VOOZH about

URL: https://deepwiki.com/mathsgod/light/10.1-environment-configuration

⇱ Environment Configuration | mathsgod/light | DeepWiki

Loading...
Loading...
Last indexed: 31 January 2026 (cf9511)
Menu

Environment Configuration

Purpose and Scope

This document covers environment-specific configuration through environment variables and the .env file. These settings include sensitive credentials, deployment-specific parameters, and secrets that should not be committed to version control.

For runtime application settings stored in the database (such as mode, mail configuration, and feature flags), see Application Settings. For dependency and package management, see Dependencies and Package Management.

Sources: README.md1-40

Configuration Architecture

The Light framework loads environment variables during application bootstrap to configure critical infrastructure components. These variables are read from a .env file in the application root directory and accessed through PHP's $_ENV superglobal.

Environment Variable Flow Diagram



Sources: src/App.php64-66 src/App.php616-629 src/App.php647 src/App.php671-684 src/App.php810-813 README.md6-17 README.md20-27 README.md29-39




Required Environment Variables


Database Connection Configuration


The Light framework requires six database environment variables to establish MySQL connectivity. These variables are consumed by the Light\DB database abstraction layer.

















































VariableRequiredDescriptionExample
DATABASE_HOSTNAMEYesMySQL server hostname or IP addresslocalhost, db.example.com
DATABASE_DATABASEYesDatabase name to connect tolight_production
DATABASE_USERNAMEYesDatabase user with appropriate privilegeslight_user
DATABASE_PASSWORDYesDatabase user passwordsecure_password_123
DATABASE_PORTNoMySQL port number (defaults to 3306)3306
DATABASE_CHARSETNoCharacter set for database connectionutf8mb4


Configuration Example:




Sources: README.md9-17




JWT Secret Configuration


The JWT_SECRET environment variable is a cryptographically secure random string used for signing and verifying JSON Web Tokens (JWT). This secret is critical for the security of the authentication system.



















VariableRequiredDescriptionSecurity Notes
JWT_SECRETYesRandom string for JWT token signingMust be at least 32 characters; use cryptographically secure random generation


Purpose:


    

  • Signs access tokens generated by User.login()
    • 

  • Validates tokens in Auth\Service during request authentication
    • 

  • Prevents token forgery and tampering
    • 



Generation Example:




Configuration Example:




Security Considerations:


    

  • Never commit the actual secret to version control
    • 

  • Rotate the secret periodically (requires re-authentication of all users)
    • 

  • Use different secrets for development, staging, and production environments
    • 

  • Store production secrets in secure vault systems (e.g., AWS Secrets Manager, HashiCorp Vault)
    • 



Sources: README.md20-27




OAuth Provider Configuration


The Light framework supports OAuth-based social authentication. Each OAuth provider requires provider-specific credentials obtained from their developer consoles.


Google OAuth Configuration


To enable Google Sign-In, install the Google API client library and configure the client ID:


Installation:




Environment Variable:



















VariableRequiredDescriptionObtain From
GOOGLE_CLIENT_IDNo*OAuth 2.0 client ID from Google Cloud ConsoleGoogle Cloud Console → APIs & Services → Credentials


*Required only if Google authentication is enabled.


Configuration Example:




Usage Flow:


    

  1. Client calls googleAuth mutation in AuthController with OAuth token
    2. 

  2. AuthController validates token using GOOGLE_CLIENT_ID
    3. 

  3. User is authenticated or registered based on Google account information
    4. 



Sources: README.md29-39




Cookie Configuration


The framework uses HTTP-only cookies to store JWT tokens. Cookie behavior is controlled by several environment variables that affect security, cross-site access, and partitioning.





































VariableRequiredDefaultDescription
COOKIE_DOMAINNo"" (empty)Domain scope for cookies; empty allows subdomain sharing
COOKIE_SECURENofalseRequires HTTPS for cookie transmission
COOKIE_SAMESITENo"Lax"Controls cross-site cookie behavior (Strict, Lax, or None)
COOKIE_PARTITIONEDNofalseEnables partitioned cookies for third-party context (HTTPS only)


Configuration Example:




Cookie Partitioning: When COOKIE_PARTITIONED=true and HTTPS is enabled ($_SERVER["HTTPS"] == "on"), the framework appends ;Partitioned to the SameSite attribute, enabling CHIPS (Cookies Having Independent Partitioned State) for third-party contexts.


Implementation Details:


The App::setAccessTokenCookie() method src/App.php614-629 constructs the cookie with these settings:




Refresh Token Cookies: The refresh token uses a path-restricted cookie src/App.php671-684 with scope limited to /refresh_token (or {API_PREFIX}/refresh_token if API_PREFIX is set).


Sources: src/App.php614-629 src/App.php671-684




Timezone Configuration


The framework supports timezone configuration via the TZ environment variable, which sets the default timezone for all date/time operations.



















VariableRequiredDescriptionExample Values
TZNoPHP timezone identifierUTC, America/New_York, Asia/Tokyo


Configuration Example:




Implementation: The App constructor checks for $_ENV["TZ"] and calls date_default_timezone_set() during initialization src/App.php64-66


Sources: src/App.php64-66




API Path Prefix Configuration


The API_PREFIX environment variable allows mounting the API under a custom path prefix, affecting the refresh token cookie path.



















VariableRequiredDescriptionExample
API_PREFIXNoPath prefix for API endpoints/api, /v1


Configuration Example:




Effect on Refresh Token: When set, the refresh token cookie is scoped to {API_PREFIX}/refresh_token instead of the script directory src/App.php671-674


Sources: src/App.php671-674




WebAuthn Configuration


WebAuthn (FIDO2) authentication requires configuration of the Relying Party identifier, which must match the domain serving the application.



















VariableRequiredDescriptionDefault
RP_IDNoWebAuthn Relying Party ID (domain)$_SERVER["SERVER_NAME"]


Configuration Example:




Implementation: The App::getRpId() method src/App.php804-814 returns $_ENV["RP_ID"] if set, otherwise falls back to the server name. The special case "0.0.0.0" is converted to "localhost" for local development.


WebAuthn Entity Creation:




Sources: src/App.php804-814 src/App.php816-832




Environment File Setup


Creating the .env File


The .env file should be created in the application root directory (same level as composer.json). This file is typically excluded from version control via .gitignore.


Minimal .env Template:




Environment-Specific Configuration


Development Environment (.env.development):




Production Environment (.env.production):




Security Best Practices


Environment Variable Security Checklist:










































PracticeDescriptionCritical
Version Control ExclusionAdd .env to .gitignore to prevent committing secrets✓ Yes
File PermissionsSet .env to 0600 (read/write owner only) on Unix systems✓ Yes
Secret RotationRotate JWT_SECRET and database passwords periodicallyRecommended
Environment SeparationUse different credentials for dev/staging/production✓ Yes
Vault IntegrationUse secret management services for productionRecommended
Minimal AccessGrant database users only necessary privileges✓ Yes


File Permission Commands:




Configuration Loading


The framework loads environment variables during application bootstrap in Light\App. Variables are accessed using PHP's $_ENV superglobal array:




Implementation Reference:



Sources: src/App.php64-66 src/App.php614-629 src/App.php647 README.md1-40




Environment Variable Validation


Missing Variable Detection


The Light framework performs validation during bootstrap to ensure required environment variables are set. Missing critical variables will prevent application startup.


Critical Variables Checked:


    

  • Database connection parameters (DATABASE_HOSTNAME, DATABASE_DATABASE, DATABASE_USERNAME)
    • 

  • JWT secret (JWT_SECRET)
    • 



Validation Recommendations:


Create a validation script to check configuration before deployment:




Production Checklist:










































VariableCheckNotes
JWT_SECRET✓ Minimum 32 charactersValidate strength
COOKIE_SECURE✓ Set to true for HTTPSRequired for production
COOKIE_SAMESITE✓ Set to Strict or LaxPrevents CSRF attacks
DATABASE_PASSWORD✓ Strong passwordAvoid default/weak passwords
RP_ID✓ Matches domainRequired if using WebAuthn
TZ✓ Set explicitlyAvoid server timezone differences


Sources: src/App.php64-66 src/App.php614-629 src/App.php647 src/App.php804-814




Configuration Reference Summary


Complete Environment Variable Reference Table:






































































CategoryVariableTypeRequiredPurpose
DatabaseDATABASE_HOSTNAMEStringYesMySQL server address
DATABASE_DATABASEStringYesDatabase name
DATABASE_USERNAMEStringYesDatabase user
DATABASE_PASSWORDStringYesDatabase password
DATABASE_PORTIntegerNoMySQL port (default: 3306)
DATABASE_CHARSETStringNoCharacter encoding (default: utf8mb4)
AuthenticationJWT_SECRETStringYesJWT signing key (min 32 chars)
OAuthGOOGLE_CLIENT_IDStringConditionalGoogle OAuth client ID


Sources: README.md1-40