Environment Keys

The Env class loads configuration values from your .env file. Below are the key environment variables used by Stilmark Base.

Base Configuration

Core configuration variables that control Base framework behavior:

# Base config
APP_ENV=local
SERVER_NAME=base.dev
AUTH_SESSION_NAME=auth
CONTROLLER_NS=BaseApp\Controller\\
ROUTES_PATH=/app/routes.php
ROUTES_CACHE_PATH=/cache/routes.cache.php

Base Config Variables

| Variable | Description | Default | Example |
| --- | --- | --- | --- |
| APP_ENV | Application environment (local, development, production) | local | production |
| APP_DEBUG | Enable debug mode (shows errors, stack traces, etc.) | true in local/development, false otherwise | true |
| SERVER_NAME | Server hostname for the application | base.dev | myapp.com |
| SESSION_AUTH_NAME | Session name for authentication | auth | myapp_auth |
| CONTROLLER_NS | Namespace for controllers | BaseApp\Controller\ | App\Controllers\ |
| ROUTES_PATH | Path to routes configuration file | /app/routes.php | /config/routes.php |
| ROUTES_CACHE_PATH | Path for cached routes | /cache/routes.cache.php | /tmp/routes.cache |

Session Configuration

| Variable | Description | Default | Example |
| --- | --- | --- | --- |
| SESSION_DRIVER | Session storage driver | file | file, redis |
| SESSION_LIFETIME | Session lifetime in minutes | 120 | 1440 (24 hours) |
| SESSION_SECURE_COOKIE | Only send cookie over HTTPS | false | true in production |
| SESSION_HTTP_ONLY | Make cookie accessible only through HTTP (hidden from client-side JavaScript) | true | true |
| SESSION_SAME_SITE | SameSite cookie attribute (CSRF protection level) | Lax | Strict, Lax, None |
| SESSION_SAVE_PATH | Path for file-based sessions | System temp dir | /path/to/sessions |

Geolocation & Localization

# Geolocation
LOCALE=en_US.UTF8
TIMEZONE=Europe/Copenhagen
TIME_STANDARD=CET

Localization Variables

| Variable | Description | Default | Example |
| --- | --- | --- | --- |
| LOCALE | System locale setting | en_US.UTF8 | da_DK.UTF8 |
| TIMEZONE | Default timezone | Europe/Copenhagen | America/New_York |
| TIME_STANDARD | Time standard abbreviation | CET | EST |

Database Configuration

# Database
DB_HOST=localhost
DB_DATABASE=baseapp
DB_USERNAME=local
DB_PASSWORD=local

Database Variables

| Variable | Description | Default | Example |
| --- | --- | --- | --- |
| DB_HOST | Database server hostname | localhost | db.example.com |
| DB_DATABASE | Database name | baseapp | myapp_production |
| DB_USERNAME | Database username | local | app_user |
| DB_PASSWORD | Database password | local | secure_password |

Authentication

Google OAuth2 configuration for authentication:

# Google OAuth
GOOGLE_CLIENT_ID=your_client_id
GOOGLE_CLIENT_SECRET=your_client_secret
GOOGLE_REDIRECT_URI=/auth/google/callback

OAuth Variables

| Variable | Description | Required | Example |
| --- | --- | --- | --- |
| GOOGLE_CLIENT_ID | Google OAuth2 client ID | Yes | 123456789-abc.apps.googleusercontent.com |
| GOOGLE_CLIENT_SECRET | Google OAuth2 client secret | Yes | GOCSPX-abcdefghijklmnop |
| GOOGLE_REDIRECT_URI | OAuth callback URI | Yes | https://myapp.com/auth/google/callback |

CORS Configuration

Cross-Origin Resource Sharing (CORS) configuration for handling requests from different domains:

# CORS Configuration
CORS_ENABLED=false
CORS_ALLOWED_ORIGINS=https://baseapp.dk,https://baseapp.dev
CORS_ALLOWED_METHODS=GET, POST, PUT, DELETE, OPTIONS
CORS_ALLOWED_HEADERS=Content-Type, Authorization, X-Requested-With
CORS_ALLOW_CREDENTIALS=false
CORS_MAX_AGE=86400

CORS Variables

| Variable | Description | Default | Example |
| --- | --- | --- | --- |
| CORS_ENABLED | Enable/disable CORS handling | false | true |
| CORS_ALLOWED_ORIGINS | Comma-separated list of allowed origins | (empty) | https://app.com,https://admin.app.com |
| CORS_ALLOWED_METHODS | HTTP methods allowed for CORS requests | GET, POST, PUT, DELETE, OPTIONS | GET, POST, OPTIONS |
| CORS_ALLOWED_HEADERS | Headers allowed in CORS requests | Content-Type, Authorization, X-Requested-With | Content-Type, X-API-Key |
| CORS_ALLOW_CREDENTIALS | Allow credentials (cookies, auth headers) | false | true |
| CORS_MAX_AGE | Preflight cache duration in seconds | 86400 | 3600 |

CORS Origin Patterns

You can specify origins in several ways:

# Exact domains
CORS_ALLOWED_ORIGINS=https://app.example.com,https://admin.example.com

# Wildcard for all subdomains
CORS_ALLOWED_ORIGINS=https://*.example.com

# Allow all origins (not recommended for production)
CORS_ALLOWED_ORIGINS=*

# Mixed patterns
CORS_ALLOWED_ORIGINS=https://app.com,https://*.dev.example.com,http://localhost:3000
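The page does not show how Base evaluates these patterns, so the following is an added example, not Stilmark Base code, of one way to match an Origin header against such a list with both ends anchored. The function name originAllowed, the sample origins, and the choice that the wildcard covers subdomains at any depth but not the bare domain are assumptions.

```php
<?php
// Added example: anchored matching of CORS_ALLOWED_ORIGINS patterns.
// originAllowed() is a hypothetical helper, not part of Stilmark Base.
function originAllowed(string $origin, string $allowedList): bool
{
    foreach (array_map('trim', explode(',', $allowedList)) as $pattern) {
        if ($pattern === '') {
            continue;
        }
        if ($pattern === '*') {
            return true; // allow-all: every origin matches
        }
        // Escape the pattern literally, then expand the escaped "*" into
        // one or more DNS labels. The character class excludes "/", "@"
        // and ":" so the wildcard cannot swallow a path, userinfo or port.
        $regex = str_replace(
            '\*',
            '[a-z0-9-]+(?:\.[a-z0-9-]+)*',
            preg_quote($pattern, '#')
        );
        // ^...$ with the D modifier anchors both ends of the origin.
        if (preg_match('#^' . $regex . '$#Di', $origin) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample origins, checked against a mixed pattern list.
$allowed = 'https://*.example.com,http://localhost:3000';
$samples = [
    'https://app.example.com',
    'https://a.b.example.com',
    'https://example.com',
    'https://example.com.other.test',
    'https://notexample.com',
    'http://app.example.com',
    'http://localhost:3000',
];
foreach ($samples as $origin) {
    printf("%-34s %s\n", $origin, originAllowed($origin, $allowed) ? 'allow' : 'deny');
}
```

Only the two subdomain origins over HTTPS and the exact localhost entry are allowed; a host that merely contains or ends with the text "example.com" is denied because the literal dot and the end anchor must both match.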

Environment-Specific Configuration

Development Environment

APP_ENV=development
SERVER_NAME=localhost:8000
DB_DATABASE=baseapp_dev
GOOGLE_REDIRECT_URI=http://localhost:8000/auth/google/callback

Production Environment

APP_ENV=production
SERVER_NAME=myapp.com
DB_DATABASE=baseapp_production
GOOGLE_REDIRECT_URI=https://myapp.com/auth/google/callback

Testing Environment

APP_ENV=testing
SERVER_NAME=test.local
DB_DATABASE=baseapp_test
AUTH_SESSION_NAME=test_auth

Custom Application Variables

You can define your own keys in .env for application-specific configuration:

# API Configuration
API_URL=https://api.example.com
API_TIMEOUT=30
API_KEY=your_api_key

# Feature Flags
FEATURE_NEW_UI=true
FEATURE_BETA_ACCESS=false

# Cache Settings
CACHE_DRIVER=redis
CACHE_TTL=3600

# Mail Configuration
MAIL_HOST=smtp.example.com
MAIL_PORT=587
MAIL_USERNAME=noreply@example.com
MAIL_PASSWORD=mail_password

Accessing Variables in Code

use Stilmark\Base\Env;

// Base configuration
$mode = Env::get('APP_ENV', 'local');
$serverName = Env::get('SERVER_NAME', 'localhost');
$controllerNs = Env::get('CONTROLLER_NS', 'BaseApp\\Controller\\');

// Database configuration
$dbConfig = [
    'host' => Env::get('DB_HOST', 'localhost'),
    'database' => Env::get('DB_DATABASE', 'baseapp'),
    'username' => Env::get('DB_USERNAME', 'root'),
    'password' => Env::get('DB_PASSWORD', ''),
];

// Custom variables
$apiUrl = Env::get('API_URL', 'https://api.default.com');
$featureEnabled = Env::get('FEATURE_NEW_UI') === 'true';

Environment Validation

Validate required environment variables on application startup:

use Stilmark\Base\Env;

class EnvValidator
{
    private static array $required = [
        'APP_ENV',
        'SERVER_NAME',
        'DB_HOST',
        'DB_DATABASE',
        'DB_USERNAME',
    ];

    private static array $requiredForAuth = [
        'GOOGLE_CLIENT_ID',
        'GOOGLE_CLIENT_SECRET',
        'GOOGLE_REDIRECT_URI',
    ];

    public static function validate(): void
    {
        $missing = [];
        
        foreach (self::$required as $key) {
            if (!Env::has($key)) {
                $missing[] = $key;
            }
        }
        
        // Check auth variables if authentication is enabled
        if (Env::get('ENABLE_AUTH', 'false') === 'true') {
            foreach (self::$requiredForAuth as $key) {
                if (!Env::has($key)) {
                    $missing[] = $key;
                }
            }
        }
        
        if (!empty($missing)) {
            throw new RuntimeException(
                'Missing required environment variables: ' . 
                implode(', ', $missing)
            );
        }
    }
}

Security Best Practices

  1. Never commit .env files to version control

  2. Use strong passwords for database and API keys

  3. Rotate secrets regularly in production environments

  4. Use environment-specific files (.env.local, .env.production)

  5. Validate required variables during application bootstrap

  6. Use HTTPS for OAuth redirect URIs in production
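Several of these practices can be checked mechanically before a deploy. The following is an added example, not Stilmark Base code: auditProductionEnv is a hypothetical helper that takes already-loaded key/value pairs and flags production settings that conflict with the keys and defaults documented on this page. The sample values are constructed.

```php
<?php
// Added example: audit a production .env against the keys on this page.
// auditProductionEnv() is hypothetical, not part of Stilmark Base; needs PHP 8.
function auditProductionEnv(array $env): array
{
    // Read a key as a trimmed, lower-cased string, with a caller-given default.
    $get = fn(string $key, string $default = ''): string =>
        strtolower(trim((string) ($env[$key] ?? $default)));
    if ($get('APP_ENV', 'local') !== 'production') {
        return []; // the checks below only apply to production
    }
    $findings = [];
    $secure = $get('SESSION_SECURE_COOKIE', 'false') === 'true';
    if ($get('APP_DEBUG', 'false') === 'true') {
        $findings[] = 'APP_DEBUG=true shows errors and stack traces';
    }
    if (!$secure) {
        $findings[] = 'SESSION_SECURE_COOKIE is not true';
    }
    if ($get('SESSION_HTTP_ONLY', 'true') !== 'true') {
        $findings[] = 'SESSION_HTTP_ONLY is not true';
    }
    if ($get('SESSION_SAME_SITE', 'lax') === 'none' && !$secure) {
        $findings[] = 'SESSION_SAME_SITE=None requires a Secure cookie';
    }
    if ($get('CORS_ENABLED', 'false') === 'true') {
        $origins = array_map('trim', explode(',', $get('CORS_ALLOWED_ORIGINS')));
        if (in_array('*', $origins, true) && $get('CORS_ALLOW_CREDENTIALS', 'false') === 'true') {
            $findings[] = 'CORS_ALLOWED_ORIGINS=* with CORS_ALLOW_CREDENTIALS=true';
        }
    }
    if (str_starts_with($get('GOOGLE_REDIRECT_URI'), 'http://')) {
        $findings[] = 'GOOGLE_REDIRECT_URI is not HTTPS';
    }
    if (in_array($get('DB_PASSWORD'), ['', 'local'], true)) {
        $findings[] = 'DB_PASSWORD is empty or the documented default';
    }
    return $findings;
}

// Constructed sample values, not a real deployment.
$sample = [
    'APP_ENV' => 'production', 'APP_DEBUG' => 'true',
    'SESSION_SAME_SITE' => 'None', 'CORS_ENABLED' => 'true',
    'CORS_ALLOWED_ORIGINS' => '*', 'CORS_ALLOW_CREDENTIALS' => 'true',
    'GOOGLE_REDIRECT_URI' => 'http://myapp.com/auth/google/callback',
    'DB_PASSWORD' => 'local',
];
echo implode("\n", auditProductionEnv($sample)), "\n";
```

Run it in the same bootstrap step as the required-variable check and fail the deploy when the returned list is not empty.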
