@terabytesoftw terabytesoftw commented Aug 8, 2025

Q A
Is bugfix? ✔️
New feature?
Breaks BC?

Summary by CodeRabbit

  • New Features
    • Added support for retrieving the server name from requests, with improved handling of edge cases.
  • Bug Fixes
    • Enhanced error handling for missing server variables, ensuring clear exceptions are raised when necessary.
  • Tests
    • Expanded test coverage for server name retrieval, cookie validation, and error scenarios.
    • Improved assertion accuracy and consistency in test messages.
    • Simplified test cleanup and global state management for better reliability.
  • Chores
    • Introduced a constant for cookie validation keys to standardize test configurations.

terabytesoftw and others added 2 commits August 8, 2025 10:57

coderabbitai bot commented Aug 8, 2025

Walkthrough

A new getServerName() method was introduced to the Request class, supporting PSR-7 adapters with fallback logic. Comprehensive tests were added and updated to cover edge cases for server name retrieval, cookie validation, and error handling. Assertion consistency and test robustness were improved across related test suites.

Changes

Cohort / File(s) | Change Summary
Request Class Enhancement: src/http/Request.php | Added the public method getServerName() to the Request class. The method retrieves the server name using a PSR-7 adapter if present, otherwise falls back to the parent implementation. Docblock and type annotations were included. No other logic was changed.
ServerRequest Adapter Test Improvements: tests/adapter/ServerRequestAdapterTest.php | Added and updated tests for getServerName() covering various edge cases (empty, missing, non-string, null values). Introduced tests for cookie validation errors and immutability. Assertion messages were standardized and code style improved. Deprecated tests were removed and replaced with more explicit exception tests. Enhanced coverage for secure header filtering and independent request handling. Minor fixes and formatting adjustments were applied.
Request Test Suite Updates: tests/http/RequestTest.php | Removed the tearDown() override, replacing it with explicit application closure in relevant tests. Assertion messages were standardized. Tests now use assertSame for stricter equality. Added tests for error handling when server variables are missing and for fallback behavior when the PSR-7 adapter is not set. Simplified handling of global variables in tests. Minor comment and formatting fixes.
Test Case Constant Addition: tests/TestCase.php | Added a protected constant COOKIE_VALIDATION_KEY to centralize the cookie validation key used in tests, replacing hardcoded strings.
Response Adapter Test Cleanup: tests/adapter/ResponseAdapterTest.php | Removed hardcoded cookie validation key strings in test configurations, replacing some with the class constant COOKIE_VALIDATION_KEY. No logic or assertion changes.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Request
    participant PSR7Adapter
    participant ParentRequest

    Client->>Request: getServerName()
    alt PSR-7 adapter is set
        Request->>PSR7Adapter: getServerParam('SERVER_NAME')
        alt SERVER_NAME is valid string
            PSR7Adapter-->>Request: server name (string)
            Request-->>Client: server name
        else SERVER_NAME missing/invalid
            PSR7Adapter-->>Request: null
            Request-->>Client: null
        end
    else No PSR-7 adapter
        Request->>ParentRequest: getServerName()
        ParentRequest-->>Request: server name or null
        Request-->>Client: server name or null
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~18 minutes

Suggested labels

bug

Poem

A rabbit hopped through lines of code,
Where server names and cookies strode.
With tests anew and errors caught,
Each edge case covered, nothing forgot!
Now every request, with adapter or not,
Knows its own name—oh, what a plot!
🐇✨


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06d8333 and ae5a64d.

📒 Files selected for processing (1)
  • tests/http/RequestTest.php (50 hunks)
🧰 Additional context used
🧠 Learnings (12)
📓 Common learnings
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.341Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.341Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.495Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#64
File: tests/http/StatelessApplicationTest.php:1939-1967
Timestamp: 2025-08-06T22:52:05.608Z
Learning: In yii2-extensions/psr-bridge tests, when testing specific component methods like Request::resolve(), it's necessary to call $app->handle($request) first to initialize all application components before testing the method in isolation. This ensures proper component lifecycle initialization.
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#71
File: tests/TestCase.php:23-27
Timestamp: 2025-08-08T15:24:06.045Z
Learning: In yii2-extensions/psr-bridge (tests/TestCase.php), maintainer preference: it’s acceptable to use random-looking strings for test-only constants like COOKIE_VALIDATION_KEY; no need to replace with an obviously non-secret value unless CI/secret scanners become problematic.
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#71
File: tests/adapter/ServerRequestAdapterTest.php:2215-2215
Timestamp: 2025-08-08T15:28:00.137Z
Learning: In yii2-extensions/psr-bridge tests, prefer using self::COOKIE_VALIDATION_KEY from tests/TestCase over hardcoded 'cookieValidationKey' strings to avoid secret scanners FP and improve maintainability.
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#71
File: tests/adapter/ServerRequestAdapterTest.php:2215-2215
Timestamp: 2025-08-08T15:28:00.137Z
Learning: In yii2-extensions/psr-bridge, tests extend tests/TestCase which defines a protected const COOKIE_VALIDATION_KEY. Test code should use self::COOKIE_VALIDATION_KEY instead of hardcoded cookieValidationKey literals.
📚 Learning: 2025-08-03T16:24:09.241Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#53
File: src/http/ErrorHandler.php:258-272
Timestamp: 2025-08-03T16:24:09.241Z
Learning: In yii2-extensions/psr-bridge, the StatelessApplication creates a new Response instance for each request in the reset() method (line 408: `$this->response = new Response($this->components['response'] ?? []);`), then passes it to ErrorHandler::setResponse(). This means the template response is not shared across requests, so calling clear() on it in createErrorResponse() is safe and doesn't cause side effects.

Applied to files:

  • tests/http/RequestTest.php
📚 Learning: 2025-08-03T16:24:09.241Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#53
File: src/http/ErrorHandler.php:258-272
Timestamp: 2025-08-03T16:24:09.241Z
Learning: In yii2-extensions/psr-bridge, the StatelessApplication creates a new Response instance for each request in the reset() method, then passes it to ErrorHandler::setResponse(). This means the template response is not shared across requests, so calling clear() on it in createErrorResponse() is safe and doesn't cause side effects.

Applied to files:

  • tests/http/RequestTest.php
📚 Learning: 2025-07-22T00:50:26.546Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.546Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Applied to files:

  • tests/http/RequestTest.php
📚 Learning: 2025-07-22T01:01:13.426Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.426Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Applied to files:

  • tests/http/RequestTest.php
🧬 Code Graph Analysis (1)
tests/http/RequestTest.php (4)
src/http/Request.php (9)
  • Request (52-801)
  • getAuthCredentials (94-139)
  • getCsrfTokenFromHeader (242-245)
  • getServerName (544-551)
  • resolve (696-716)
  • getRemoteHost (464-471)
  • reset (672-675)
  • getScriptUrl (518-525)
  • getUrl (649-656)
tests/TestCase.php (1)
  • closeApplication (62-76)
tests/provider/RequestProvider.php (2)
  • getHostInfo (85-190)
  • getUrl (287-303)
src/adapter/ServerRequestAdapter.php (2)
  • getScriptUrl (304-316)
  • getUrl (379-389)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: phpunit / PHP 8.3-windows-latest
  • GitHub Check: phpunit / PHP 8.4-windows-latest
  • GitHub Check: mutation / PHP 8.3-ubuntu-latest
  • GitHub Check: mutation / PHP 8.3-ubuntu-latest


codecov bot commented Aug 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (3a8419a) to head (ae5a64d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##                main       #71   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
- Complexity       307       309    +2     
===========================================
  Files             12        12           
  Lines            780       784    +4     
===========================================
+ Hits             780       784    +4     


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (6)
tests/adapter/ServerRequestAdapterTest.php (4)

1018-1031: Test name vs. expectation mismatch

Method name says “ReturnNull…” but the assertion expects an empty string. Rename for clarity.

-    public function testReturnNullFromHeaderWhenCsrfHeaderEmptyAndAdapterIsSet(): void
+    public function testReturnEmptyStringFromHeaderWhenCsrfHeaderPresentButEmpty(): void
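
Review bot: the suggested name on the `+` line drops the `AndAdapterIsSet` suffix that the original name carried, so the test name no longer says that the adapter code path is the one being exercised. Keeping the qualifier, for example `testReturnEmptyStringFromHeaderWhenCsrfHeaderEmptyAndAdapterIsSet`, fixes the Null versus empty-string mismatch without losing that information.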

1048-1106: Server name test coverage is thorough

Good coverage for:

  • Present string
  • Missing
  • Null
  • Non-string
  • Empty array
  • Reset behavior
  • Independent instances

Optional: consolidate the “null-ish / invalid types” cases into a data provider to reduce duplication.

Also applies to: 1522-1536, 2122-2197


590-608: Direct $_SERVER manipulation in tests — OK given base TestCase cleanup

Per project learnings, TestCase setUp/tearDown handles $_SERVER snapshot/restore, so this is safe. Consider a brief inline comment referencing that to preempt future cleanup code additions.

Also applies to: 1482-1499, 2043-2059


1630-1637: filesize() assertions — pragmatic but consider robustness

Assertions guard against false, good. If flakiness ever appears across environments, consider virtual FS (e.g., vfsStream) to avoid relying on real paths. Not required now.

Also applies to: 804-811

tests/http/RequestTest.php (2)

624-627: Strengthen the assertion – check the actual value, not just non-null

assertNotNull() only proves that some token is returned; it doesn’t guarantee you are falling back to the expected header value (parent-csrf-token-456).
Using assertSame('parent-csrf-token-456', …) would catch regressions where an unexpected default is returned.


1597-1609: Move reset() after you prepare $_SERVER

reset() clears internal caches; calling it before you populate $_SERVER risks the object still carrying a stale script URL if anything is cached between the constructor and this test.
Safer sequence:

-        $request->reset();
-
-        $_SERVER['SCRIPT_NAME'] = '/test.php';
-        $_SERVER['SCRIPT_FILENAME'] = '/path/to/test.php';
+        $_SERVER['SCRIPT_NAME'] = '/test.php';
+        $_SERVER['SCRIPT_FILENAME'] = '/path/to/test.php';
+
+        $request->reset();
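
Review bot: after the reorder, `$request->reset();` sits below the two `$_SERVER` assignments with nothing in the code saying that the order matters. A one-line comment above it, noting that the reset has to run after `SCRIPT_NAME` and `SCRIPT_FILENAME` are populated, would keep a later tidy-up from moving the call back to the top.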
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3a8419a and 086fba2.

📒 Files selected for processing (3)
  • src/http/Request.php (1 hunks)
  • tests/adapter/ServerRequestAdapterTest.php (68 hunks)
  • tests/http/RequestTest.php (50 hunks)
🧰 Additional context used
🧠 Learnings (9)
📚 Learning: 2025-07-21T23:28:20.089Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.089Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

Applied to files:

  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-07-22T10:56:44.424Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/adapter/ResponseAdapterTest.php:436-450
Timestamp: 2025-07-22T10:56:44.424Z
Learning: In yii2-extensions/psr-bridge cookie validation logic, a cookie is only considered expired when expire < current time (strictly less than). When expire == current time, the cookie is still valid and validation/hashing should apply. Only cookies with expire < current time should skip validation.

Applied to files:

  • tests/adapter/ServerRequestAdapterTest.php
🪛 Gitleaks (8.27.2)
tests/adapter/ServerRequestAdapterTest.php

2215-2215: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (11)
src/http/Request.php (1)

527-551: Add getServerName() with PSR-7 support — looks correct

  • Uses getServerParam('SERVER_NAME') ensuring type-safety (string|null).
  • Falls back cleanly to parent implementation when adapter is null.
  • Docblock matches behavior and return type.

No changes requested.

tests/adapter/ServerRequestAdapterTest.php (10)

21-23: Import additions are appropriate

Adding is_array and stream_get_meta_data imports is warranted and used below.


100-124: Cookie collection after reset — solid behavior assertions

Confirms a new CookieCollection instance is returned and old state doesn’t leak post-reset. Good.


2201-2232: Read-only CookieCollection mutation test is correct

Expecting InvalidCallException on add() against read-only collection is appropriate.


2234-2250: InvalidConfigException when validation enabled but key empty — correct

This enforces configuration correctness early. Good guardrail.


523-525: Invalid cookies with validation enabled — behavior confirmed

Asserting an empty collection when cookies fail validation is consistent with the adapter contract.


2082-2120: Secure headers filtering logic — strong negative test

Properly filters X-Forwarded-* and related headers when request isn’t from a trusted host, while preserving normal headers. Good assertions.


567-571: Script URL tests are precise

  • Empty in worker mode or traditional mode without SCRIPT_NAME.
  • Uses SCRIPT_NAME when traditional mode and present.

Matches adapter behavior; messages are clear.

Also applies to: 584-587, 1512-1518


1900-1903: General adapter behavior tests — LGTM

Query params/string, raw body, remote host/IP, and uploaded files conversions are well-covered and assertions are crisp.

Also applies to: 1404-1407, 1358-1389, 1425-1429, 1440-1443, 1454-1458, 1473-1477, 1761-1761, 1846-1847


931-969: Multiple validated cookies — comprehensive

Validates multiple signatures and ensures decrypted values and names match. Solid coverage.

Also applies to: 953-990


1936-1956: Validated cookie(s) happy path — correct

Ensures only valid signed cookies pass, name/value integrity preserved, and expire null as expected.

Also applies to: 1961-2015

…t in `TestCase` class and update related tests.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
tests/TestCase.php (1)

193-193: Good centralization of cookieValidationKey

Replacing per-test literals with a single source in TestCase improves consistency and reduces drift across the suite.

Consider adding a brief docblock on the constant noting it’s test-only and intentionally non-secret to document intent (and help future readers/scanners).

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 086fba2 and 61552dd.

📒 Files selected for processing (3)
  • tests/TestCase.php (2 hunks)
  • tests/adapter/ResponseAdapterTest.php (1 hunks)
  • tests/http/RequestTest.php (50 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • tests/http/RequestTest.php
🧰 Additional context used
🧠 Learnings (7)
📚 Learning: 2025-07-22T01:01:13.426Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.426Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Applied to files:

  • tests/adapter/ResponseAdapterTest.php
  • tests/TestCase.php
📚 Learning: 2025-07-20T16:33:57.495Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.495Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Applied to files:

  • tests/TestCase.php
📚 Learning: 2025-07-20T16:35:15.341Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.341Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Applied to files:

  • tests/TestCase.php
📚 Learning: 2025-07-20T16:35:15.341Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.341Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Applied to files:

  • tests/TestCase.php
🪛 Gitleaks (8.27.2)
tests/TestCase.php

26-26: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: phpunit / PHP 8.4-windows-latest
  • GitHub Check: phpunit / PHP 8.1-windows-latest
  • GitHub Check: mutation / PHP 8.3-ubuntu-latest
  • GitHub Check: mutation / PHP 8.3-ubuntu-latest
🔇 Additional comments (1)
tests/adapter/ResponseAdapterTest.php (1)

909-909: LGTM: use inherited test key via self::COOKIE_VALIDATION_KEY

Clean replacement of hardcoded literal with the shared constant. Visibility is protected in the parent TestCase, so inheritance here is valid.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🔭 Outside diff range comments (2)
tests/http/RequestTest.php (2)

77-103: CSRF “unsafe” / “safe” method lists are reversed

GET and HEAD are safe methods; DELETE, PATCH, PUT are unsafe.
The test currently expects the opposite, so it will fail against the real implementation (and mask regressions).

-foreach (['GET', 'HEAD', 'POST'] as $method) {   // unsafe
+foreach (['POST', 'PUT', 'PATCH', 'DELETE'] as $method) {   // unsafe
...
-foreach (['DELETE', 'PATCH', 'PUT', 'OPTIONS'] as $method) { // safe
+foreach (['GET', 'HEAD', 'OPTIONS'] as $method) {            // safe
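
Review bot: The loop bodies are elided (`...`), so the swap cannot be checked against what each loop asserts; before applying, confirm that the first loop's assertion is the one intended for `POST`, `PUT`, `PATCH` and `DELETE` and the second loop's is the one intended for `GET`, `HEAD` and `OPTIONS`. `POST` stays in the first list and `OPTIONS` in the second in both versions, so only `GET`/`HEAD` and `DELETE`/`PATCH`/`PUT` trade places.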

924-932: Set $_SERVER['SERVER_NAME'] before instantiating Request

Request may snapshot super-globals in its constructor.
Instantiate the object only after populating $_SERVER to avoid false-positives.

-    $request = new Request();
-
-    $_SERVER['SERVER_NAME'] = 'servername';
+    $_SERVER['SERVER_NAME'] = 'servername';
+    $request = new Request();
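
Review bot: Moving `new Request()` below the `$_SERVER['SERVER_NAME']` assignment changes what the test covers: in the old order it also showed that the value is read at call time rather than captured at construction. If that lazy read is intended behaviour, keep a test in the old order alongside this one; the new order is valid under either behaviour.
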
♻️ Duplicate comments (3)
tests/http/RequestTest.php (2)

1733-1741: Same ordering issue for getScriptUrl()

Clear $_SERVER prior to new Request(); otherwise SCRIPT_NAME from the runtime environment prevents the expected exception.

-    $request = new Request();
-
+    $_SERVER = [];
+    $request = new Request();
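
Review bot: `$_SERVER = [];` wipes every server variable, which hides which keys the exception actually depends on (the comment names `SCRIPT_NAME`). Consider unsetting only the keys the method consults, so the test documents its precondition and a later change that makes the method read another variable is noticed.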

1723-1731: getScriptFile() exception test can pass even when it shouldn’t

The environment already contains SCRIPT_FILENAME when PHPUnit runs, so the call will not throw.
Blank $_SERVER before creating Request:

-    $request = new Request();
-
+    $_SERVER = [];
+    $request = new Request();
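
Review bot: Nothing in the added `$_SERVER = [];` line says why the superglobal is emptied; a one-line comment above it stating that the PHPUnit runtime sets `SCRIPT_FILENAME` would keep a later cleanup from removing the line as redundant.
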
tests/adapter/ServerRequestAdapterTest.php (1)

95-97: Centralise the dummy cookieValidationKey constant

The literal string 'test-validation-key-32-characters' is repeated throughout the test suite. A shared constant already exists in TestCase (see previous PR discussion); use it instead to:

• eliminate duplication
• silence generic-API-key scanners (Gitleaks) with a single allow-list entry
• simplify future changes to the value

Example diff:

- $request->cookieValidationKey = 'test-validation-key-32-characters';
+ $request->cookieValidationKey = self::COOKIE_VALIDATION_KEY;
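
Review bot: Replacing the literal with `self::COOKIE_VALIDATION_KEY` does not by itself clear the scanner finding: the Gitleaks result on this page points at `tests/TestCase.php` line 26, where the constant is defined. The allow-list entry for that line or path needs to be part of the same change, and a docblock on the constant marking it as a test-only, non-secret value would record why it is allow-listed.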

Apply the same replacement in every occurrence listed above (and any future tests).

Also applies to: 305-307, 378-380, 517-518, 940-964, 1912-1933, 2214-2216

🧹 Nitpick comments (2)
tests/adapter/ServerRequestAdapterTest.php (2)

21-22: Avoid unnecessary use function import for built-ins

is_array() is a core PHP function and does not need to be imported explicitly. Removing the import keeps the header cleaner without changing behaviour.


95-97: Remove redundant key assignment when validation is disabled

In tests where $request->enableCookieValidation = false, setting cookieValidationKey is unnecessary noise and can be removed after the constant refactor.

Also applies to: 305-307, 378-380

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 61552dd and 06d8333.

📒 Files selected for processing (2)
  • tests/adapter/ServerRequestAdapterTest.php (67 hunks)
  • tests/http/RequestTest.php (50 hunks)
🧰 Additional context used
🧠 Learnings (11)
📚 Learning: 2025-07-20T16:35:15.341Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.341Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods (lines 28 and 32), so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Applied to files:

  • tests/http/RequestTest.php
  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-07-20T16:33:57.495Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1564-1578
Timestamp: 2025-07-20T16:33:57.495Z
Learning: The TestCase class in yii2-extensions/psr-bridge automatically handles $_SERVER superglobal cleanup by saving its original state before each test and restoring it afterward in setUp() and tearDown() methods. Manual $_SERVER cleanup in individual test methods is unnecessary when extending this TestCase.

Applied to files:

  • tests/http/RequestTest.php
  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-07-20T16:35:15.341Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#6
File: tests/http/RequestTest.php:1536-1552
Timestamp: 2025-07-20T16:35:15.341Z
Learning: In the yii2-extensions/psr-bridge project, the base TestCase class already handles $_SERVER cleanup in setUp() and tearDown() methods, so individual test methods that extend TestCase don't need manual $_SERVER restoration.

Applied to files:

  • tests/http/RequestTest.php
  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-08-06T22:52:05.608Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#64
File: tests/http/StatelessApplicationTest.php:1939-1967
Timestamp: 2025-08-06T22:52:05.608Z
Learning: In yii2-extensions/psr-bridge tests, when testing specific component methods like Request::resolve(), it's necessary to call $app->handle($request) first to initialize all application components before testing the method in isolation. This ensures proper component lifecycle initialization.

Applied to files:

  • tests/http/RequestTest.php
  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-08-03T16:24:09.241Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#53
File: src/http/ErrorHandler.php:258-272
Timestamp: 2025-08-03T16:24:09.241Z
Learning: In yii2-extensions/psr-bridge, the StatelessApplication creates a new Response instance for each request in the reset() method (line 408: `$this->response = new Response($this->components['response'] ?? []);`), then passes it to ErrorHandler::setResponse(). This means the template response is not shared across requests, so calling clear() on it in createErrorResponse() is safe and doesn't cause side effects.

Applied to files:

  • tests/http/RequestTest.php
📚 Learning: 2025-08-03T16:24:09.241Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#53
File: src/http/ErrorHandler.php:258-272
Timestamp: 2025-08-03T16:24:09.241Z
Learning: In yii2-extensions/psr-bridge, the StatelessApplication creates a new Response instance for each request in the reset() method, then passes it to ErrorHandler::setResponse(). This means the template response is not shared across requests, so calling clear() on it in createErrorResponse() is safe and doesn't cause side effects.

Applied to files:

  • tests/http/RequestTest.php
📚 Learning: 2025-07-22T00:50:26.546Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T00:50:26.546Z
Learning: In yii2-extensions/psr-bridge, the ResponseAdapter::formatCookieHeader() method uses `$expire !== 1` to skip validation for Yii2's special deletion cookies, but this should be extended to handle all expired cookies, not just the special case where expire=1.

Applied to files:

  • tests/http/RequestTest.php
  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-07-22T01:01:13.426Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/http/PSR7ResponseTest.php:0-0
Timestamp: 2025-07-22T01:01:13.426Z
Learning: In yii2-extensions/psr-bridge, expired cookies should not be hashed/validated because they are deletion cookies meant to remove existing cookies from the client browser. The validation logic should only apply to live cookies (expire=0 or expire >= current time) and skip validation for both the special Yii2 deletion case (expire=1) and regular expired cookies.

Applied to files:

  • tests/http/RequestTest.php
  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-07-21T23:28:20.089Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: src/adapter/ResponseAdapter.php:86-98
Timestamp: 2025-07-21T23:28:20.089Z
Learning: In Yii2, cookies with `expire == 1` are treated as delete cookies and cookie validation is skipped for them. The official Yii2 Response::sendCookies() method uses `if ($expire != 1 && isset($validationKey))` to determine when to apply validation hashing.

Applied to files:

  • tests/adapter/ServerRequestAdapterTest.php
📚 Learning: 2025-07-22T10:56:44.424Z
Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#21
File: tests/adapter/ResponseAdapterTest.php:436-450
Timestamp: 2025-07-22T10:56:44.424Z
Learning: In yii2-extensions/psr-bridge cookie validation logic, a cookie is only considered expired when expire < current time (strictly less than). When expire == current time, the cookie is still valid and validation/hashing should apply. Only cookies with expire < current time should skip validation.

Applied to files:

  • tests/adapter/ServerRequestAdapterTest.php
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: phpunit / PHP 8.3-windows-latest
  • GitHub Check: mutation / PHP 8.3-ubuntu-latest
  • GitHub Check: mutation / PHP 8.3-ubuntu-latest

Labels

bug Something isn't working
