feat: allow to pass list of headers to getIp

[levivannoort]

Summary by CodeRabbit

• Bug Fixes
  • Improved IP address detection with enhanced proxy header validation
  • Added IP format verification (IPv4/IPv6) to ensure reliable address extraction
  • Strengthened fallback behavior when IP address detection fails

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The pull request introduces IP validation to the getIP() method in src/Request.php. A new protected property $trustedIpHeaders (initialized as ['x-forwarded-for']) stores trusted proxy header names. The updated getIP() method now iterates through these headers, extracts the leftmost IP address from each header value, validates the IP format (IPv4/IPv6), and returns the first valid IP found. If no valid IP is discovered, the method falls back to REMOTE_ADDR. The method's documentation has been updated to reflect this new behavior and specify that it returns a validated IP or '0.0.0.0' if unavailable.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• IP validation logic for both IPv4 and IPv6 formats — verify implementation correctness
• Leftmost IP extraction mechanism from comma-separated header values — ensure proper parsing
• Fallback behavior to REMOTE_ADDR — confirm it triggers only when no valid IPs are found
• Security implications of proxy header handling — validate that trusted header iteration doesn't introduce vulnerabilities
• Edge cases such as malformed header values, empty headers, or mixed valid/invalid IPs

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: allow to pass list of headers to getIp' clearly and specifically describes the main feature added: enabling users to configure trusted IP headers for the getIp() method.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[levivannoort]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 76def92 and 71caddb.

📒 Files selected for processing (1)

• src/Request.php (2 hunks)

🔇 Additional comments (1)

src/Request.php (1)

180-195: IP extraction and validation logic is correct.

The implementation correctly:

• Iterates through trusted headers
• Extracts the leftmost IP from comma-separated proxy chains (the originating client IP)
• Validates IP format for both IPv4 and IPv6 using filter_var
• Returns the first valid IP found

This logic is sound, but its security depends entirely on only trusting headers when requests actually come from trusted proxies (see earlier comment on lines 56-61).