Fix: Re-read request params at each hook/action call site

loks0n · claude · loks0n · commit 07087af8f0e8 · 2026-04-24T16:49:39.000+01:00
Dispatcher::execute hoisted \$this-&gt;request-&gt;getParams() into a local
before any init hooks fired, then passed that stale array to every
subsequent getArguments() call. That broke the init-hook-mutates-params
contract: if an init hook applied filter/rewrite via
\$request-&gt;setQueryString(), the route action and shutdown hooks would
still see the pre-mutation view.

The old Http::execute called \$request-&gt;getParams() inline at each call
site specifically to preserve this ordering. Restore that behaviour.

Adds two regression tests: init-hook mutation visible to the route
action, and init-hook mutation visible to a shutdown hook's params.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/Http/Dispatcher.php b/src/Http/Dispatcher.php
@@ -143,41 +143,45 @@ public function execute(RouteMatch $match): void
         $route = $match->route;
         $groups = $route->getGroups();
         $pathValues = $route->getPathValues($this->request, $match->preparedPath);
-        $requestParams = $this->request->getParams();
+
+        // Request params are re-read at each call site: init/request hooks
+        // may mutate the request (e.g. applying filters), and later hooks +
+        // the route action must see the updated view. Hoisting this into a
+        // local would cache stale params across the lifecycle.
 
         try {
             if ($route->getHook()) {
                 foreach (Hooks::$init as $hook) {
                     if (\in_array('*', $hook->getGroups())) {
-                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));
+                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));
                     }
                 }
             }
 
             foreach ($groups as $group) {
                 foreach (Hooks::$init as $hook) {
                     if (\in_array($group, $hook->getGroups())) {
-                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));
+                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));
                     }
                 }
             }
 
             if (!$this->response->isSent()) {
-                \call_user_func_array($route->getAction(), $this->http->getArguments($route, $pathValues, $requestParams));
+                \call_user_func_array($route->getAction(), $this->http->getArguments($route, $pathValues, $this->request->getParams()));
             }
 
             foreach ($groups as $group) {
                 foreach (Hooks::$shutdown as $hook) {
                     if (\in_array($group, $hook->getGroups())) {
-                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));
+                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));
                     }
                 }
             }
 
             if ($route->getHook()) {
                 foreach (Hooks::$shutdown as $hook) {
                     if (\in_array('*', $hook->getGroups())) {
-                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));
+                        \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));
                     }
                 }
             }
@@ -188,7 +192,7 @@ public function execute(RouteMatch $match): void
                 foreach (Hooks::$errors as $error) {
                     if (\in_array($group, $error->getGroups())) {
                         try {
-                            \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $requestParams));
+                            \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $this->request->getParams()));
                         } catch (\Throwable $e) {
                             throw new Exception('Error handler had an error: ' . $e->getMessage(), 500, $e);
                         }
@@ -199,7 +203,7 @@ public function execute(RouteMatch $match): void
             foreach (Hooks::$errors as $error) {
                 if (\in_array('*', $error->getGroups())) {
                     try {
-                        \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $requestParams));
+                        \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $this->request->getParams()));
                     } catch (\Throwable $e) {
                         throw new Exception('Error handler had an error: ' . $e->getMessage(), 500, $e);
                     }
diff --git a/tests/DispatcherTest.php b/tests/DispatcherTest.php
@@ -9,6 +9,7 @@
 use Utopia\Http\Adapter\FPM\Request;
 use Utopia\Http\Adapter\FPM\Response;
 use Utopia\Http\Adapter\FPM\Server;
+use Utopia\Validator\Text;
 
 /**
  * End-to-end coverage for {@see Dispatcher} via Http::run().
@@ -220,6 +221,60 @@ public function testOptionsHookFiresForOptionsMethod(): void
         $this->assertStringNotContainsString('GET-HANDLER', $output);
     }
 
+    public function testInitHookMutationsToRequestParamsAreVisibleToRouteAction(): void
+    {
+        // Regression: Dispatcher::execute must re-read $request->getParams()
+        // at each hook/action call site. Hoisting the array into a local
+        // before init hooks fire would cache a pre-hook snapshot, so the
+        // route action would see stale params despite an init hook having
+        // mutated them (e.g. to apply auth/filter rewrites).
+        Http::init()
+            ->inject('request')
+            ->action(function (Request $request) {
+                $request->setQueryString(['x' => 'from-init-hook']);
+            });
+
+        Http::get('/filter-me')
+            ->param('x', 'original', new Text(64), 'x param', true)
+            ->inject('response')
+            ->action(function (string $x, Response $response) {
+                $response->send($x);
+            });
+
+        $output = $this->runRequest('GET', '/filter-me');
+
+        $this->assertSame('from-init-hook', $output);
+    }
+
+    public function testShutdownHookSeesMutationsFromInitHook(): void
+    {
+        // The same guarantee for the init → shutdown path: shutdown hooks
+        // read getArguments() fresh, so an init-time mutation is visible.
+        Http::init()
+            ->inject('request')
+            ->action(function (Request $request) {
+                $request->setQueryString(['token' => 'init-token']);
+            });
+
+        Http::shutdown()
+            ->param('token', '', new Text(64), 'token param', true)
+            ->inject('response')
+            ->action(function (string $token, Response $response) {
+                echo '|shutdown:' . $token;
+            });
+
+        Http::get('/lifecycle-params')
+            ->inject('response')
+            ->action(function (Response $response) {
+                $response->send('ok');
+            });
+
+        $output = $this->runRequest('GET', '/lifecycle-params');
+
+        $this->assertStringContainsString('ok', $output);
+        $this->assertStringContainsString('|shutdown:init-token', $output);
+    }
+
     public function testWildcardRouteMatchCarriesWildcardToken(): void
     {
         Http::wildcard()

Original file line number	Diff line number	Diff line change
`@@ -143,41 +143,45 @@ public function execute(RouteMatch $match): void`
`143`	`143`	`$route = $match->route;`
`144`	`144`	`$groups = $route->getGroups();`
`145`	`145`	`$pathValues = $route->getPathValues($this->request, $match->preparedPath);`
`146`		`- $requestParams = $this->request->getParams();`
	`146`	`+`
	`147`	`+ // Request params are re-read at each call site: init/request hooks`
	`148`	`+ // may mutate the request (e.g. applying filters), and later hooks +`
	`149`	`+ // the route action must see the updated view. Hoisting this into a`
	`150`	`+ // local would cache stale params across the lifecycle.`
`147`	`151`
`148`	`152`	`try {`
`149`	`153`	`if ($route->getHook()) {`
`150`	`154`	`foreach (Hooks::$init as $hook) {`
`151`	`155`	`if (\in_array('*', $hook->getGroups())) {`
`152`		`- \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));`
	`156`	`+ \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));`
`153`	`157`	`}`
`154`	`158`	`}`
`155`	`159`	`}`
`156`	`160`
`157`	`161`	`foreach ($groups as $group) {`
`158`	`162`	`foreach (Hooks::$init as $hook) {`
`159`	`163`	`if (\in_array($group, $hook->getGroups())) {`
`160`		`- \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));`
	`164`	`+ \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));`
`161`	`165`	`}`
`162`	`166`	`}`
`163`	`167`	`}`
`164`	`168`
`165`	`169`	`if (!$this->response->isSent()) {`
`166`		`- \call_user_func_array($route->getAction(), $this->http->getArguments($route, $pathValues, $requestParams));`
	`170`	`+ \call_user_func_array($route->getAction(), $this->http->getArguments($route, $pathValues, $this->request->getParams()));`
`167`	`171`	`}`
`168`	`172`
`169`	`173`	`foreach ($groups as $group) {`
`170`	`174`	`foreach (Hooks::$shutdown as $hook) {`
`171`	`175`	`if (\in_array($group, $hook->getGroups())) {`
`172`		`- \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));`
	`176`	`+ \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));`
`173`	`177`	`}`
`174`	`178`	`}`
`175`	`179`	`}`
`176`	`180`
`177`	`181`	`if ($route->getHook()) {`
`178`	`182`	`foreach (Hooks::$shutdown as $hook) {`
`179`	`183`	`if (\in_array('*', $hook->getGroups())) {`
`180`		`- \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $requestParams));`
	`184`	`+ \call_user_func_array($hook->getAction(), $this->http->getArguments($hook, $pathValues, $this->request->getParams()));`
`181`	`185`	`}`
`182`	`186`	`}`
`183`	`187`	`}`
`@@ -188,7 +192,7 @@ public function execute(RouteMatch $match): void`
`188`	`192`	`foreach (Hooks::$errors as $error) {`
`189`	`193`	`if (\in_array($group, $error->getGroups())) {`
`190`	`194`	`try {`
`191`		`- \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $requestParams));`
	`195`	`+ \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $this->request->getParams()));`
`192`	`196`	`} catch (\Throwable $e) {`
`193`	`197`	`throw new Exception('Error handler had an error: ' . $e->getMessage(), 500, $e);`
`194`	`198`	`}`
`@@ -199,7 +203,7 @@ public function execute(RouteMatch $match): void`
`199`	`203`	`foreach (Hooks::$errors as $error) {`
`200`	`204`	`if (\in_array('*', $error->getGroups())) {`
`201`	`205`	`try {`
`202`		`- \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $requestParams));`
	`206`	`+ \call_user_func_array($error->getAction(), $this->http->getArguments($error, $pathValues, $this->request->getParams()));`
`203`	`207`	`} catch (\Throwable $e) {`
`204`	`208`	`throw new Exception('Error handler had an error: ' . $e->getMessage(), 500, $e);`
`205`	`209`	`}`