Last indexed: 31 January 2026 (cf9511)

Controllers

Purpose and Scope

Controllers in the Light framework are PHP classes that expose GraphQL operations (queries and mutations) through annotation-based declaration. They serve as the primary API entry points for client applications, handling authentication flows, configuration management, file operations, and business logic. Controllers use GraphQLite annotations to define schema elements and integrate with the RBAC system for authorization.

For detailed information about specific controllers, see:

Authentication operations: AuthController
Configuration and user preferences: AppController
File system operations: FileSystemController
User management: User Management Operations
Audit trail operations: RevisionController

For GraphQL schema generation and type system details, see Schema Generation and Type System. For the root query type, see Root Query Type (Light\Type\App).

Controller Architecture Pattern

Controllers in Light are standard PHP classes decorated with GraphQLite annotations. They do not extend a base class but follow a consistent pattern for exposing operations through the GraphQL API.

Controller Class Structure Diagram

Sources: src/Controller/AuthController.php1-636 src/Controller/AppController.php1-150

Available Controllers

The Light framework includes several built-in controllers organized by domain:

Controller	File Path	Primary Responsibility	Importance Score
`AuthController`	`src/Controller/AuthController.php`	Authentication mutations: login, logout, 2FA, OAuth, password management	69.18
`AppController`	`src/Controller/AppController.php`	Configuration updates, user preferences (style, language, menu), session revocation	35.86
`FileSystemController`	Referenced in architecture	File and folder CRUD operations, uploads, filesystem configuration	40.67
`RevisionController`	Referenced in architecture	Audit trail queries, revision restoration	Not scored

Sources: Architecture diagrams, src/Controller/AuthController.php1-636 src/Controller/AppController.php1-150

Controller Patterns and Conventions

Method Declaration Pattern

Controllers use GraphQLite annotations to declare GraphQL operations:

Example from AuthController:

src/Controller/AuthController.php105-118

Sources: src/Controller/AuthController.php105-118 src/Controller/AppController.php22-27

Authorization Annotations

Controllers enforce authorization through two primary annotations:

Annotation	Purpose	Example	Behavior
`@Logged`	Requires authentication	`#[Logged]`	Throws error if user not authenticated
`@Right('permission')`	Requires specific permission	`#[Right('config.update')]`	Checks RBAC permission against user roles

Multiple annotations stack to create combined requirements:

src/Controller/AppController.php59-72

Sources: src/Controller/AuthController.php105-118 src/Controller/AppController.php59-72

Dependency Injection Patterns

Controllers use GraphQLite's dependency injection through annotations:

Common Dependency Injection Diagram

Example usage patterns:

App Injection - Access core application services:

src/Controller/AuthController.php373-456

User Injection - Access authenticated user:

src/Controller/AuthController.php474-490

Sources: src/Controller/AuthController.php373-456 src/Controller/AuthController.php474-490 src/Controller/AppController.php22-27

Controller to GraphQL Operation Mapping

The following diagram shows how controller methods map to GraphQL operations exposed to clients:

Sources: src/Controller/AuthController.php1-636 src/Controller/AppController.php1-150

Authentication Flow Pattern

Controllers implement authentication operations following a consistent pattern:

Key implementation details:

Account Lockout: Checked via User::isAuthLocked() method src/Controller/AuthController.php403-405
Password Verification: Uses PasswordVerify() with legacy hash detection src/Controller/AuthController.php458-465
2FA Validation: Validates TOTP codes when user.secret exists src/Controller/AuthController.php420-428
Password Expiration: Checks expiration based on password_dt field src/Controller/AuthController.php446-452
Session Creation: Delegates to App::userLogin() for JWT generation src/Controller/AuthController.php454

Sources: src/Controller/AuthController.php373-456 src/Controller/AuthController.php458-465

Configuration Management Pattern

AppController provides mutations for managing system configuration:

Configuration Update Flow

Implementation details:

Single config update: src/Controller/AppController.php59-72
Batch config update: src/Controller/AppController.php35-57
Menu configuration: src/Controller/AppController.php74-91

All configuration mutations require:

@Logged annotation for authentication
@Right('config.update') or @Right('menu.update') for authorization

Sources: src/Controller/AppController.php35-91

User Preference Management

AppController provides mutations for managing per-user preferences:

Mutation	Parameters	Purpose	Authorization
`updateMyStyle`	`name: String!`, `value: Any!`	Updates single style preference	`@Logged` only
`updateMyStyles`	`value: [KeyValue!]!`	Batch updates style preferences	`@Logged` only
`updateMyLanguage`	`name: String!`	Updates user language preference	`@Logged` only
`updateMyMenu`	`menu: Any!`	Updates custom menu configuration	`@Logged` only