fix(http): properly handle cookies lifecycle (#1416)

innocenzi · web-flow · commit 1089f61c4d72 · 2025-07-22T06:56:48.000+02:00
diff --git a/packages/http/src/Cookie/CookieManager.php b/packages/http/src/Cookie/CookieManager.php
@@ -7,9 +7,11 @@
 use Tempest\Clock\Clock;
 use Tempest\Core\AppConfig;
 use Tempest\DateTime\DateTimeInterface;
+use Tempest\Support\Str;
 
-use function Tempest\Support\str;
-
+/**
+ * Manages cookies that will be sent to the client.
+ */
 final class CookieManager
 {
     /** @var \Tempest\Http\Cookie\Cookie[] */
@@ -31,12 +33,15 @@ public function get(string $key): ?Cookie
         return $this->cookies[$key] ?? null;
     }
 
+    /**
+     * Adds or updates a cookie that will be sent to the client in this request.
+     */
     public function set(string $key, string $value, DateTimeInterface|int|null $expiresAt = null): Cookie
     {
         $cookie = $this->get($key) ?? new Cookie(
             key: $key,
-            secure: str($this->appConfig->baseUri)->startsWith('https'),
             path: '/',
+            secure: Str\starts_with($this->appConfig->baseUri, 'https'),
             httpOnly: true,
             sameSite: SameSite::LAX,
         );
@@ -49,6 +54,9 @@ public function set(string $key, string $value, DateTimeInterface|int|null $expi
         return $cookie;
     }
 
+    /**
+     * Adds a cookie that will be sent to the client in this request.
+     */
     public function add(Cookie $cookie): void
     {
         if ($cookie->expiresAt !== null) {
diff --git a/packages/http/src/Cookie/CookieManagerInitializer.php b/packages/http/src/Cookie/CookieManagerInitializer.php
@@ -15,15 +15,9 @@
     #[Singleton]
     public function initialize(Container $container): CookieManager
     {
-        $cookieManager = new CookieManager(
+        return new CookieManager(
             appConfig: $container->get(AppConfig::class),
             clock: $container->get(Clock::class),
         );
-
-        foreach ($_COOKIE as $key => $value) {
-            $cookieManager->add(new Cookie($key, $value));
-        }
-
-        return $cookieManager;
     }
 }
diff --git a/packages/http/src/Input/StdinInputStream.php b/packages/http/src/Input/StdinInputStream.php
@@ -23,7 +23,7 @@ public function parse(): array
             ->mapWithKeys(function (string $item) {
                 $parts = explode('=', $item, 2);
 
-                $key = $parts[0];
+                $key = urldecode($parts[0]);
 
                 $value = $_POST[str_replace('.', '_', $key)] ?? $parts[1] ?? '';
 
diff --git a/packages/http/src/IsRequest.php b/packages/http/src/IsRequest.php
@@ -42,10 +42,13 @@ trait IsRequest
     private(set) array $files;
 
     #[SkipValidation]
-    public array $cookies {
-        get => get(CookieManager::class)->all();
+    public Session $session {
+        get => get(Session::class);
     }
 
+    #[SkipValidation]
+    public array $cookies = [];
+
     public function __construct(
         Method $method,
         string $uri,
@@ -88,10 +91,7 @@ public function getSessionValue(string $name): mixed
 
     public function getCookie(string $name): ?Cookie
     {
-        /** @var CookieManager $cookies */
-        $cookies = get(CookieManager::class);
-
-        return $cookies->get($name);
+        return $this->cookies[$name] ?? null;
     }
 
     private function resolvePath(): string
diff --git a/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php b/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php
@@ -6,11 +6,13 @@
 
 use Psr\Http\Message\ServerRequestInterface as PsrRequest;
 use Psr\Http\Message\UploadedFileInterface;
+use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\GenericRequest;
 use Tempest\Http\Method;
 use Tempest\Http\RequestHeaders;
 use Tempest\Http\Upload;
 use Tempest\Mapper\Mapper;
+use Tempest\Support\Arr;
 
 use function Tempest\map;
 use function Tempest\Support\arr;
@@ -53,6 +55,7 @@ public function map(mixed $from, mixed $to): GenericRequest
             'path' => $from->getUri()->getPath(),
             'query' => $query,
             'files' => $uploads,
+            'cookies' => Arr\map_iterable($_COOKIE, static fn (string $value, string $key) => new Cookie($key, $value)),
             ...$data,
             ...$uploads,
         ])
diff --git a/packages/http/src/Session/Config/FileSessionConfig.php b/packages/http/src/Session/Config/FileSessionConfig.php
@@ -17,8 +17,6 @@ public function __construct(
         public string $path,
 
         public Duration $expiration,
-
-        public string $sessionIdResolver = CookieSessionIdResolver::class,
     ) {}
 
     public function createManager(Container $container): FileSessionManager
diff --git a/packages/http/src/Session/Resolvers/CookieSessionIdResolver.php b/packages/http/src/Session/Resolvers/CookieSessionIdResolver.php
@@ -10,6 +10,7 @@
 use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\Cookie\CookieManager;
 use Tempest\Http\Cookie\SameSite;
+use Tempest\Http\Request;
 use Tempest\Http\Session\SessionConfig;
 use Tempest\Http\Session\SessionId;
 use Tempest\Http\Session\SessionIdResolver;
@@ -20,6 +21,7 @@
 {
     public function __construct(
         private AppConfig $appConfig,
+        private Request $request,
         private CookieManager $cookies,
         private SessionConfig $sessionConfig,
         private Clock $clock,
@@ -32,7 +34,7 @@ public function resolve(): SessionId
             ->append('_session_id')
             ->toString();
 
-        $id = $this->cookies->get($sessionKey)->value ?? null;
+        $id = $this->request->getCookie($sessionKey)?->value;
 
         if (! $id) {
             $id = (string) Uuid::v4();
diff --git a/packages/http/src/Session/Session.php b/packages/http/src/Session/Session.php
@@ -11,16 +11,20 @@
 
 final class Session
 {
-    public const string VALIDATION_ERRORS = 'validation_errors';
+    public const string VALIDATION_ERRORS = '#validation_errors';
 
-    public const string ORIGINAL_VALUES = 'original_values';
+    public const string ORIGINAL_VALUES = '#original_values';
 
-    public const string PREVIOUS_URL = '_previous_url';
+    public const string PREVIOUS_URL = '#previous_url';
 
-    public const string CSRF_TOKEN_KEY = '_csrf_token';
+    public const string CSRF_TOKEN_KEY = '#csrf_token';
 
     private array $expiredKeys = [];
 
+    private SessionManager $manager {
+        get => get(SessionManager::class);
+    }
+
     /**
      * Session token used for cross-site request forgery protection.
      */
@@ -43,17 +47,23 @@ public function __construct(
 
     public function set(string $key, mixed $value): void
     {
-        $this->getSessionManager()->set($this->id, $key, $value);
+        $this->manager->set($this->id, $key, $value);
     }
 
+    /**
+     * Stores a value in the session that will be available for the next request only.
+     */
     public function flash(string $key, mixed $value): void
     {
-        $this->getSessionManager()->set($this->id, $key, new FlashValue($value));
+        $this->manager->set($this->id, $key, new FlashValue($value));
     }
 
+    /**
+     * Reflashes all flash values in the session, making them available for the next request.
+     */
     public function reflash(): void
     {
-        foreach ($this->getSessionManager()->all($this->id) as $key => $value) {
+        foreach ($this->manager->all($this->id) as $key => $value) {
             if (! ($value instanceof FlashValue))
                 continue;
 
@@ -63,7 +73,7 @@ public function reflash(): void
 
     public function get(string $key, mixed $default = null): mixed
     {
-        $value = $this->getSessionManager()->get($this->id, $key, $default);
+        $value = $this->manager->get($this->id, $key, $default);
 
         if ($value instanceof FlashValue) {
             $this->expiredKeys[$key] = $key;
@@ -75,14 +85,17 @@ public function get(string $key, mixed $default = null): mixed
 
     public function getPreviousUrl(): string
     {
-        return $this->get(self::PREVIOUS_URL, '');
+        return $this->get(self::PREVIOUS_URL, default: '');
     }
 
     public function setPreviousUrl(string $url): void
     {
         $this->set(self::PREVIOUS_URL, $url);
     }
 
+    /**
+     * Retrieves the value for the given key and removes it from the session.
+     */
     public function consume(string $key, mixed $default = null): mixed
     {
         $value = $this->get($key, $default);
@@ -94,33 +107,28 @@ public function consume(string $key, mixed $default = null): mixed
 
     public function all(): array
     {
-        return $this->getSessionManager()->all($this->id);
+        return $this->manager->all($this->id);
     }
 
     public function remove(string $key): void
     {
-        $this->getSessionManager()->remove($this->id, $key);
+        $this->manager->remove($this->id, $key);
     }
 
     public function destroy(): void
     {
-        $this->getSessionManager()->destroy($this->id);
+        $this->manager->destroy($this->id);
     }
 
     public function isValid(): bool
     {
-        return $this->getSessionManager()->isValid($this->id);
+        return $this->manager->isValid($this->id);
     }
 
     public function cleanup(): void
     {
         foreach ($this->expiredKeys as $key) {
-            $this->getSessionManager()->remove($this->id, $key);
+            $this->manager->remove($this->id, $key);
         }
     }
-
-    private function getSessionManager(): SessionManager
-    {
-        return get(SessionManager::class);
-    }
 }
diff --git a/packages/http/src/Session/SessionConfig.php b/packages/http/src/Session/SessionConfig.php
@@ -15,14 +15,5 @@ interface SessionConfig
         get;
     }
 
-    /**
-     * Class responsible for resolving the session identifier.
-     *
-     * @var class-string<SessionIdResolver>
-     */
-    public string $sessionIdResolver {
-        get;
-    }
-
     public function createManager(Container $container): SessionManager;
 }
diff --git a/packages/http/src/Session/SessionIdResolverInitializer.php b/packages/http/src/Session/SessionIdResolverInitializer.php
@@ -4,16 +4,25 @@
 
 namespace Tempest\Http\Session;
 
+use Tempest\Clock\Clock;
 use Tempest\Container\Container;
 use Tempest\Container\Initializer;
+use Tempest\Core\AppConfig;
+use Tempest\Http\Cookie\CookieManager;
+use Tempest\Http\Request;
+use Tempest\Http\Session\Resolvers\CookieSessionIdResolver;
 use Tempest\Http\Session\SessionConfig;
 
 final readonly class SessionIdResolverInitializer implements Initializer
 {
     public function initialize(Container $container): SessionIdResolver
     {
-        $config = $container->get(SessionConfig::class);
-
-        return $container->get($config->sessionIdResolver);
+        return new CookieSessionIdResolver(
+            appConfig: $container->get(AppConfig::class),
+            request: $container->get(Request::class),
+            cookies: $container->get(CookieManager::class),
+            sessionConfig: $container->get(SessionConfig::class),
+            clock: $container->get(Clock::class),
+        );
     }
 }
diff --git a/packages/http/src/Session/VerifyCsrfMiddleware.php b/packages/http/src/Session/VerifyCsrfMiddleware.php
@@ -15,6 +15,7 @@
 use Tempest\Http\Session\Session;
 use Tempest\Router\HttpMiddleware;
 use Tempest\Router\HttpMiddlewareCallable;
+use Tempest\Support\Str;
 
 #[Priority(Priority::FRAMEWORK)]
 final readonly class VerifyCsrfMiddleware implements HttpMiddleware
@@ -37,7 +38,7 @@ public function __invoke(Request $request, HttpMiddlewareCallable $next): Respon
             value: $this->session->token,
             expiresAt: $this->clock->now()->plus($this->sessionConfig->expiration),
             path: '/',
-            secure: true,
+            secure: Str\starts_with($this->appConfig->baseUri, 'https'),
         ));
 
         if ($this->shouldSkipCheck($request)) {
diff --git a/packages/router/src/GenericResponseSender.php b/packages/router/src/GenericResponseSender.php
@@ -53,7 +53,7 @@ private function sendHeaders(Response $response): void
         }
 
         foreach ($this->resolveHeaders($response) as $header) {
-            header($header);
+            header($header, replace: false);
         }
 
         http_response_code($response->status->value);
diff --git a/packages/router/src/SetCookieMiddleware.php b/packages/router/src/SetCookieMiddleware.php
@@ -9,6 +9,9 @@
 use Tempest\Http\Request;
 use Tempest\Http\Response;
 
+/**
+ * Adds the `Set-Cookie` headers to the response based on the cookie manager.
+ */
 #[Priority(Priority::FRAMEWORK)]
 final readonly class SetCookieMiddleware implements HttpMiddleware
 {
diff --git a/tests/Integration/Http/CookieManagerTest.php b/tests/Integration/Http/CookieManagerTest.php
@@ -15,13 +15,13 @@
  */
 final class CookieManagerTest extends FrameworkIntegrationTestCase
 {
-    public function test_existing_cookies(): void
+    public function test_cookie_manager_does_not_get_initialized_with_request_cookies(): void
     {
         $_COOKIE['existing'] = 'value';
 
         $cookies = $this->container->get(CookieManager::class);
 
-        $this->assertEquals('value', $cookies->get('existing')->value);
+        $this->assertNull($cookies->get('existing'));
     }
 
     public function test_creating_a_cookie(): void
diff --git a/tests/Integration/Http/CsrfTest.php b/tests/Integration/Http/CsrfTest.php
@@ -106,7 +106,7 @@ public function test_csrf_component(): void
         HTML);
 
         $this->assertSame(
-            '<input type="hidden" name="_csrf_token" value="test">',
+            '<input type="hidden" name="#csrf_token" value="test">',
             $rendered,
         );
     }
diff --git a/tests/Integration/Http/SessionFromCookieTest.php b/tests/Integration/Http/SessionFromCookieTest.php
@@ -22,7 +22,6 @@ public function test_resolving_session_from_cookie(): void
         $this->container->config(new FileSessionConfig(
             path: 'test_sessions',
             expiration: Duration::hours(2),
-            sessionIdResolver: CookieSessionIdResolver::class,
         ));
 
         $cookieManager = $this->container->get(CookieManager::class);
diff --git a/tests/Integration/Http/SessionFromHeaderTest.php b/tests/Integration/Http/SessionFromHeaderTest.php
@@ -23,7 +23,6 @@ public function test_resolving_session_from_header(): void
         $this->container->config(new FileSessionConfig(
             path: 'test_sessions',
             expiration: Duration::hours(2),
-            sessionIdResolver: HeaderSessionIdResolver::class,
         ));
 
         $this->setSessionId('session_a');
diff --git a/tests/Integration/Mapper/PsrRequestToRequestMapperTest.php b/tests/Integration/Mapper/PsrRequestToRequestMapperTest.php

Original file line number	Diff line number	Diff line change
`@@ -15,15 +15,9 @@`
`15`	`15`	`#[Singleton]`
`16`	`16`	`public function initialize(Container $container): CookieManager`
`17`	`17`	`{`
`18`		`- $cookieManager = new CookieManager(`
	`18`	`+ return new CookieManager(`
`19`	`19`	`appConfig: $container->get(AppConfig::class),`
`20`	`20`	`clock: $container->get(Clock::class),`
`21`	`21`	`);`
`22`		`-`
`23`		`- foreach ($_COOKIE as $key => $value) {`
`24`		`- $cookieManager->add(new Cookie($key, $value));`
`25`		`- }`
`26`		`-`
`27`		`- return $cookieManager;`
`28`	`22`	`}`
`29`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,16 +11,20 @@`
`11`	`11`
`12`	`12`	`final class Session`
`13`	`13`	`{`
`14`		`- public const string VALIDATION_ERRORS = 'validation_errors';`
	`14`	`+ public const string VALIDATION_ERRORS = '#validation_errors';`
`15`	`15`
`16`		`- public const string ORIGINAL_VALUES = 'original_values';`
	`16`	`+ public const string ORIGINAL_VALUES = '#original_values';`
`17`	`17`
`18`		`- public const string PREVIOUS_URL = '_previous_url';`
	`18`	`+ public const string PREVIOUS_URL = '#previous_url';`
`19`	`19`
`20`		`- public const string CSRF_TOKEN_KEY = '_csrf_token';`
	`20`	`+ public const string CSRF_TOKEN_KEY = '#csrf_token';`
`21`	`21`
`22`	`22`	`private array $expiredKeys = [];`
`23`	`23`
	`24`	`+ private SessionManager $manager {`
	`25`	`+ get => get(SessionManager::class);`
	`26`	`+ }`
	`27`	`+`
`24`	`28`	`/**`
`25`	`29`	`* Session token used for cross-site request forgery protection.`
`26`	`30`	`*/`
`@@ -43,17 +47,23 @@ public function __construct(`
`43`	`47`
`44`	`48`	`public function set(string $key, mixed $value): void`
`45`	`49`	`{`
`46`		`- $this->getSessionManager()->set($this->id, $key, $value);`
	`50`	`+ $this->manager->set($this->id, $key, $value);`
`47`	`51`	`}`
`48`	`52`
	`53`	`+ /**`
	`54`	`+ * Stores a value in the session that will be available for the next request only.`
	`55`	`+ */`
`49`	`56`	`public function flash(string $key, mixed $value): void`
`50`	`57`	`{`
`51`		`- $this->getSessionManager()->set($this->id, $key, new FlashValue($value));`
	`58`	`+ $this->manager->set($this->id, $key, new FlashValue($value));`
`52`	`59`	`}`
`53`	`60`
	`61`	`+ /**`
	`62`	`+ * Reflashes all flash values in the session, making them available for the next request.`
	`63`	`+ */`
`54`	`64`	`public function reflash(): void`
`55`	`65`	`{`
`56`		`- foreach ($this->getSessionManager()->all($this->id) as $key => $value) {`
	`66`	`+ foreach ($this->manager->all($this->id) as $key => $value) {`
`57`	`67`	`if (! ($value instanceof FlashValue))`
`58`	`68`	`continue;`
`59`	`69`
`@@ -63,7 +73,7 @@ public function reflash(): void`
`63`	`73`
`64`	`74`	`public function get(string $key, mixed $default = null): mixed`
`65`	`75`	`{`
`66`		`- $value = $this->getSessionManager()->get($this->id, $key, $default);`
	`76`	`+ $value = $this->manager->get($this->id, $key, $default);`
`67`	`77`
`68`	`78`	`if ($value instanceof FlashValue) {`
`69`	`79`	`$this->expiredKeys[$key] = $key;`
`@@ -75,14 +85,17 @@ public function get(string $key, mixed $default = null): mixed`
`75`	`85`
`76`	`86`	`public function getPreviousUrl(): string`
`77`	`87`	`{`
`78`		`- return $this->get(self::PREVIOUS_URL, '');`
	`88`	`+ return $this->get(self::PREVIOUS_URL, default: '');`
`79`	`89`	`}`
`80`	`90`
`81`	`91`	`public function setPreviousUrl(string $url): void`
`82`	`92`	`{`
`83`	`93`	`$this->set(self::PREVIOUS_URL, $url);`
`84`	`94`	`}`
`85`	`95`
	`96`	`+ /**`
	`97`	`+ * Retrieves the value for the given key and removes it from the session.`
	`98`	`+ */`
`86`	`99`	`public function consume(string $key, mixed $default = null): mixed`
`87`	`100`	`{`
`88`	`101`	`$value = $this->get($key, $default);`
`@@ -94,33 +107,28 @@ public function consume(string $key, mixed $default = null): mixed`
`94`	`107`
`95`	`108`	`public function all(): array`
`96`	`109`	`{`
`97`		`- return $this->getSessionManager()->all($this->id);`
	`110`	`+ return $this->manager->all($this->id);`
`98`	`111`	`}`
`99`	`112`
`100`	`113`	`public function remove(string $key): void`
`101`	`114`	`{`
`102`		`- $this->getSessionManager()->remove($this->id, $key);`
	`115`	`+ $this->manager->remove($this->id, $key);`
`103`	`116`	`}`
`104`	`117`
`105`	`118`	`public function destroy(): void`
`106`	`119`	`{`
`107`		`- $this->getSessionManager()->destroy($this->id);`
	`120`	`+ $this->manager->destroy($this->id);`
`108`	`121`	`}`
`109`	`122`
`110`	`123`	`public function isValid(): bool`
`111`	`124`	`{`
`112`		`- return $this->getSessionManager()->isValid($this->id);`
	`125`	`+ return $this->manager->isValid($this->id);`
`113`	`126`	`}`
`114`	`127`
`115`	`128`	`public function cleanup(): void`
`116`	`129`	`{`
`117`	`130`	`foreach ($this->expiredKeys as $key) {`
`118`		`- $this->getSessionManager()->remove($this->id, $key);`
	`131`	`+ $this->manager->remove($this->id, $key);`
`119`	`132`	`}`
`120`	`133`	`}`
`121`		`-`
`122`		`- private function getSessionManager(): SessionManager`
`123`		`- {`
`124`		`- return get(SessionManager::class);`
`125`		`- }`
`126`	`134`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,14 +15,5 @@ interface SessionConfig`
`15`	`15`	`get;`
`16`	`16`	`}`
`17`	`17`
`18`		`- /**`
`19`		`- * Class responsible for resolving the session identifier.`
`20`		`- *`
`21`		`- * @var class-string<SessionIdResolver>`
`22`		`- */`
`23`		`- public string $sessionIdResolver {`
`24`		`- get;`
`25`		`- }`
`26`		`-`
`27`	`18`	`public function createManager(Container $container): SessionManager;`
`28`	`19`	`}`