Validate HTTP message inputs and expand Request and Code APIs. #57
Merged
…ControlDirective trait. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…uest. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Validate cookie path and domain attributes on withPath and withDomain.
- Enable Secure automatically when SameSite=None is set.
- Make Max-Age and Expires mutually exclusive (last-write-wins).
- Emit both Max-Age=0 and Expires=epoch when expiring a cookie.
- Drop ConflictingLifetimeAttributes and SameSiteNoneRequiresSecure in favor of auto-coercion.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ADME. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rns. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
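The cookie invariants listed in the commit message above, as an added PHP sketch that is not the project's `Cookie` class. `SketchCookie` and its method names are hypothetical; only the three behaviours (auto-Secure for SameSite=None, last-write-wins lifetime, both attributes on expiry) come from the page.

```php
<?php
declare(strict_types=1);
// Added sketch, not the library's Cookie class; class and method names are hypothetical.
final class SketchCookie
{
    private ?int $maxAge = null;
    private ?DateTimeImmutable $expires = null;
    private bool $secure = false;
    private ?string $sameSite = null;

    public function __construct(private string $name, private string $value) {}

    public function withSameSite(string $mode): self
    {
        $copy = clone $this;
        $copy->sameSite = $mode;
        // Coerce instead of throwing: SameSite=None always carries Secure.
        $copy->secure = $this->secure || strcasecmp($mode, 'None') === 0;
        return $copy;
    }

    public function withMaxAge(int $seconds): self { return $this->lifetime($seconds, null); }
    public function withExpires(DateTimeImmutable $at): self { return $this->lifetime(null, $at); }
    // Expiry is the one case where both lifetime attributes are emitted together.
    public function expire(): self
    {
        $copy = $this->lifetime(0, new DateTimeImmutable('@0'));
        $copy->value = '';
        return $copy;
    }
    // Last write wins: every lifetime change replaces both fields at once.
    private function lifetime(?int $maxAge, ?DateTimeImmutable $expires): self
    {
        $copy = clone $this;
        [$copy->maxAge, $copy->expires] = [$maxAge, $expires];
        return $copy;
    }

    public function toHeaderValue(): string
    {
        $parts = ["{$this->name}={$this->value}"];
        if ($this->maxAge !== null) { $parts[] = "Max-Age={$this->maxAge}"; }
        if ($this->expires !== null) { $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', $this->expires->getTimestamp()) . ' GMT'; }
        if ($this->secure) { $parts[] = 'Secure'; }
        if ($this->sameSite !== null) { $parts[] = "SameSite={$this->sameSite}"; }
        return implode('; ', $parts);
    }
}
// Constructed usage: Expires is set first, then Max-Age overrides it; expire() emits both.
$session = (new SketchCookie('sid', 'abc'))->withSameSite('None')->withExpires(new DateTimeImmutable('+1 day'))->withMaxAge(3600);
echo $session->toHeaderValue(), "\n", $session->expire()->toHeaderValue(), "\n";
```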
Pull request overview
This PR hardens HTTP message construction by validating inputs (base URLs, headers, User-Agent tokens, cookie attributes), expands the outbound Request API with method shortcuts, and extends Code/server response behavior with additional helpers.
Changes:
- Add stricter validation and dedicated exceptions for base URLs, headers, User-Agent tokens, cookie domain/path, and unsupported response body types.
- Expand Client\Request with shortcut factories (get, post, put, patch, delete, head), withHeader, and withQueryParameters, and update request resolution accordingly.
- Enhance HTTP modeling/documentation and add helpers (Method::isSafe/isIdempotent, Code::isInformational/isRedirection/isClientError/isServerError, response reason phrase honoring).
Reviewed changes
Copilot reviewed 68 out of 68 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/Unit/UserAgentTest.php | Adds User-Agent validation test cases (control chars, slash) and happy paths. |
| tests/Unit/Server/ResponseWithCookiesTest.php | Updates expected expired cookie serialization to include Expires epoch. |
| tests/Unit/Server/ResponseTest.php | Updates response behavior tests (reason phrase preservation, unsupported body type). |
| tests/Unit/MethodTest.php | Adds coverage for Method::isSafe() and Method::isIdempotent(). |
| tests/Unit/HttpTest.php | Migrates to new Request shortcuts and adds base URL validation tests. |
| tests/Unit/HttpBuilderTest.php | Migrates to new Request shortcuts and adds withBaseUrl validation tests. |
| tests/Unit/HeadersTest.php | Switches to Headers::fromArray(), adds header name/value validation and with() behavior tests. |
| tests/Unit/CookieTest.php | Updates cookie invariants (SameSite None auto-secure, max-age/expires last-write-wins) and adds domain/path validation tests. |
| tests/Unit/CodeTest.php | Adds unit tests for new Code classification helpers. |
| tests/Unit/Client/Transports/NetworkTransportTest.php | Updates tests to use new Request factories and Headers::fromArray(). |
| tests/Unit/Client/Transports/InMemoryTransportTest.php | Updates tests to use new Request::get() shortcut. |
| tests/Unit/Client/ResponseTest.php | Updates synthesized response header construction to use Headers::fromArray(). |
| tests/Unit/Client/RequestTest.php | Reworks client request tests for Request::for, shortcuts, header/query APIs. |
| src/UserAgent.php | Validates product/version tokens and normalizes optional version (?string). |
| src/Server/Responses.php | Refines interface documentation for response factories. |
| src/Server/Response.php | Adds class-level documentation for server response factory. |
| src/Server/Request.php | Adds class-level documentation for typed server request wrapper. |
| src/Server/Decoded/Uri.php | Adds/expands docs for URI decoding and route scoping behavior. |
| src/Server/Decoded/QueryParameters.php | Adds docs for typed query parameter collection. |
| src/Server/Decoded/DecodedRequest.php | Adds docs for decoded request view. |
| src/SameSite.php | Adds enum documentation for cookie SameSite. |
| src/ResponseCacheDirectives.php | Replaces trait-based directive builder with explicit value object + factories. |
| src/Method.php | Adds RFC 9110 isSafe() / isIdempotent() helpers. |
| src/Internal/Server/Stream/StreamFactory.php | Rejects arbitrary objects as response bodies via BodyTypeIsUnsupported. |
| src/Internal/Server/Response/InternalResponse.php | Persists custom reason phrase across response mutations. |
| src/Internal/Server/Exceptions/SameSiteNoneRequiresSecure.php | Removes exception (behavior now auto-enables Secure). |
| src/Internal/Server/Exceptions/CookiePathIsInvalid.php | Adds dedicated cookie path invariant exception. |
| src/Internal/Server/Exceptions/CookieDomainIsInvalid.php | Adds dedicated cookie domain invariant exception. |
| src/Internal/Server/Exceptions/ConflictingLifetimeAttributes.php | Removes exception (behavior now last-write-wins). |
| src/Internal/Server/Cookies/CookiePath.php | Introduces cookie path value object + validation. |
| src/Internal/Server/Cookies/CookieDomain.php | Introduces cookie domain value object + validation. |
| src/Internal/Server/CacheControl/CacheControlDirective.php | Removes shared directive trait (replaced by explicit modeling). |
| src/Internal/Client/Url.php | Renames/reorders compose args and uses queryParameters naming consistently. |
| src/Internal/Client/RequestResolver.php | Composes URL with new query API and clears query parameters after embedding. |
| src/Internal/Client/BaseUrl.php | Adds base URL value object validation (http/https/empty + no control chars). |
| src/HttpBuilder.php | Validates base URL via BaseUrl and expands builder documentation. |
| src/Http.php | Validates base URL at construction time and expands facade documentation. |
| src/Headers.php | Makes constructor private, adds fromArray() validation and with() mutator. |
| src/Exceptions/UserAgentValueIsInvalid.php | Adds dedicated exception for invalid User-Agent tokens. |
| src/Exceptions/UserAgentProductIsEmpty.php | Adds documentation for empty User-Agent product token exception. |
| src/Exceptions/TransportFailure.php | Adds interface docs for transport failure exceptions. |
| src/Exceptions/SynthesizedResponseHasNoRaw.php | Adds documentation clarifying synthesized response limitation. |
| src/Exceptions/NoMoreResponses.php | Adds documentation for in-memory transport queue exhaustion. |
| src/Exceptions/MalformedPath.php | Adds documentation clarifying malformed path conditions. |
| src/Exceptions/HttpRequestInvalid.php | Adds documentation for transport-level invalid request failures. |
| src/Exceptions/HttpRequestFailed.php | Adds documentation for general PSR-18 client failures. |
| src/Exceptions/HttpNetworkFailed.php | Adds documentation for network-level transport failures. |
| src/Exceptions/HttpException.php | Adds/updates documentation for the library exception contract. |
| src/Exceptions/HttpConfigurationInvalid.php | Adds documentation for builder misconfiguration. |
| src/Exceptions/HeaderValueIsInvalid.php | Adds dedicated exception for invalid header values. |
| src/Exceptions/HeaderNameIsInvalid.php | Adds dedicated exception for invalid header names. |
| src/Exceptions/BodyTypeIsUnsupported.php | Adds dedicated exception for unsupported response body object types. |
| src/Exceptions/BaseUrlIsInvalid.php | Adds dedicated exception for invalid base URL forms. |
| src/Cookie.php | Enforces cookie invariants by construction (auto-secure, last-write-wins, expire emits both). |
| src/ContentType.php | Adds documentation for Content-Type value object. |
| src/Code.php | Adds instance helpers for status code classification and related docs. |
| src/Client/Transports/NetworkTransport.php | Adds transport documentation. |
| src/Client/Transports/InMemoryTransport.php | Adds transport documentation. |
| src/Client/Transport.php | Clarifies interface contract wording. |
| src/Client/Response.php | Defaults headers via Headers::fromArray() and adds documentation. |
| src/Client/Request.php | Adds shortcut factories, new header/query APIs, and documentation. |
| src/Charset.php | Adds enum documentation. |
| src/CacheControl.php | Adds documentation. |
| src/Body.php | Makes JSON decoding explicit/robust and updates documentation. |
| src/Attribute.php | Adds documentation for typed attribute wrapper. |
| README.md | Updates examples and documents new behaviors (reason phrase, cookie invariants, request shortcuts, code/method helpers). |
| phpstan.neon.dist | Adds targeted ignores for new analysis edge cases. |
| composer.json | Updates package metadata/keywords and bumps dev dependency versions. |
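
The input checks summarized in the table above (header names and values, User-Agent tokens, base URLs), as an added PHP sketch that is not the project's code. The function names and the exact rules are assumptions: the token and control-character patterns follow the RFC 9110 grammar, and `InvalidArgumentException` stands in for the library's dedicated exceptions.

```php
<?php
declare(strict_types=1);
// Added sketch; the rules follow RFC 9110 grammar and are assumptions about the library's checks.
const TOKEN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/D'; // D: "$" must not match before a trailing "\n"
const CONTROL = '/[\x00-\x08\x0A-\x1F\x7F]/';        // every control character except HTAB

function assertHeader(string $name, string $value): void
{
    if (preg_match(TOKEN, $name) !== 1) {
        throw new InvalidArgumentException('header name is not an RFC 9110 token');
    }
    if (preg_match(CONTROL, $value) === 1) {
        throw new InvalidArgumentException('header value contains a control character');
    }
}

function userAgent(string $product, ?string $version = null): string
{
    foreach ($version === null ? [$product] : [$product, $version] as $token) {
        if (preg_match(TOKEN, $token) !== 1) { // also rejects "/" and the empty string
            throw new InvalidArgumentException('User-Agent token is invalid');
        }
    }
    return $version === null ? $product : $product . '/' . $version;
}

function assertBaseUrl(string $url): void
{
    if ($url === '') { return; } // an empty base URL is allowed
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $allowed = in_array($scheme, ['http', 'https'], true);
    if (!$allowed || preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        throw new InvalidArgumentException('base URL must be empty or http(s) without control characters');
    }
}

// Constructed inputs, one per rule above.
$cases = [
    'plain header'        => fn () => assertHeader('X-Request-Id', 'abc-123'),
    'CRLF in value'       => fn () => assertHeader('X-Request-Id', "abc\r\nX-Injected: 1"),
    'newline after name'  => fn () => assertHeader("X-Request-Id\n", 'abc'),
    'slash in UA product' => fn () => userAgent('my/app', '1.0'),
    'non-http base URL'   => fn () => assertBaseUrl('ftp://example.test/'),
];
foreach ($cases as $label => $check) {
    try { $check(); $verdict = 'accepted'; } catch (InvalidArgumentException $e) { $verdict = 'rejected: ' . $e->getMessage(); }
    echo "$label => $verdict\n";
}
```

The `D` modifier matters here: without it, PCRE's `$` also matches just before a final newline, so a header name ending in `\n` would pass the token check.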
gustavofreze added a commit that referenced this pull request May 22, 2026
Summary
What this pull request does.
Related issue
Closes #...
Checklist
- composer review passes.
- composer tests passes.