utopia-php/framework was the old name for utopia-php/http. Replacing it
with utopia-php/http 0.34.19 which fixes getCookie() to use Swoole's
native cookie store (populated via php_raw_url_decode) instead of
re-parsing the raw Cookie header without URL-decoding.
This fixes a production auth bug where Swoole's setcookie() URL-encodes
base64 session values (+ → %2B, / → %2F, = → %3D) in Set-Cookie headers.
RFC 6265 clients (Dart, Swift) reflect these verbatim; the old getCookie()
returned %2B/%2F/%3D to base64_decode() which produced corrupted output,
rejecting valid sessions.
Also updates the e2e test client to use cURL's built-in RFC 6265 cookie
engine (CURLOPT_COOKIEFILE) instead of parse_str() which silently
URL-decoded values, masking the bug in tests. Adds a cookie roundtrip
assertion to testCreateAccountSession.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parse_str() URL-decodes cookie values, causing the test client to behave
differently from real clients (Dart, Swift) which store values verbatim
per RFC 6265. This masked a production bug where base64 session values
containing %3D%3D would fail to decode on real devices.
Replaces the manual Set-Cookie header parsing with cURL's built-in cookie
engine (CURLOPT_COOKIEFILE='') and reads cookies via CURLINFO_COOKIELIST,
which stores and returns values verbatim without any decoding.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds testEmailPasswordSessionNotCorruptedByConcurrentRequests which
reproduces the cross-worker Redis cache race that caused 401s after
login. The test fires a login request, waits for it to reach the cache
purge point, then injects concurrent GET /v1/account requests that
re-cache a stale user document. Verifies the new session is immediately
usable.
Fails against the old ordering (purge before create), passes with the
fix (create before purge).
Resolve merge conflicts in app/init/resources.php and app/worker.php
caused by the DI container migration (Http::setResource/Server::setResource
to $container->set). Port separate-pool shared tables logic for
getDatabasesDB to the new file locations (request.php and message.php)
with the correct $databaseDSN->getParam('namespace') fix.
- Bump utopia-php/database from 5.3.17 to 5.3.19
- Remove invalid (int) cast on tenant sequence in shared tables mode
- Fix DSN construction for documentsdb/vectorsdb: filter empty strings
from explode(), skip pool filtering when shared tables env vars unset,
fail fast when no pool found
- Use dedicated mode for separate database pools in getDatabasesDB
since shared tables can't work across engines (PostgreSQL integer
_tenant vs MongoDB UUID tenant). Auto-init schema on first use.
- Add documentsdb/vectorsdb shared tables env vars to CI workflow
- Fix testChannelTablesDBRowUpdate race condition with deterministic
event drain loop
- Add getDatabaseResourceType() helper to map database types to resource constants
- Use database-specific resourceType for CSV/JSON import/export instead of hardcoded TYPE_DATABASE
- Skip attribute validation for schemaless databases (DocumentsDB/VectorsDB) in exports
- Parse JSON export queries in migration worker
- Restore MigrationsBase from 1.9.x and append VectorsDB/DocumentsDB E2E tests
loks0n
Matej Bačo
Matej Bačo
Parth Bhardwaj
premtsd-code
Chirag Aggarwal