Conversation

@levivannoort levivannoort commented Dec 15, 2025

Summary by CodeRabbit

  • New Features

    • Added configurable trusted-proxy header handling to improve client IP detection behind proxies/load balancers.
  • Tests

    • Updated cookie test to allow multiple Set-Cookie headers with the same name (prevents accidental override).
  • Chores

    • Updated framework dependency constraint to exact 0.33.35.
    • Removed the top-level compose file version entry from docker-compose configuration.

coderabbitai bot commented Dec 15, 2025

Walkthrough

Updated composer.json to change the required version constraint for "utopia-php/framework" from "0.33.*" to "0.33.35". Added a protected property in src/Swoole/Request.php to store trusted proxy header names, added setTrustedIpHeaders(array $headers) to normalize/configure them, and modified getIP() to prefer the leftmost valid IP from those trusted headers before falling back to REMOTE_ADDR; docblocks and notes updated. Removed the top-level version: '3' entry from docker-compose.yml. In tests/e2e/server.php the second Set-Cookie call now passes override: false to allow multiple cookies with the same name.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Inspect src/Swoole/Request.php:
    • Validate header normalization in setTrustedIpHeaders().
    • Verify getIP() selects the leftmost header value, trims/normalizes contents, and validates IPv4/IPv6 correctly; check fallback to REMOTE_ADDR.
    • Confirm property visibility, defaults, mutation behavior, and docblock accuracy.
  • Review tests/e2e/server.php:
    • Confirm Set-Cookie change (override: false) matches test intent and does not introduce duplicate-cookie regressions.
  • Verify composer.json change uses the intended fixed version 0.33.35.
  • Quick check of docker-compose.yml removal of top-level version entry for project conventions.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main objective of duplicating changes from the http package to the swoole package, which aligns with the file modifications across composer.json, Request.php, docker-compose.yml, and tests/e2e/server.php.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4056787 and 1f06c2d.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • composer.json (1 hunks)
🔇 Additional comments (1)
composer.json (1)

18-18: The pinned version 0.33.35 is valid and justified.

The composer.lock file confirms utopia-php/framework 0.33.35 is installed and locked. The Request.php in this PR implements the trusted IP header mechanism (setTrustedIpHeaders and getIP extraction), which requires this specific version. The pinned constraint (rather than a wildcard range) is intentional and appropriate for ensuring the required features are available.



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 150c307 and af6911b.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • composer.json (1 hunks)
  • src/Swoole/Request.php (2 hunks)
🧰 Additional context used
🪛 GitHub Actions: CodeQL
src/Swoole/Request.php

[error] 22-22: PHPStan: Property Utopia\Swoole\Request::$trustedIpHeaders type has no value specified for iterable type 'array'.
[error] 83-83: PHPStan: Method Utopia\Swoole\Request::setTrustedIpHeaders() has parameter $headers with no value type specified in iterable type 'array'.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Unit & E2E
🔇 Additional comments (2)
composer.json (1)

18-18: LGTM! Version constraint syntax modernized.

The change from "0.33.*" to "0.33.x" is a syntax update that maintains the same version range. Both constraints match versions 0.33.0, 0.33.1, etc., but the "x" notation is the preferred modern syntax.

src/Swoole/Request.php (1)

101-123: Consider rejecting private IP ranges in trusted headers.

The filter_var($ip, FILTER_VALIDATE_IP) validation accepts private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x) and reserved ranges (127.x.x.x, 0.0.0.0) by default. If this IP is used for security decisions (rate limiting, access control, logging), an attacker could spoof trusted headers with private IPs to bypass restrictions.

Consider using additional flags to reject private and reserved ranges:

if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    return $ip;
}

However, this depends on your use case—if legitimate clients connect from private networks behind proxies, rejecting private IPs would break functionality. Please verify whether your application requires this additional validation.
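Added illustration, not the project's own Request.php (whose code is not shown in this thread): a minimal resolver that follows the behaviour the walkthrough describes (take the leftmost valid entry from the first configured trusted header that carries one, else fall back to REMOTE_ADDR) and shows what the stricter filter_var flags suggested above do to a request whose X-Forwarded-For was prefixed with a private address before it reached the load balancer. Function names, the lower-cased header array, the header-iteration order and all addresses are assumptions or constructed sample input.

```php
<?php
// Added example, not utopia-php/swoole code. Assumed: headers are kept in an
// array keyed by lower-cased name, and trusted headers are consulted in the
// order they were configured.

function normaliseHeaderName(string $name): string
{
    return strtolower(trim($name));
}

/**
 * @param array<string,string> $headers       request headers, lower-cased names
 * @param array<int,string>    $trusted       names configured via setTrustedIpHeaders()
 * @param string               $remoteAddr    REMOTE_ADDR from the socket
 * @param bool                 $rejectPrivate apply FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
 */
function resolveClientIp(array $headers, array $trusted, string $remoteAddr, bool $rejectPrivate): string
{
    $flags = $rejectPrivate ? (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) : 0;

    foreach ($trusted as $name) {
        $raw = $headers[normaliseHeaderName($name)] ?? null;
        if ($raw === null) {
            continue;
        }
        // Comma-separated chain "client, proxy1, proxy2": leftmost first, as in the walkthrough.
        foreach (explode(',', $raw) as $candidate) {
            $ip = trim($candidate);
            if (filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false) {
                return $ip;
            }
        }
    }

    // No trusted header yielded a valid address: fall back to the socket peer.
    return $remoteAddr;
}

// Constructed sample: the client prepended a private address to the chain.
$headers = ['x-forwarded-for' => '10.0.0.5, 203.0.113.10'];
$trusted = ['X-Forwarded-For'];
$peer    = '198.51.100.7';

var_dump(resolveClientIp($headers, $trusted, $peer, false)); // default FILTER_VALIDATE_IP only
var_dump(resolveClientIp($headers, $trusted, $peer, true));  // with the range flags the review suggests
var_dump(resolveClientIp([], $trusted, $peer, true));        // no trusted header present: REMOTE_ADDR
```

The range flags only drop private and reserved entries; whether the leftmost public value can still be spoofed depends on the proxy in front stripping or overwriting the header, which the review's caveat about legitimate private-network clients should be weighed against.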

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tests/e2e/server.php (1)

74-75: For consistency, explicitly set override: false on both Set-Cookie headers.

Line 75 correctly uses override: false to allow multiple Set-Cookie headers to coexist. Consider applying the same explicit parameter to line 74 for clarity:

$response->addHeader('Set-Cookie', 'key1=value1', override: false);
$response->addHeader('Set-Cookie', 'key2=value2', override: false);

The framework version 0.33.x (confirmed in composer.json) supports the override parameter in Response::addHeader().

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dbc52e2 and 8c31908.

📒 Files selected for processing (1)
  • tests/e2e/server.php (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
tests/e2e/server.php (1)
src/Swoole/Request.php (1)
  • addHeader (338-343)

@loks0n loks0n merged commit e42b6b8 into master Dec 15, 2025
4 checks passed

4 participants