CodeIgniter 4 Task Management App

Expert guidance for developing a CodeIgniter 4 task management and shift-tracking backend application.

Architecture Overview

This is a **CodeIgniter 4** backend with three user roles:

**Admin**: Dashboard, manage users, locations, items, and actions

**Operator**: Submit task completions and view assignments

**Verifikator**: Verification role (work in progress)

**Core Data Model**: Locations contain Items; Items require Actions (checklist); Operators submit TaskSubmissions tracking action completion.

Project Structure

```

app/

Controllers/ # Route handlers (Auth, Admin/*, Operator, Verifikator)

Models/ # CodeIgniter Models extending Model class (m_* = master, r_* = relational)

Database/Migrations/ # Timestamped migrations (migrations create tables, applied via spark migrate)

Database/Seeds/ # Data seeding (e.g., ActionSeeder)

Config/ # Routes.php defines URL groups, Database.php configures connections

Filters/ # MyCors for CORS handling

Libraries/ # JwtService for EdDSA JWT handling (encode/decode)

Commands/ # CLI commands: shift:initialize, status:clean, shift:rotate

Views/ # Not in backend—frontend is separate

```

Instructions

When working with this codebase, follow these patterns and conventions:

1. Models & Database

**Naming Convention**:

- Master tables use `m_` prefix (m_users, m_locations, m_items, m_actions)

- Relational tables use `r_` prefix (r_task_submission, r_task_submission_detail)

**Model Definition**: Each model must declare:

- `$table` - table name

- `$primaryKey` - primary key field

- `$allowedFields` - fields allowed for mass assignment

- `$returnType = 'array'` - return arrays not objects

**Migrations**: Timestamped format (e.g., 2026-01-04-112511_Users.php)

**Database Commands**:

```bash

# Create migration

php spark make:migration create_table_name

# Run migrations

php spark migrate

# Rollback

php spark migrate --rollback

# Refresh

php spark migrate:refresh

# Seed data

php spark db:seed SeedName

```

2. Authentication & Authorization

**JWT Service**: Uses EdDSA signing with Firebase\JWT library

**Session-based**: Store JWT and public key in `$_SESSION['jwt']` and `$_SESSION['key']`

**Login Flow**: `Auth::login()` checks session JWT expiration; routes to `/admin`, `/operator`, or `/verifikator` based on role

**Validation**: Use inline validation rules in controllers with custom error messages in Indonesian

**JWT Handling**:

Keys generated per session via `sodium_crypto_sign_keypair()`

Payload must include `expire_time` (Unix timestamp)

Always check `time() > $jwt['expire_time']` after decode

**Important**: Tokens tied to session; losing session = losing key to decode

3. Controllers

**Extend BaseController**: All controllers extend it; initializes `$this->jwt = new JwtService()`

**Routes**: Grouped by function (auth, admin/manage/*, operator); use RESTful conventions

**Admin Routes**: Nested structure for managing users, locations/tasks/items/actions

**Response Pattern**: Return `view()` or `redirect()`; datatable endpoints expected

4. CORS & Filters

**MyCors Filter**: Handles preflight OPTIONS requests

Currently allows all origins (commented allowlist for localhost:3000, localhost:5173, production domain)

Apply via `Config/Routes` using `$routes->group(...)` with filters

5. CLI Commands

Available commands:

`shift:initialize` - Set up operator shift assignments (supports `--dry-run`, `--force`)

`status:clean` - Cleanup task

`shift:rotate` - Rotate shift assignments

**Pattern**: Extend `BaseCommand`; use `CLI::write()` for output

6. Field Validation & Localization

Declare validation rules inline in controller methods

Error messages in Indonesian (e.g., 'harus diisi' = must be filled)

Access validator via `service('validation')`

7. Testing

```bash

Run PHPUnit

./vendor/bin/phpunit

Coverage

./vendor/bin/phpunit --coverage-html=build/logs/html/

Config: phpunit.xml.dist (covers app/, logs to build/logs/)

```

Common Pitfalls & Solutions

1. **JWT Expiration**: Always check `time() > $jwt['expire_time']` after decode

2. **Role Mapping**: JWT stores 'administrator', 'operator', 'verifikator' but routes use 'admin' directory—map in controller

3. **Protected Fields**: Models have `$protectFields = true`; only fields in `$allowedFields` can be mass-assigned

4. **CORS Origins**: Currently permissive; update MyCors if restricting to frontend domains

5. **Missing Database Config**: Database credentials must be set in `app/Config/Database.php` (hostname, username, password, database)

6. **EdDSA Requirement**: Requires sodium extension enabled in PHP

7. **Public Root**: Web root should point to `public/index.php`, not project root

Configuration Notes

**Base URL**: http://localhost:8080/ (configured in `Config/App.php`)

**Database**: MySQLi driver; configure `app/Config/Database.php`

**Logging**: Configured in `Config/Logger.php`; logs go to `writable/logs/`

**Debugging**: Enable `DBDebug = true` in `Database.php` for SQL debug output

**Table Prefix**: Empty by default in `Config/Database.php`

**Frontend**: Separate (likely Vue/React at localhost:3000 or :5173)

Development Best Practices

1. Use migrations for all database changes

2. Store validation rules inline with Indonesian error messages

3. Return arrays from models (not objects)

4. Extend BaseController for all controllers

5. Use EdDSA for JWT signing

6. Check JWT expiration on every protected route

7. Use `php spark` for all CLI operations

8. Keep frontend separate from backend

9. Use RESTful conventions for routes

10. Apply CORS filters for cross-origin requests

CodeIgniter 4 Task Management App

CodeIgniter 4 Task Management App

Architecture Overview

Project Structure

Instructions

1. Models & Database

2. Authentication & Authorization

3. Controllers

4. CORS & Filters

5. CLI Commands

6. Field Validation & Localization

7. Testing

Run PHPUnit

Coverage

Config: phpunit.xml.dist (covers app/, logs to build/logs/)

Common Pitfalls & Solutions

Configuration Notes

Development Best Practices

Reviews (0)