Introduce Responde bridge implementation with tests.

[terabytesoftw]

Q	A
Is bugfix?	❌
New feature?	✔️
Breaks BC?	❌

Summary by CodeRabbit

• New Features
  • Added conversion of Yii responses to PSR-7 compatible responses, including status, headers, cookies, and body content.
  • Enhanced cookie handling with proper formatting, validation, and session cookie support.
• Bug Fixes
  • Improved error messaging for missing cookie validation keys.
• Chores
  • Updated dependencies and static analysis configuration.
  • Adjusted code style tool settings.
• Tests
  • Added extensive tests covering response conversion and detailed cookie handling scenarios.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (92b54b5) to head (6ee7f0b).
Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##                main       #21   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
- Complexity        99       130   +31     
===========================================
  Files              6         8    +2     
  Lines            252       343   +91     
===========================================
+ Hits             252       343   +91     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Walkthrough

The changes introduce a new ResponseAdapter class to convert Yii2 Response objects to PSR-7 responses, including comprehensive cookie handling and validation. A new Response class with a getPsr7Response() method is added, along with related tests, static analysis configuration, dependency updates, and a new message enum for missing cookie validation keys. The test suite verifies conversion correctness and cookie formatting under various scenarios.

Changes

File(s)	Change Summary
src/adapter/ResponseAdapter.php	New final class ResponseAdapter for converting Yii Response to PSR-7 ResponseInterface, including cookie formatting and validation.
src/http/Response.php	New final class Response extends Yii Response, adds getPsr7Response() method for PSR-7 conversion with session cookie support and lifecycle event handling.
tests/adapter/ResponseAdapterTest.php	New comprehensive PHPUnit test suite for ResponseAdapter, covering cookie formatting, validation, edge cases, and response conversion.
tests/http/ResponseTest.php	New PHPUnit test class for Response conversion to PSR-7 responses, testing session states, cookie handling, and lifecycle events.
src/exception/Message.php	Added new enum case COOKIE_VALIDATION_KEY_NOT_CONFIGURED for missing cookie validation key errors.
tests/phpstan-config.php	New PHPStan config mapping PSR-17 interfaces to concrete implementations for static analysis.
composer.json	Added psr/http-factory as a required dependency.
.styleci.yml	Removed fully_qualified_strict_types rule from code style configuration.
tests/TestCase.php	Extended tearDownAfterClass() to flush logger and close session after all tests.

Sequence Diagram(s)

sequenceDiagram
    participant YiiResponse as Yii\Response
    participant ResponseAdapter
    participant PSR7Factory as ResponseFactoryInterface/StreamFactoryInterface
    participant PSR7Response as PSR-7 ResponseInterface

    YiiResponse->>ResponseAdapter: Construct with Yii\Response, factories
    ResponseAdapter->>PSR7Factory: Create PSR-7 response (status, headers)
    ResponseAdapter->>YiiResponse: Read cookies, headers, body
    ResponseAdapter->>ResponseAdapter: Format/validate cookies
    ResponseAdapter->>PSR7Response: Set headers, cookies, body
    ResponseAdapter-->>YiiResponse: Return PSR-7 response

Loading

sequenceDiagram
    participant App as Application
    participant YiiResponse as Response
    participant ResponseAdapter
    participant PSR7Response as PSR-7 Response

    App->>YiiResponse: Trigger beforeSend event, prepare response
    YiiResponse->>App: Check session component
    App->>YiiResponse: Add session cookie if active
    YiiResponse->>ResponseAdapter: Create adapter with factories
    ResponseAdapter->>PSR7Response: Convert Yii response to PSR-7
    YiiResponse->>App: Trigger afterSend event, mark sent, close session
    App-->>PSR7Response: Return PSR-7 response

Loading

Estimated code review effort

4 (~90 minutes)

Poem

In the warren of code, a new bridge is spun,
Yii’s response now meets PSR-7’s run.
Cookies are baked with validation and care,
Headers and bodies adapted with flair.
With tests in the meadow and config anew—
This rabbit hops forward, as frameworks do! 🐇

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 65b21f1 and 6ee7f0b.

📒 Files selected for processing (1)

• tests/TestCase.php (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• tests/TestCase.php

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

src/adapter/ResponseAdapter.php (1)

30-31: Remove unnecessary PHPStan ignore comment

The @phpstan-ignore-next-line comment appears unnecessary. If there's a type issue, it should be addressed properly rather than ignored.

-// @phpstan-ignore-next-line
 $psr7Response = $psr7Response->withHeader($name, $values);

If PHPStan is complaining about the type of $values, ensure that getHeaders() returns the correct type annotation in the Yii Response class.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92b54b5 and 00eea09.

📒 Files selected for processing (3)

• src/adapter/ResponseAdapter.php (1 hunks)
• src/http/Response.php (1 hunks)
• tests/phpstan-config.php (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

src/http/Response.php (3)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

src/adapter/ResponseAdapter.php (2)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

🪛 GitHub Check: phpstan / PHP 8.4-ubuntu-latest

src/http/Response.php

[failure] 42-42:
Access to undefined constant yii2\extensions\psrbridge\http\Response::EVENT_AFTER_SEND.

---

[failure] 28-28:
Cannot call method add() on mixed.

---

[failure] 28-28:
Access to an undefined property yii2\extensions\psrbridge\http\Response::$cookies.

---

[failure] 24-24:
Call to an undefined method yii2\extensions\psrbridge\http\Response::trigger().

---

[failure] 24-24:
Access to undefined constant yii2\extensions\psrbridge\http\Response::EVENT_AFTER_PREPARE.

---

[failure] 23-23:
Call to an undefined method yii2\extensions\psrbridge\http\Response::prepare().

---

[failure] 22-22:
Call to an undefined method yii2\extensions\psrbridge\http\Response::trigger().

---

[failure] 22-22:
Access to undefined constant yii2\extensions\psrbridge\http\Response::EVENT_BEFORE_SEND.

---

[failure] 17-17:
Parameter #1 $response of class yii2\extensions\psrbridge\adapter\ResponseAdapter constructor expects yii\web\Response, $this(yii2\extensions\psrbridge\http\Response) given.

---

[failure] 12-12:
Class yii2\extensions\psrbridge\http\Response extends unknown class Yii\web\Response.

🪛 GitHub Check: mutation / PHP 8.4-ubuntu-latest

src/http/Response.php

[failure] 42-42:
Access to undefined constant yii2\extensions\psrbridge\http\Response::EVENT_AFTER_SEND.

---

[failure] 28-28:
Cannot call method add() on mixed.

---

[failure] 28-28:
Access to an undefined property yii2\extensions\psrbridge\http\Response::$cookies.

---

[failure] 24-24:
Call to an undefined method yii2\extensions\psrbridge\http\Response::trigger().

---

[failure] 24-24:
Access to undefined constant yii2\extensions\psrbridge\http\Response::EVENT_AFTER_PREPARE.

---

[failure] 23-23:
Call to an undefined method yii2\extensions\psrbridge\http\Response::prepare().

---

[failure] 22-22:
Call to an undefined method yii2\extensions\psrbridge\http\Response::trigger().

---

[failure] 22-22:
Access to undefined constant yii2\extensions\psrbridge\http\Response::EVENT_BEFORE_SEND.

---

[failure] 17-17:
Parameter #1 $response of class yii2\extensions\psrbridge\adapter\ResponseAdapter constructor expects yii\web\Response, $this(yii2\extensions\psrbridge\http\Response) given.

---

[failure] 12-12:
Class yii2\extensions\psrbridge\http\Response extends unknown class Yii\web\Response.

🔇 Additional comments (2)

tests/phpstan-config.php (1)

1-15: LGTM!

The PHPStan configuration correctly maps PSR-17 interfaces to their concrete implementations for static analysis.

src/adapter/ResponseAdapter.php (1)

98-98: Ensure Max-Age is never negative

The Max-Age calculation could result in a negative value if the cookie has already expired. While max(0, ...) prevents negative values, consider if expired cookies should be handled differently.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f86130 and fb976b7.

📒 Files selected for processing (1)

• composer.json (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/http/Response.php (2)

15-21: Consider adding error handling for missing factory services.

The implementation correctly uses dependency injection for PSR-7 factories. However, consider adding error handling for cases where the required factory services might not be registered in the container.

 public function getPsr7Response(): ResponseInterface
 {
+    if (!Yii::$container->has(ResponseFactoryInterface::class)) {
+        throw new \yii\base\InvalidConfigException('ResponseFactoryInterface service is not registered.');
+    }
+    if (!Yii::$container->has(StreamFactoryInterface::class)) {
+        throw new \yii\base\InvalidConfigException('StreamFactoryInterface service is not registered.');
+    }
+
     $adapter = new ResponseAdapter(
         $this,
         Yii::$container->get(ResponseFactoryInterface::class),
         Yii::$container->get(StreamFactoryInterface::class),
     );

---

56-64: Consider conditional session closure.

The session is closed regardless of whether it was active. While this may be intentional for cleanup, consider whether inactive sessions need to be closed.

+        if ($session->getIsActive()) {
             $session->close();
+        }

Alternatively, if unconditional closure is intended for cleanup purposes, a comment explaining this design decision would be helpful.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb976b7 and ca33321.

📒 Files selected for processing (3)

• composer.json (1 hunks)
• src/adapter/ResponseAdapter.php (1 hunks)
• src/http/Response.php (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• composer.json
• src/adapter/ResponseAdapter.php

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

src/http/Response.php (3)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

🔇 Additional comments (5)

src/http/Response.php (5)

1-12: LGTM! Clean imports and namespace structure.

The file structure follows PSR standards with appropriate imports for PSR-7 interfaces, Yii components, and the custom ResponseAdapter.

---

13-13: LGTM! Proper class declaration with final modifier.

The final modifier appropriately prevents inheritance while extending Yii's base response class.

---

23-25: LGTM! Proper Yii response lifecycle handling.

The method correctly triggers the response lifecycle events and prepares the response according to Yii's conventions.

---

27-35: LGTM! Clean early return path for non-session scenarios.

The early return pattern efficiently handles cases where no session component exists, avoiding unnecessary session processing.

---

37-54: Comprehensive session cookie handling with good parameter mapping.

The implementation properly maps all session cookie parameters from Yii's session configuration to the Cookie object, with sensible defaults. The active session check ensures cookies are only added when appropriate.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 215abbc and 1cc58fc.

📒 Files selected for processing (2)

• src/adapter/ResponseAdapter.php (1 hunks)
• tests/http/PSR7ResponseTest.php (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

tests/http/PSR7ResponseTest.php (3)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

src/adapter/ResponseAdapter.php (2)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

🧬 Code Graph Analysis (1)

src/adapter/ResponseAdapter.php (2)

tests/support/FactoryHelper.php (2)

• createResponse (97-115)
• createStream (145-148)

tests/support/stub/HTTPFunctions.php (1)

• header (93-108)

🪛 Gitleaks (8.27.2)

tests/http/PSR7ResponseTest.php

565-565: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 GitHub Check: mutation / PHP 8.4-ubuntu-latest

src/adapter/ResponseAdapter.php

[warning] 100-100:
Escaped Mutant for Mutator "IncrementInteger":

@@ @@
// add expiration
if (is_int($cookie->expire) && $cookie->expire !== 0) {
$header .= '; Expires=' . gmdate('D, d-M-Y H:i:s T', $cookie->expire);

•        $header .= '; Max-Age=' . max(0, $cookie->expire - time());
  

•        $header .= '; Max-Age=' . max(1, $cookie->expire - time());
     }
     // add path
     if ($cookie->path !== '') {
  

---

[warning] 100-100:
Escaped Mutant for Mutator "DecrementInteger":

@@ @@
// add expiration
if (is_int($cookie->expire) && $cookie->expire !== 0) {
$header .= '; Expires=' . gmdate('D, d-M-Y H:i:s T', $cookie->expire);

•        $header .= '; Max-Age=' . max(0, $cookie->expire - time());
  

•        $header .= '; Max-Age=' . max(-1, $cookie->expire - time());
     }
     // add path
     if ($cookie->path !== '') {
  

---

[warning] 91-91:
Escaped Mutant for Mutator "ArrayItemRemoval":

@@ @@
$value = $cookie->value;
// apply validation if enabled and not a delete cookie
if ($enableValidation && $validationKey !== null && ($cookie->value === '' || $cookie->expire !== 0 && $cookie->expire < time())) {

•        $value = Yii::$app->getSecurity()->hashData(Json::encode([$cookie->name, $cookie->value]), $validationKey);
  

•        $value = Yii::$app->getSecurity()->hashData(Json::encode([$cookie->value]), $validationKey);
     }
     // build cookie header
     $header = urlencode($cookie->name) . '=' . urlencode($value);
  

---

[warning] 89-89:
Escaped Mutant for Mutator "LessThan":

@@ @@
{
$value = $cookie->value;
// apply validation if enabled and not a delete cookie

•    if ($enableValidation && $validationKey !== null && ($cookie->value === '' || $cookie->expire !== 0 && $cookie->expire < time())) {
  

•    if ($enableValidation && $validationKey !== null && ($cookie->value === '' || $cookie->expire !== 0 && $cookie->expire <= time())) {
         $value = Yii::$app->getSecurity()->hashData(Json::encode([$cookie->name, $cookie->value]), $validationKey);
     }
     // build cookie header
  

---

[warning] 72-72:
Escaped Mutant for Mutator "Continue_":

@@ @@
foreach ($this->response->getCookies() as $cookie) {
// Skip cookies with empty values
if ($cookie->value === null || $cookie->value === '') {

•            continue;
  

•            break;
         }
         $headers[] = $this->formatCookieHeader($cookie, $enableValidation, $validationKey);
     }
  

🔇 Additional comments (5)

src/adapter/ResponseAdapter.php (4)

15-19: Constructor is well-designed with proper dependency injection.

The use of constructor property promotion and interface type hints follows best practices.

---

21-43: Well-implemented PSR-7 conversion logic.

The method correctly handles status, headers, cookies, and body conversion. The use of withAddedHeader for cookies is appropriate to support multiple Set-Cookie headers.

Note: The @phpstan-ignore-next-line comment on line 31 might be unnecessary if the Yii Response headers are properly typed. Consider verifying if this suppression is still needed.

---

45-79: Robust cookie header building with proper validation checks.

The method correctly handles cookie validation settings and properly skips empty cookies. The exception thrown for missing validation key is a good security practice.

---

94-129: Cookie header formatting is comprehensive and correct.

The method properly URL-encodes cookie name/value and correctly formats all cookie attributes including expiration, path, domain, secure, httpOnly, and sameSite flags.

tests/http/PSR7ResponseTest.php (1)

1-651: Comprehensive test suite with good coverage.

The test suite thoroughly covers various cookie scenarios, edge cases, and response attributes. The tests are well-organized and use appropriate assertions.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92e2946 and e1b83e1.

📒 Files selected for processing (1)

• tests/adapter/ResponseAdapterTest.php (1 hunks)

🧠 Learnings (2)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

tests/adapter/ResponseAdapterTest.php (6)

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses $expire !== 1 to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: #21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with expire == 1 are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses if ($expire != 1 && isset($validationKey)) to determine when to apply validation hashing.

🪛 Gitleaks (8.27.2)

tests/adapter/ResponseAdapterTest.php

170-170: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

404-404: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

503-503: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

650-650: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

719-719: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

863-863: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

1029-1029: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

1229-1229: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

tests/adapter/ResponseAdapterTest.php (6)

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses $expire !== 1 to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: #21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with expire == 1 are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses if ($expire != 1 && isset($validationKey)) to determine when to apply validation hashing.

🪛 Gitleaks (8.27.2)

tests/adapter/ResponseAdapterTest.php

170-170: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

404-404: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

503-503: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

650-650: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

719-719: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

863-863: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

1029-1029: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

1229-1229: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (23)

tests/adapter/ResponseAdapterTest.php (23)

1-24: Well-structured test file setup!

The file has proper namespace, imports, and class declaration. Good use of PHPUnit attributes and function imports.

---

25-106: Comprehensive test for all cookie attributes!

Excellent coverage of all cookie attributes with proper assertions. The test correctly verifies that the cookie value is hashed when validation is enabled.

---

108-160: Good coverage of basic cookie scenario!

The test properly verifies default attribute values and hashed cookie value.

---

162-220: Correctly tests DateTimeImmutable expiration handling!

The test properly verifies that expired cookies bypass validation/hashing, which aligns with the expected behavior for deletion cookies.

---

222-259: Clean test for default validation behavior!

---

261-328: Excellent edge case testing for optional attributes!

The test thoroughly verifies that empty/false/null attributes are properly excluded from the Set-Cookie header.

---

330-394: Proper session cookie testing!

Correctly verifies that session cookies (expire=0) don't include Expires or Max-Age attributes.

---

396-451: Good edge case testing for current time expiration!

Correctly verifies that cookies expiring at the current time are still validated/hashed with Max-Age=0.

---

453-493: Proper Max-Age clamping verification!

Good test ensuring Max-Age is never negative for expired cookies.

---

495-543: Correctly tests Yii2's special expire=1 behavior!

The test properly verifies that cookies with expire=1 bypass validation, which aligns with Yii2's deletion cookie handling.

---

545-585: Good test for future expiration handling!

---

587-640: Excellent special character handling test!

Properly verifies URL encoding and value hashing for cookies with special characters.

---

642-709: Thorough string expiration testing!

Good coverage of string-based expiration dates with proper validation.

---

762-812: Good test for disabled validation!

Correctly verifies that cookies use plain values when validation is disabled.

---

814-853: Clean test for validation disabled without key!

---

855-906: Correctly tests expired cookie validation bypass!

The test properly verifies that expired cookies are not hashed even when validation is enabled.

---

908-953: Precise Max-Age=0 verification!

Good use of regex to ensure exact Max-Age value.

---

955-1019: Excellent integration test!

Comprehensive test covering status codes, headers, body content, and cookies in a single response.

---

1021-1080: Important security test for hash uniqueness!

Excellent test verifying that cookie names are included in hash calculations, preventing value swapping attacks.

---

1082-1136: Good multiple cookie handling test!

Correctly verifies that each cookie gets its own Set-Cookie header.

---

1138-1186: Excellent empty value filtering test!

Properly verifies that cookies with empty or null values are excluded from Set-Cookie headers.

---

1188-1219: Proper validation key error handling!

Good test ensuring proper exception is thrown with the correct message when validation key is missing.

---

711-760: Verify expire comparison logic for string '1' in ResponseAdapter

I wasn’t able to locate any strict (!== 1) or loose (!= 1) comparison against the cookie’s expire value in the ResponseAdapter. Please confirm that the adapter treats a string "1" the same as integer 1—i.e., both should bypass cookie-validation hashing just like Yii’s deletion cookies.

• Check in src/adapter/ResponseAdapter.php for the conditional that skips validation when expire == 1
• Ensure it accommodates both integer 1 and string "1" (or convert to int before comparing)
• Add/adjust tests if needed to cover "1" vs 1 behavior explicitly

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e1b83e1 and a4b0e90.

📒 Files selected for processing (1)

• tests/adapter/ResponseAdapterTest.php (1 hunks)

🧠 Learnings (2)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

tests/adapter/ResponseAdapterTest.php (6)

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses $expire !== 1 to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: #21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with expire == 1 are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses if ($expire != 1 && isset($validationKey)) to determine when to apply validation hashing.

🪛 Gitleaks (8.27.2)

tests/adapter/ResponseAdapterTest.php

170-170: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

404-404: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

503-503: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

650-650: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

719-719: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

863-863: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

916-916: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

1088-1088: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

tests/adapter/ResponseAdapterTest.php (6)

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses $expire !== 1 to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: #21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with expire == 1 are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses if ($expire != 1 && isset($validationKey)) to determine when to apply validation hashing.

🪛 Gitleaks (8.27.2)

tests/adapter/ResponseAdapterTest.php

170-170: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

404-404: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

503-503: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

650-650: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

719-719: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

863-863: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

916-916: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

1088-1088: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (2)

tests/adapter/ResponseAdapterTest.php (2)

1217-1226: No changes required: Yii’s Cookie class accepts null values and ResponseAdapter correctly skips null/empty cookies

The yii\web\Cookie class inherits from yii\base\BaseObject, which assigns any passed config—including value => null—directly to the property without error. The ResponseAdapter::formatCookieHeader() method then properly omits cookies with null or empty-string values, so your test for skipping a null-valued cookie is valid.

All existing assertions remain correct; you can safely ignore the earlier concern about null handling.

Likely an incorrect or invalid review comment.

---

711-760: Review testFormatCookieWithStringExpireOne behavior

The test’s rationale—asserting that a cookie with expire='1' (string) bypasses validation—is correct per Yii2’s use of loose comparison (!= 1), not strict (!== 1). The comment should be updated to reference the loose comparison behavior rather than a strict one.

• Please confirm that in ResponseAdapter::formatCookieHeader() the code uses
if ($expire != 1 && isset($validationKey))
so that both integer 1 and string '1' are treated as “delete” cookies and skip hashing.
• If that’s the case, no functional change is needed; simply adjust the test comment to:
“String '1' should bypass validation due to loose != 1 comparison.”

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/http/ResponseTest.php (1)

373-373: Consider explicitly verifying default cookie params.

While setting empty array works, it would be more explicit to verify the actual default values are applied.

Consider enhancing the test to verify actual default values:

-        $session->setCookieParams([]);
+        // Verify defaults by not setting cookie params at all
+        // or explicitly check the default values after setting empty array
+        $session->setCookieParams([]);
+        $params = $session->getCookieParams();
+        self::assertArrayHasKey('httponly', $params);
+        self::assertTrue($params['httponly'], 'HttpOnly should be true by default');

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a4b0e90 and 65b21f1.

📒 Files selected for processing (2)

• tests/TestCase.php (1 hunks)
• tests/http/ResponseTest.php (1 hunks)

🧠 Learnings (3)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/adapter/ResponseAdapterTest.php:436-450
Timestamp: 2025-07-22T10:56:44.383Z
Learning: In yii2-extensions/psr-bridge cookie validation logic, a cookie is only considered expired when expire < current time (strictly less than). When expire == current time, the cookie is still valid and validation/hashing should apply. Only cookies with expire < current time should skip validation.

tests/TestCase.php (3)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

tests/http/ResponseTest.php (7)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses $expire !== 1 to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: #21
File: tests/adapter/ResponseAdapterTest.php:436-450
Timestamp: 2025-07-22T10:56:44.383Z
Learning: In yii2-extensions/psr-bridge cookie validation logic, a cookie is only considered expired when expire < current time (strictly less than). When expire == current time, the cookie is still valid and validation/hashing should apply. Only cookies with expire < current time should skip validation.

Learnt from: terabytesoftw
PR: #21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with expire == 1 are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses if ($expire != 1 && isset($validationKey)) to determine when to apply validation hashing.

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/adapter/ResponseAdapterTest.php:436-450
Timestamp: 2025-07-22T10:56:44.383Z
Learning: In yii2-extensions/psr-bridge cookie validation logic, a cookie is only considered expired when expire < current time (strictly less than). When expire == current time, the cookie is still valid and validation/hashing should apply. Only cookies with expire < current time should skip validation.

tests/TestCase.php (3)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

tests/http/ResponseTest.php (7)

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.300Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Learnt from: terabytesoftw
PR: #6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.457Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.524Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses $expire !== 1 to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Learnt from: terabytesoftw
PR: #21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.402Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Learnt from: terabytesoftw
PR: #21
File: tests/adapter/ResponseAdapterTest.php:436-450
Timestamp: 2025-07-22T10:56:44.383Z
Learning: In yii2-extensions/psr-bridge cookie validation logic, a cookie is only considered expired when expire < current time (strictly less than). When expire == current time, the cookie is still valid and validation/hashing should apply. Only cookies with expire < current time should skip validation.

Learnt from: terabytesoftw
PR: #21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.055Z
Learning: In Yii2, cookies with expire == 1 are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses if ($expire != 1 && isset($validationKey)) to determine when to apply validation hashing.

🔇 Additional comments (1)

tests/http/ResponseTest.php (1)

18-187: Well-structured test with comprehensive session cookie verification!

The test thoroughly validates the PSR-7 response conversion with an active session, including proper event handling, cookie hashing, and all session cookie attributes.