From 9429abbf7e39e86aea6ff4fefe0e04ee1c11cae8 Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney
Date: Mon, 27 Jun 2022 12:13:24 -0500
Subject: [PATCH] refactor: initialize properties in constructor, not named constructors
Adds `$trustedProxies` and `$trustedHeaders` as optional array arguments to the constructor; `trustedProxies()` now passes those.
Signed-off-by: Matthew Weier O'Phinney
---
 .../FilterUsingXForwardedHeaders.php | 116 +++++++++---------
 1 file changed, 58 insertions(+), 58 deletions(-)
diff --git a/src/ServerRequestFilter/FilterUsingXForwardedHeaders.php b/src/ServerRequestFilter/FilterUsingXForwardedHeaders.php
index 37738c6c..c23ecdd9 100644
--- a/src/ServerRequestFilter/FilterUsingXForwardedHeaders.php
+++ b/src/ServerRequestFilter/FilterUsingXForwardedHeaders.php
@@ -33,62 +33,20 @@ final class FilterUsingXForwardedHeaders implements FilterServerRequestInterface
 /**
 * @var list
 */
- private $trustedHeaders = [];
+ private $trustedHeaders;
 /** @var list */
- private $trustedProxies = [];
+ private $trustedProxies;
 /**
- * Do not trust any proxies, nor any X-FORWARDED-* headers.
- *
- * This is functionally equivalent to calling `trustProxies([], [])`.
- */
- public static function trustNone(): self
- {
- return new self();
- }
-
- /**
- * Trust any X-FORWARDED-* headers from any address.
- *
- * This is functionally equivalent to calling `trustProxies(['*'])`.
- *
- * WARNING: Only do this if you know for certain that your application
- * sits behind a trusted proxy that cannot be spoofed. This should only
- * be the case if your server is not publicly addressable, and all requests
- * are routed via a reverse proxy (e.g., a load balancer, a server such as
- * Caddy, when using Traefik, etc.).
- */
- public static function trustAny(): self
- {
- return self::trustProxies(['*']);
- }
-
- /**
- * Indicate which proxies and which X-Forwarded headers to trust.
- *
- * @param list $proxyCIDRList Each element may
- * be an IP address or a subnet specified using CIDR notation; both IPv4
- * and IPv6 are supported. The special string "*" will be translated to
- * two entries, "0.0.0.0/0" and "::/0". An empty list indicates no
- * proxies are trusted.
- * @param list $trustedHeaders If
- * the list is empty, all X-Forwarded headers are trusted.
- * @throws InvalidProxyAddressException
- * @throws InvalidForwardedHeaderNameException
+ * Only allow construction via named constructors
 */
- public static function trustProxies(
- array $proxyCIDRList,
- array $trustedHeaders = self::X_FORWARDED_HEADERS
- ): self {
- $proxyCIDRList = self::normalizeProxiesList($proxyCIDRList);
- self::validateTrustedHeaders($trustedHeaders);
-
- $filter = new self();
- $filter->trustedProxies = $proxyCIDRList;
- $filter->trustedHeaders = $trustedHeaders;
-
- return $filter;
+ private function __construct(
+ array $trustedProxies = [],
+ array $trustedHeaders = []
+ ) {
+ $this->trustedProxies = $trustedProxies;
+ $this->trustedHeaders = $trustedHeaders;
 }
 public function __invoke(ServerRequestInterface $request): ServerRequestInterface
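Review bot: The private constructor's docblock still reads only `Only allow construction via named constructors`, although the constructor now accepts `$trustedProxies` and `$trustedHeaders` and stores them with no check of its own. Normalization and validation happen only in `trustProxies()` (shown later in this patch), so a named constructor added in future that passes a raw list would skip both, and a `*` entry would presumably never be expanded into the two CIDR ranges. I would extend the docblock with `@param` lines for both arguments, stating that the proxy list must already be normalized and the header names already validated, and that the `[]` defaults mean nothing is trusted. The bodies of `normalizeProxiesList()` and `validateTrustedHeaders()` are outside this hunk, so what they guarantee is inferred from their names.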
@@ -136,6 +94,55 @@ public function __invoke(ServerRequestInterface $request): ServerRequestInterfac
 return $request;
 }
+ /**
+ * Do not trust any proxies, nor any X-FORWARDED-* headers.
+ *
+ * This is functionally equivalent to calling `trustProxies([], [])`.
+ */
+ public static function trustNone(): self
+ {
+ return new self();
+ }
+
+ /**
+ * Trust any X-FORWARDED-* headers from any address.
+ *
+ * This is functionally equivalent to calling `trustProxies(['*'])`.
+ *
+ * WARNING: Only do this if you know for certain that your application
+ * sits behind a trusted proxy that cannot be spoofed. This should only
+ * be the case if your server is not publicly addressable, and all requests
+ * are routed via a reverse proxy (e.g., a load balancer, a server such as
+ * Caddy, when using Traefik, etc.).
+ */
+ public static function trustAny(): self
+ {
+ return self::trustProxies(['*']);
+ }
+
+ /**
+ * Indicate which proxies and which X-Forwarded headers to trust.
+ *
+ * @param list $proxyCIDRList Each element may
+ * be an IP address or a subnet specified using CIDR notation; both IPv4
+ * and IPv6 are supported. The special string "*" will be translated to
+ * two entries, "0.0.0.0/0" and "::/0". An empty list indicates no
+ * proxies are trusted.
+ * @param list $trustedHeaders If
+ * the list is empty, all X-Forwarded headers are trusted.
+ * @throws InvalidProxyAddressException
+ * @throws InvalidForwardedHeaderNameException
+ */
+ public static function trustProxies(
+ array $proxyCIDRList,
+ array $trustedHeaders = self::X_FORWARDED_HEADERS
+ ): self {
+ $proxyCIDRList = self::normalizeProxiesList($proxyCIDRList);
+ self::validateTrustedHeaders($trustedHeaders);
+
+ return new self($proxyCIDRList, $trustedHeaders);
+ }
+
 private function isFromTrustedProxy(string $remoteAddress): bool
 {
 foreach ($this->trustedProxies as $proxy) {
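Review bot: The `trustProxies()` docblock says of `$trustedHeaders` that `If the list is empty, all X-Forwarded headers are trusted`, while the `trustNone()` docblock just above describes trusting nothing as equivalent to `trustProxies([], [])`; both statements cannot hold for an empty list. The `__invoke()` body that consumes the list lies outside this hunk, so the actual behaviour cannot be confirmed here, but the `self::X_FORWARDED_HEADERS` default suggests the intent is "omitted means all, empty means none". If that is right, the description should read `Defaults to all X-Forwarded headers when omitted; an empty list trusts none.` A wrong expectation in either direction changes which client-supplied forwarding headers the filter honours, so the wording is worth settling while the block is being moved.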
@@ -224,11 +231,4 @@ private static function validateProxyCIDR($cidr): bool
 )
 );
 }
-
- /**
- * Only allow construction via named constructors
- */
- private function __construct()
- {
- }
 }