Merge pull request #36 from utopia-php/clo-3704-duplicate-changes-to-swoole-due-to-overwrite

chore: duplicate changes from http to swoole

Author: loks0n

composer.json

@@ -15,7 +15,7 @@
     "require": {
         "php": ">=8.0",
         "ext-swoole": "*",
-        "utopia-php/framework": "0.33.*"
+        "utopia-php/framework": "0.33.35"
     },
     "require-dev": {
         "phpunit/phpunit": "^9.3",

composer.lock

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
     php:
         image: swoole-dev

docker-compose.yml

@@ -14,6 +14,13 @@ class Request extends UtopiaRequest
      */
     protected SwooleRequest $swoole;
 
+    /**
+     * List of trusted proxy header names to check for client IP address
+     *
+     * @var array<string>
+     */
+    protected array $trustedIpHeaders = [];
+
     /**
      * Request constructor.
      */
@@ -64,18 +71,55 @@ public function setServer(string $key, string $value): static
         return $this;
     }
 
+    /**
+     * Set trusted ip headers
+     *
+     * WARNING: Only set these headers if your application is behind a trusted proxy.
+     * Trusting these headers when accepting direct client connections is a security risk.
+     *
+     * @param array<string> $headers List of header names to trust (e.g., ['x-forwarded-for', 'x-real-ip'])
+     * @return static
+     */
+    public function setTrustedIpHeaders(array $headers): static
+    {
+        $normalized = array_map('strtolower', $headers);
+        $trimmed = array_map('trim', $normalized);
+        $this->trustedIpHeaders = array_filter($trimmed);
+
+        return $this;
+    }
+
     /**
      * Get IP
      *
-     * Returns users IP address.
-     * Support HTTP_X_FORWARDED_FOR header usually return
-     *  from different proxy servers or PHP default REMOTE_ADDR
+     * Extracts the client's IP address from trusted headers or falls back to the remote address.
+     * Prioritizes headers like X-Forwarded-For when behind proxies or load balancers,
+     * defaulting to REMOTE_ADDR when trusted headers are unavailable.
+     *
+     * @return string The validated client IP address or '0.0.0.0' if unavailable
      */
     public function getIP(): string
     {
-        $ips = explode(',', $this->getHeader('x-forwarded-for', $this->getServer('remote_addr') ?? '0.0.0.0'));
+        $remoteAddr = $this->getServer('REMOTE_ADDR') ?? '0.0.0.0';
+
+        foreach ($this->trustedIpHeaders as $header) {
+            $headerValue = $this->getHeader($header);
+
+            if (empty($headerValue)) {
+                continue;
+            }
+
+            // Leftmost IP address is the address of the originating client
+            $ips = explode(',', $headerValue);
+            $ip = trim($ips[0]);
+
+            // Validate IP format (supports both IPv4 and IPv6)
+            if (filter_var($ip, FILTER_VALIDATE_IP)) {
+                return $ip;
+            }
+        }
 
-        return trim($ips[0] ?? '');
+        return $remoteAddr;
     }
 
     /**

src/Swoole/Request.php

@@ -71,8 +71,8 @@
     ->inject('request')
     ->inject('response')
     ->action(function (Request $request, Response $response) {
-        $response->addHeader('Set-Cookie', 'key1=value1');
-        $response->addHeader('Set-Cookie', 'key2=value2');
+        $response->addHeader('Set-Cookie', 'key1=value1', override: false);
+        $response->addHeader('Set-Cookie', 'key2=value2', override: false);
         $response->send('OK');
     });