHTTPOnly = true;
-    /**
-     * --------------------------------------------------------------------------
-     * Cookie SameSite
-     * --------------------------------------------------------------------------
-     *
-     * Configure cookie SameSite setting. Allowed values are:
-     * - None
-     * - Lax
-     * - Strict
-     * - ''
-     *
-     * Alternatively, you can use the constant names:
-     * - `Cookie::SAMESITE_NONE`
-     * - `Cookie::SAMESITE_LAX`
-     * - `Cookie::SAMESITE_STRICT`
-     *
-     * Defaults to `Lax` for compatibility with modern browsers. Setting `''`
-     * (empty string) means default SameSite attribute set by browsers (`Lax`)
-     * will be set on cookies. If set to `None`, `$cookieSecure` must also be set.
-     *
-     * @deprecated use Config\Cookie::$samesite property instead.
-     */
-    public string $cookieSameSite = 'Lax';
    /**
     * --------------------------------------------------------------------------
     * Reverse Proxy IPs
@@ -304,103 +181,21 @@ class App extends BaseConfig
     *
     * If your server is behind a reverse proxy, you must whitelist the proxy
     * IP addresses from which CodeIgniter should trust headers such as
-     * HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP in order to properly identify
+     * X-Forwarded-For or Client-IP in order to properly identify
     * the visitor's IP address.
     *
-     * You can use both an array or a comma-separated list of proxy addresses,
+     * You need to set a proxy IP address or IP address with subnets and
-     * as well as specifying whole subnets. Here are a few examples:
+     * the HTTP header for the client IP address.
     *
-     * Comma-separated:	'10.0.1.200,192.168.5.0/24'
+     * Here are some examples:
-     * Array: ['10.0.1.200', '192.168.5.0/24']
+     *     [
+     *         '10.0.1.200'     => 'X-Forwarded-For',
+     *         '192.168.5.0/24' => 'X-Real-IP',
+     *     ]
     *
-     * @var string|string[]
+     * @var array<string, string>|string
     */
-    public string | array $proxyIPs = '';
+    public $proxyIPs = [];
-    /**
-     * --------------------------------------------------------------------------
-     * CSRF Token Name
-     * --------------------------------------------------------------------------
-     *
-     * The token name.
-     *
-     * @deprecated Use `Config\Security` $tokenName property instead of using this property.
-     */
-    public string $CSRFTokenName = 'csrf_test_name';
-    /**
-     * --------------------------------------------------------------------------
-     * CSRF Header Name
-     * --------------------------------------------------------------------------
-     *
-     * The header name.
-     *
-     * @deprecated Use `Config\Security` $headerName property instead of using this property.
-     */
-    public string $CSRFHeaderName = 'X-CSRF-TOKEN';
-    /**
-     * --------------------------------------------------------------------------
-     * CSRF Cookie Name
-     * --------------------------------------------------------------------------
-     *
-     * The cookie name.
-     *
-     * @deprecated Use `Config\Security` $cookieName property instead of using this property.
-     */
-    public string $CSRFCookieName = 'csrf_cookie_name';
-    /**
-     * --------------------------------------------------------------------------
-     * CSRF Expire
-     * --------------------------------------------------------------------------
-     *
-     * The number in seconds the token should expire.
-     *
-     * @deprecated Use `Config\Security` $expire property instead of using this property.
-     */
-    public int $CSRFExpire = 7200;
-    /**
-     * --------------------------------------------------------------------------
-     * CSRF Regenerate
-     * --------------------------------------------------------------------------
-     *
-     * Regenerate token on every submission?
-     *
-     * @deprecated Use `Config\Security` $regenerate property instead of using this property.
-     */
-    public bool $CSRFRegenerate = true;
-    /**
-     * --------------------------------------------------------------------------
-     * CSRF Redirect
-     * --------------------------------------------------------------------------
-     *
-     * Redirect to previous page with error on failure?
-     *
-     * @deprecated Use `Config\Security` $redirect property instead of using this property.
-     */
-    public bool $CSRFRedirect = true;
-    /**
-     * --------------------------------------------------------------------------
-     * CSRF SameSite
-     * --------------------------------------------------------------------------
-     *
-     * Setting for CSRF SameSite cookie token. Allowed values are:
-     * - None
-     * - Lax
-     * - Strict
-     * - ''
-     *
-     * Defaults to `Lax` as recommended in this link:
-     *
-     * @see https://portswigger.net/web-security/csrf/samesite-cookies
-     *
-     * @deprecated Use `Config\Security` $samesite property instead of using this property.
-     */
-    public string $CSRFSameSite = 'Lax';
    /**
     * --------------------------------------------------------------------------
@@ -420,14 +215,6 @@ class App extends BaseConfig
     */
    public bool $CSPEnabled = false;
-    /**
-     * --------------------------------------------------------------------------
-     * Media root folder
-     * --------------------------------------------------------------------------
-     * Defines the root folder for media files storage
-     */
-    public string $mediaRoot = 'media';
    /**
     * --------------------------------------------------------------------------
     * Instance / Site Config
@@ -444,11 +231,56 @@ class App extends BaseConfig
     */
    public array $siteIcon = [
        'ico' => '/favicon.ico',
-        '64' => '/icon-64.png',
+        '64'  => '/icon-64.png',
        '180' => '/icon-180.png',
        '192' => '/icon-192.png',
        '512' => '/icon-512.png',
    ];
    public string $theme = 'pine';
+    /**
+     * Storage limit in Gigabytes
+     */
+    public ?int $storageLimit = null;
+    /**
+     * Bandwidth limit (per month) in Gigabytes
+     */
+    public ?int $bandwidthLimit = null;
+    public ?string $legalNoticeURL = null;
+    /**
+     * AuthToken Config Constructor
+     */
+    public function __construct()
+    {
+        parent::__construct();
+        if (is_string($this->proxyIPs)) {
+            $array = json_decode($this->proxyIPs, true);
+            if (is_array($array)) {
+                $this->proxyIPs = $array;
+            }
+        }
+    }
+    /**
+     * Override parent initEnvValue() to allow for direct setting to array properties values from ENV
+     *
+     * In order to set array properties via ENV vars we need to set the property to a string value first.
+     *
+     * @param mixed $property
+     */
+    #[Override]
+    protected function initEnvValue(&$property, string $name, string $prefix, string $shortPrefix): void
+    {
+        // if attempting to set property from ENV, first set to empty string
+        if ($name === 'proxyIPs' && $this->getEnvValue($name, $prefix, $shortPrefix) !== null) {
+            $property = '';
+        }
+        parent::initEnvValue($property, $name, $prefix, $shortPrefix);
+    }
 }
--- a/app/Config/Autoload.php
+++ b/app/Config/Autoload.php
@@ -16,6 +16,8 @@ use CodeIgniter\Config\AutoloadConfig;
 *
 * NOTE: If you use an identical key in $psr4 or $classmap, then
 * the values in this file will overwrite the framework's values.
+ *
+ * @immutable
 */
 class Autoload extends AutoloadConfig
 {
@@ -27,40 +29,39 @@ class Autoload extends AutoloadConfig
     * their location on the file system. These are used by the autoloader
     * to locate files the first time they have been instantiated.
     *
-     * The '/app' and '/system' directories are already mapped for you.
+     * The 'Config' (APPPATH . 'Config') and 'CodeIgniter' (SYSTEMPATH) are
-     * you may change the name of the 'App' namespace if you wish,
+     * already mapped for you.
+     *
+     * You may change the name of the 'App' namespace if you wish,
     * but this should be done prior to creating any namespaced classes,
     * else you will need to modify all of those classes for this to work.
     *
-     * Prototype:
+     * @var array<string, list<string>|string>
-     *
-     *   $psr4 = [
-     *       'CodeIgniter' => SYSTEMPATH,
-     *       'App'	       => APPPATH
-     *   ];
-     *
-     * @var array<string, string>
     */
    public $psr4 = [
-        APP_NAMESPACE => APPPATH,
+        APP_NAMESPACE             => APPPATH,
-        'Modules' => ROOTPATH . 'modules/',
+        'Modules'                 => ROOTPATH . 'modules/',
-        'Modules\Admin' => ROOTPATH . 'modules/Admin/',
+        'Modules\Admin'           => ROOTPATH . 'modules/Admin/',
-        'Modules\Auth' => ROOTPATH . 'modules/Auth/',
+        'Modules\Analytics'       => ROOTPATH . 'modules/Analytics/',
-        'Modules\Analytics' => ROOTPATH . 'modules/Analytics/',
+        'Modules\Api\Rest\V1'     => ROOTPATH . 'modules/Api/Rest/V1',
-        'Modules\Install' => ROOTPATH . 'modules/Install/',
+        'Modules\Auth'            => ROOTPATH . 'modules/Auth/',
-        'Modules\Fediverse' => ROOTPATH . 'modules/Fediverse/',
+        'Modules\Fediverse'       => ROOTPATH . 'modules/Fediverse/',
-        'Modules\WebSub' => ROOTPATH . 'modules/WebSub/',
+        'Modules\Install'         => ROOTPATH . 'modules/Install/',
-        'Config' => APPPATH . 'Config/',
+        'Modules\Media'           => ROOTPATH . 'modules/Media/',
-        'ViewComponents' => APPPATH . 'Libraries/ViewComponents/',
+        'Modules\MediaClipper'    => ROOTPATH . 'modules/MediaClipper/',
-        'ViewThemes' => APPPATH . 'Libraries/ViewThemes/',
+        'Modules\Platforms'       => ROOTPATH . 'modules/Platforms/',
-        'MediaClipper' => APPPATH . 'Libraries/MediaClipper/',
+        'Modules\Plugins'         => ROOTPATH . 'modules/Plugins/',
-        'Vite' => APPPATH . 'Libraries/Vite/',
+        'Modules\PodcastImport'   => ROOTPATH . 'modules/PodcastImport/',
-        'Themes' => ROOTPATH . 'themes',
+        'Modules\PremiumPodcasts' => ROOTPATH . 'modules/PremiumPodcasts/',
+        'Modules\Update'          => ROOTPATH . 'modules/Update/',
+        'Modules\WebSub'          => ROOTPATH . 'modules/WebSub/',
+        'Themes'                  => ROOTPATH . 'themes',
+        'ViewComponents'          => APPPATH . 'Libraries/ViewComponents/',
+        'ViewThemes'              => APPPATH . 'Libraries/ViewThemes/',
    ];
    /**
     * -------------------------------------------------------------------
-     * Class Map
     * -------------------------------------------------------------------
     * The class map provides a map of class names and their exact
     * location on the drive. Classes loaded in this manner will have
@@ -87,12 +88,25 @@ class Autoload extends AutoloadConfig
     * or for loading functions.
     *
     * Prototype:
-     * ```
+     *
     *	  $files = [
     *	 	   '/path/to/my/file.php',
     *    ];
-     * ```
+     *
-     * @var array<int, string>
+     * @var list<string>
+     */
+    public $files = [];
+    /**
+     * -------------------------------------------------------------------
+     * Helpers
+     * -------------------------------------------------------------------
+     * Prototype:
+     *   $helpers = [
+     *       'form',
+     *   ];
+     *
+     * @var list<string>
     */
-    public $files = [APPPATH . 'Libraries/ViewComponents/Helpers/view_components_helper.php'];
+    public $helpers = ['auth', 'setting', 'plugins'];
 }
--- a/app/Config/Boot/development.php
+++ b/app/Config/Boot/development.php
@@ -9,8 +9,10 @@ declare(strict_types=1);
 * In development, we want to show as many errors as possible to help
 * make sure they don't make it to production. And save us hours of
 * painful debugging.
+ *
+ * If you set 'display_errors' to '1', CI4's detailed error report will show.
 */
-error_reporting(-1);
+error_reporting(E_ALL);
 ini_set('display_errors', '1');
 /**

--- a/app/Config/Boot/production.php
+++ b/app/Config/Boot/production.php
@@ -8,9 +8,13 @@ declare(strict_types=1);
 * --------------------------------------------------------------------------
 * Don't show ANY in production environments. Instead, let the system catch
 * it and display a generic error message.
+ *
+ * If you set 'display_errors' to '1', CI4's detailed error report will show.
 */
+error_reporting(E_ALL & ~E_DEPRECATED);
+// If you want to suppress more types of errors.
+// error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT & ~E_USER_NOTICE & ~E_USER_DEPRECATED);
 ini_set('display_errors', '0');
-error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT & ~E_USER_NOTICE & ~E_USER_DEPRECATED);
 /**
 * --------------------------------------------------------------------------

--- a/app/Config/Boot/testing.php
+++ b/app/Config/Boot/testing.php
@@ -2,6 +2,12 @@
 declare(strict_types=1);
+/*
+ * The environment testing is reserved for PHPUnit testing. It has special
+ * conditions built into the framework at various places to assist with that.
+ * You can’t use it for your development.
+ */
 /**
 * --------------------------------------------------------------------------
 * ERROR DISPLAY
@@ -10,7 +16,7 @@ declare(strict_types=1);
 * make sure they don't make it to production. And save us hours of
 * painful debugging.
 */
-error_reporting(-1);
+error_reporting(E_ALL);
 ini_set('display_errors', '1');
 /**

--- a/app/Config/CURLRequest.php
+++ b/app/Config/CURLRequest.php
@@ -18,5 +18,5 @@ class CURLRequest extends BaseConfig
     * If true, all the options won't be reset between requests.
     * It may cause an error request with unnecessary headers.
     */
-    public bool $shareOptions = true;
+    public bool $shareOptions = false;
 }
--- a/app/Config/Cache.php
+++ b/app/Config/Cache.php
--- a/app/Config/Colors.php
+++ b/app/Config/Colors.php
--- a/app/Config/Constants.php
+++ b/app/Config/Constants.php
@@ -11,7 +11,7 @@ declare(strict_types=1);
 |
 | NOTE: this constant is updated upon release with Continuous Integration.
 */
-defined('CP_VERSION') || define('CP_VERSION', '1.0.0-beta.9');
+defined('CP_VERSION') || define('CP_VERSION', '2.0.0-next.3');
 /*
 | --------------------------------------------------------------------
@@ -24,10 +24,23 @@ defined('CP_VERSION') || define('CP_VERSION', '1.0.0-beta.9');
 | classes should use.
 |
 | NOTE: changing this will require manually modifying the
- | existing namespaces of App\* namespaced-classes.
+ | existing namespaces of App* namespaced-classes.
 */
 defined('APP_NAMESPACE') || define('APP_NAMESPACE', 'App');
+/*
+ | --------------------------------------------------------------------
+ | Plugins Path
+ | --------------------------------------------------------------------
+ |
+ | This defines the folder in which plugins will live.
+ */
+defined('PLUGINS_PATH') ||
+    define('PLUGINS_PATH', ROOTPATH . 'plugins' . DIRECTORY_SEPARATOR);
+defined('PLUGINS_KEY_PATTERN') ||
+    define('PLUGINS_KEY_PATTERN', '[a-z0-9]([_.-]?[a-z0-9]+)*\/[a-z0-9]([_.-]?[a-z0-9]+)*');
 /*
 | --------------------------------------------------------------------------
 | Composer Path
@@ -52,9 +65,9 @@ defined('MINUTE') || define('MINUTE', 60);
 defined('HOUR') || define('HOUR', 3600);
 defined('DAY') || define('DAY', 86400);
 defined('WEEK') || define('WEEK', 604800);
-defined('MONTH') || define('MONTH', 2592000);
+defined('MONTH') || define('MONTH', 2_592_000);
-defined('YEAR') || define('YEAR', 31536000);
+defined('YEAR') || define('YEAR', 31_536_000);
-defined('DECADE') || define('DECADE', 315360000);
+defined('DECADE') || define('DECADE', 315_360_000);
 /*
 | --------------------------------------------------------------------------

--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
--- a/app/Config/Cookie.php
+++ b/app/Config/Cookie.php
@@ -84,6 +84,8 @@ class Cookie extends BaseConfig
     * Defaults to `Lax` for compatibility with modern browsers. Setting `''`
     * (empty string) means default SameSite attribute set by browsers (`Lax`)
     * will be set on cookies. If set to `None`, `$secure` must also be set.
+     *
+     * @phpstan-var 'None'|'Lax'|'Strict'|''
     */
    public string $samesite = 'Lax';
No results found