Strata is PSR-15. Every request passes through a middleware stack before hitting your controller.
```
Request → Middleware 1 → Middleware 2 → Route Handler → Middleware 2 → Middleware 1 → Response
```
```php
use Strata\App;

$app = new App();

// Global middleware - runs on every request
$app->add(new CorsMiddleware());
$app->add(new SessionMiddleware());

// Route-specific middleware
$app->get('/admin', fn() => 'Dashboard')
    ->add(new AuthMiddleware());

$app->run();
```
Implement Psr\Http\Server\MiddlewareInterface:
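```php
<?php
namespace App\Middleware;

// Assumption: any PSR-7 response class with a (status, headers, body) constructor works here;
// nyholm/psr7 is shown, swap in the implementation your app uses.
use Nyholm\Psr7\Response;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class AuthMiddleware implements MiddlewareInterface
{
    public function process(
        ServerRequestInterface $request,
        RequestHandlerInterface $handler
    ): ResponseInterface {
        // The 'user' attribute must be set by an earlier middleware;
        // if nothing sets it, the request is rejected (fails closed).
        $user = $request->getAttribute('user');
        if (!$user) {
            return new Response(401, [], 'Unauthorized');
        }

        // Continue to next middleware or handler
        return $handler->handle($request);
    }
}
```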
No base classes. No traits. Just PSR-15.
| Package | What it does |
|---|---|
| middlewares/cors | CORS headers |
| middlewares/whoops | Pretty error pages in dev |
| middlewares/csrf | CSRF protection. Or use TokenManager - see Security |
Middleware added first runs first on the way in and last on the way out. The response path is last-in-first-out.

```php
$app->add($middleware1); // Runs first
$app->add($middleware2); // Runs second
$app->add($middleware3); // Runs third
```
Put error handlers first. Put session/auth early. Put CORS before auth, so that preflight requests (which carry no credentials) and 401 responses still get CORS headers.
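
Why the order matters, as an added example that is not Strata code: a middleware that decorates the response only sees a short-circuited 401 if it sits outside the middleware that returned it. `AddCorsHeader`, `RequireUser` and the `Stack` dispatcher are hypothetical stand-ins, the request and origin are constructed, and the script assumes `nyholm/psr7` and `psr/http-server-middleware` are installed via Composer.

```php
<?php
// Added example, not Strata code. Assumes: composer require nyholm/psr7 psr/http-server-middleware
require 'vendor/autoload.php';

use Nyholm\Psr7\{Response, ServerRequest};
use Psr\Http\Message\{ResponseInterface, ServerRequestInterface};
use Psr\Http\Server\{MiddlewareInterface, RequestHandlerInterface};

// Simplified stand-in for a CORS middleware (no preflight handling): acts on the way out.
final class AddCorsHeader implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        return $handler->handle($request)->withHeader('Access-Control-Allow-Origin', 'https://app.example');
    }
}

// Same check as AuthMiddleware above: acts on the way in and may short-circuit.
final class RequireUser implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        return $request->getAttribute('user')
            ? $handler->handle($request)
            : new Response(401, [], 'Unauthorized');
    }
}

// Hypothetical minimal dispatcher: the first middleware in the list is the outermost layer.
final class Stack implements RequestHandlerInterface
{
    public function __construct(private array $middleware, private \Closure $route) {}

    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        if ($this->middleware === []) {
            return ($this->route)($request);
        }
        $next = new self(array_slice($this->middleware, 1), $this->route);
        return $this->middleware[0]->process($request, $next);
    }
}

$route  = fn() => new Response(200, [], 'Dashboard');
$anon   = new ServerRequest('GET', '/admin'); // constructed request with no 'user' attribute
$orders = ['CORS first' => [new AddCorsHeader(), new RequireUser()],
           'auth first' => [new RequireUser(), new AddCorsHeader()]];
foreach ($orders as $label => $order) {
    $res = (new Stack($order, $route))->handle($anon);
    printf("%s: %d, CORS header %s\n", $label, $res->getStatusCode(),
        $res->hasHeader('Access-Control-Allow-Origin') ? 'present' : 'missing');
}
```

Both orders reject the anonymous request, but only the first returns a 401 that a cross-origin browser client can actually read.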