Merged
28 changes: 23 additions & 5 deletions src/Client.php
Expand Up @@ -142,7 +142,9 @@ public function __construct(
int $port,
string $user,
string $password,
bool $useCoroutine = false
bool $useCoroutine = false,
bool $tls = false,
array $tlsOptions = []
) {
if (empty($database)) {
throw new \InvalidArgumentException('Database name cannot be empty');
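Review bot: The new `bool $tls = false` and `array $tlsOptions = []` parameters in the constructor signature arrive without any docblock change in this diff, so nothing in the code tells a caller which keys `$tlsOptions` accepts or that the connection stays plaintext unless TLS is requested. Add `@param` entries for both, naming the expected keys (the later hunk mentions ssl_verify_peer, ssl_cafile and ssl_host_name). `$tls` is also a second positional boolean directly after `$useCoroutine`, which makes a call ending in `true, false` easy to misread; the docblock could recommend named arguments where the supported PHP version allows them.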
Expand Down Expand Up @@ -177,18 +179,34 @@ public function __construct(
}
}

$flags = SWOOLE_SOCK_TCP | SWOOLE_KEEP;
if ($tls) {
$flags |= SWOOLE_SSL;
}

$this->client = $useCoroutine
? new CoroutineClient(SWOOLE_SOCK_TCP | SWOOLE_KEEP)
: new SwooleClient(SWOOLE_SOCK_TCP | SWOOLE_KEEP);
? new CoroutineClient($flags)
: new SwooleClient($flags);
Comment on lines +182 to +189

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Files that may declare/runtime-document Swoole requirements =="
fd -HI 'composer\.json|README\.md|Dockerfile|docker-compose.*|\.tool-versions|\.github/workflows/.*'

echo
echo "== References to Swoole/OpenSwoole/SSL support in the repo =="
rg -n -C2 'swoole|openswoole|SWOOLE_SSL|openssl' .

Repository: utopia-php/mongo

Length of output: 5794


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== composer.json: Swoole/extension requirements =="
rg -n --no-heading 'swoole|ext-swoole|openssl|ssl|tls|SWOOLE_SSL' composer.json || true

echo
echo "== README.md: TLS/SSL/Swoole notes =="
rg -n --no-heading 'tls|ssl|openssl|SWOOLE_SSL|swoole' README.md || true

echo
echo "== src: TLS option usage around $tls in Client.php =="
rg -n -C3 'function __construct|\\$tls\\b|tls\\b|SWOOLE_SSL|CoroutineClient|SwooleClient' src/Client.php

Repository: utopia-php/mongo

Length of output: 421


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== composer.json: Swoole/extension requirements =="
rg -n --no-heading 'ext-swoole|swoole\/|swoole|openssl|ssl|tls|SWOOLE_SSL' composer.json || true

echo
echo "== README.md: TLS/SSL/Swoole notes =="
rg -n --no-heading 'tls|ssl|openssl|SWOOLE_SSL|swoole' README.md || true

echo
echo "== src/Client.php: $tls handling around lines ~181 =="
sed -n '150,230p' src/Client.php

echo
echo "== src/Client.php: where $tls is defined =="
rg -n '(\$tls\b|function __construct|__construct\(|public function|private function)' src/Client.php

Repository: utopia-php/mongo

Length of output: 517


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== composer.json: Swoole/extension requirements =="
rg -n --no-heading 'ext-swoole|swoole/|openssl|ssl|tls|SWOOLE_SSL' composer.json || true

echo
echo "== README.md: TLS/SSL/Swoole notes =="
rg -n --no-heading 'tls|ssl|openssl|SWOOLE_SSL|swoole' README.md || true

echo
echo "== src/Client.php: TLS option usage around lines ~181 =="
sed -n '150,230p' src/Client.php

echo
echo "== src/Client.php: where TLS ($tls) is defined/used =="
rg -n '(\$tls\b|__construct\(|new CoroutineClient|new SwooleClient|SWOOLE_SSL)' src/Client.php

Repository: utopia-php/mongo

Length of output: 3233


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== composer.json: check for ext-swoole/swoole/tls requirements =="
cat composer.json

echo
echo "== src/Client.php: all tls occurrences =="
rg -n '\btls\b|SWOOLE_SSL|ssl_verify_peer|ssl_allow_self_signed' src/Client.php

echo
echo "== src/Client.php: constructor signature/docs =="
rg -n 'function __construct|__construct\(|public function __construct' src/Client.php
sed -n '1,140p' src/Client.php

echo
echo "== repo-wide: tls/ssl/swoole ssl build requirements mentions =="
rg -n --no-heading '\b(ext-swoole|ext_swoole|swoole|SWOOLE_SSL|ssl_verify_peer|ssl_allow_self_signed|tls)\b' README.md src .github workflows Dockerfile docker-compose.yml composer.json || true

Repository: utopia-php/mongo

Length of output: 6483


🏁 Script executed:

#!/bin/bash
set -euo pipefail
sed -n '120,210p' src/Client.php

Repository: utopia-php/mongo

Length of output: 2895


Harden $tls handling when Swoole is not built with SSL

When $tls is true, src/Client.php unconditionally uses SWOOLE_SSL ($flags |= SWOOLE_SSL), but the repo doesn’t declare or document an SSL-enabled Swoole/OpenSwoole build requirement (only swoole/ide-helper is present in require-dev, and README.md has no TLS/SSL requirement). Add a guard (e.g., defined('SWOOLE_SSL') with a descriptive exception) or explicitly enforce/document the “Swoole built with SSL” requirement.

$flags = SWOOLE_SOCK_TCP | SWOOLE_KEEP;
if ($tls) {
    $flags |= SWOOLE_SSL;
}

$this->client = $useCoroutine
    ? new CoroutineClient($flags)
    : new SwooleClient($flags);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/Client.php` around lines 181 - 188, The code sets SWOOLE_SSL when $tls is
true without checking if that constant exists; update the logic in Client.php
around $flags, $tls, and the client construction (the block manipulating $flags
and creating CoroutineClient / SwooleClient) to first check
defined('SWOOLE_SSL') before OR-ing SWOOLE_SSL, and if $tls is true but
SWOOLE_SSL is not defined throw a clear descriptive exception (or otherwise
surface a configuration error) indicating "Swoole must be built with SSL to
enable TLS", so consumers get a clear failure instead of undefined constant
behavior.


// Set socket options to prevent hanging
$this->client->set([
$options = [
'open_tcp_keepalive' => true,
'tcp_keepidle' => 4, // Start keepalive after 4s idle
'tcp_keepinterval' => 3, // Keepalive interval 3s
'tcp_keepcount' => 2, // Close after 2 failed keepalives
'timeout' => 30 // 30 second connection timeout
]);
];

if ($tls) {
// TLS is the mechanism; the caller owns the verification policy. Pass
// ssl_verify_peer / ssl_cafile / ssl_host_name (etc.) via $tlsOptions —
// e.g. verify against the system CA in production, or relax verification
// where the endpoint presents an untrusted certificate. Defaults to
// Swoole's behaviour when no options are given.
$options = array_merge($options, $tlsOptions);
}
Comment thread
greptile-apps[bot] marked this conversation as resolved.

$this->client->set($options);

$this->auth = new Auth([
'authcid' => $user,
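Review bot: The `if ($tls)` block sets no verification default: with `$tls = true` and an empty `$tlsOptions`, the client takes whatever certificate verification Swoole applies by default, as the block's own comment says, so a caller who only flips the flag may get an encrypted but unauthenticated connection. Consider merging onto secure base values, for example `array_merge(['ssl_verify_peer' => true], $tlsOptions)`, with ssl_host_name set to the connection host, so that relaxing verification is an explicit opt-out rather than the default. Separately, `array_merge($options, $tlsOptions)` lets `$tlsOptions` overwrite non-TLS keys such as `timeout` and `open_tcp_keepalive`; restricting the merge to TLS-related keys would keep the two concerns apart. A non-empty `$tlsOptions` passed with `$tls = false` is dropped silently, which deserves an exception or a documented note.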