Skip to content

feat: allow HEAD requests in function executions#10385

Merged
loks0n merged 7 commits into1.8.xfrom
allow-head-requests
Aug 27, 2025
Merged

feat: allow HEAD requests in function executions#10385
loks0n merged 7 commits into1.8.xfrom
allow-head-requests

Conversation

@ChiragAgg5k
Copy link
Copy Markdown
Member

@ChiragAgg5k ChiragAgg5k commented Aug 27, 2025
edited
Loading

What does this PR do?

now its possible to make head requests to functions so we should allow /executions endpoint to accept it as well

Test Plan

Related PRs and Issues

Checklist

  • Have you read the Contributing Guidelines on issues?
  • If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Aug 27, 2025
edited
Loading

📝 Walkthrough

Walkthrough

Adds HTTP HEAD to the whitelist of allowed methods for the function execution creation endpoint (src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php). Also adds an end-to-end test verifying HEAD-based execution behavior and cleanup (tests/e2e/Services/Functions/FunctionsCustomServerTest.php). No other logic, control flow, signatures, or public/exported entities were changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • loks0n
  • Meldiron

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 PHPStan (2.1.17)

Note: Using configuration file /phpstan.neon.
Invalid entry in excludePaths:
Path "/app/sdks" is neither a directory, nor a file path, nor a fnmatch pattern.

If the excluded path can sometimes exist, append (?)
to its config entry to mark it as optional. Example:

parameters:
excludePaths:
analyseAndScan:
- app/sdks (?)

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f4ea5fa and ee292d0.

📒 Files selected for processing (1)
  • tests/e2e/Services/Functions/FunctionsCustomServerTest.php (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • tests/e2e/Services/Functions/FunctionsCustomServerTest.php
✨ Finishing Touches
  • 📝 Generate Docstrings
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch allow-head-requests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 27, 2025
edited
Loading

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
golang.org/x/crypto v0.31.0 CVE-2025-22869 HIGH
golang.org/x/oauth2 v0.24.0 CVE-2025-22868 HIGH
stdlib 1.22.10 CVE-2025-47907 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Aug 27, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/appwrite/appwrite/@appwrite.io/console@10385

commit: ee292d0

coderabbitai[bot]
coderabbitai bot reviewed Aug 27, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (1)

137-141: Bug: constant string used in !empty check — always true.

!empty('headers') is always true, which alters intent and can cause unintended JSON decoding. Should check the variable instead.

Apply:

-        foreach ($assocParams as $assocParam) {
-            if (!empty('headers') && !is_array($$assocParam)) {
-                $$assocParam = \json_decode($$assocParam, true);
-            }
-        }
+        foreach ($assocParams as $assocParam) {
+            if (!empty($$assocParam) && !is_array($$assocParam)) {
+                $$assocParam = \json_decode($$assocParam, true);
+            }
+        }
🧹 Nitpick comments (4)
src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (4)

143-148: Nit: variable name typo ($booleamParam).

Use $booleanParam for clarity.

-        $booleanParams = ['async'];
-        foreach ($booleanParams as $booleamParam) {
-            if (!empty($$booleamParam) && !is_bool($$booleamParam)) {
-                $$booleamParam = $$booleamParam === "true" ? true : false;
-            }
-        }
+        $booleanParams = ['async'];
+        foreach ($booleanParams as $booleanParam) {
+            if (!empty($$booleanParam) && !is_bool($$booleanParam)) {
+                $$booleanParam = $$booleanParam === "true";
+            }
+        }

120-132: Optional: enforce no body for HEAD to match RFC semantics.

Pre-empt confusing behavior by rejecting bodies with HEAD.

         if (!is_null($scheduledAt)) {
             $validator = new DatetimeValidator(requireDateInFuture: true, precision: DateTimeValidator::PRECISION_MINUTES, offset: 60);
             if (!$validator->isValid($scheduledAt)) {
                 throw new Exception(Exception::GENERAL_BAD_REQUEST, 'Execution schedule must be a valid date, and at least 1 minute from now');
             }
         }
+
+        // Disallow body for HEAD requests
+        if (\strtoupper($method) === 'HEAD' && \strlen($body) > 0) {
+            throw new Exception(Exception::GENERAL_BAD_REQUEST, 'HEAD requests must not contain a body.');
+        }

60-62: Duplicate label('resourceType', ...) declaration.

Remove one to avoid confusion.

-            ->label('resourceType', RESOURCE_TYPE_FUNCTIONS)
-            ->label('event', 'functions.[functionId].executions.[executionId].create')
-            ->label('resourceType', RESOURCE_TYPE_FUNCTIONS)
+            ->label('resourceType', RESOURCE_TYPE_FUNCTIONS)
+            ->label('event', 'functions.[functionId].executions.[executionId].create')

100-119: Add a test for HEAD path end-to-end (sync and async).

Validate: param acceptance, executor receives method=HEAD, response body handling, and persistence of requestMethod in execution doc.

I can draft an integration test covering: createExecution with method=HEAD (async=false), assert persisted requestMethod=HEAD and responseBody handling; plus async scheduled flow.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9fc39dd and cc73621.

⛔ Files ignored due to path filters (12)
  • app/config/specs/open-api3-1.8.x-client.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-1.8.x-console.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-1.8.x-server.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-client.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-console.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-server.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-1.8.x-client.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-1.8.x-console.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-1.8.x-server.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-client.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-console.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-server.json is excluded by !app/config/specs/**
📒 Files selected for processing (2)
  • src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (1 hunks)
  • src/Appwrite/Utopia/Request/Filters/V20.php (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-05-03T05:58:34.294Z 
Learnt from: ItzNotABug
PR: appwrite/appwrite#9669
File: src/Appwrite/Utopia/Request/Filters/V19.php:56-71
Timestamp: 2025-05-03T05:58:34.294Z
Learning: According to the developer, wildcard select handling in V19 request filter is only needed for `listDocuments` operations, not for `getDocument` operations, despite the doc-block mentioning both.

Applied to files:

  • src/Appwrite/Utopia/Request/Filters/V20.php
🧬 Code graph analysis (1)
src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (1)
src/Appwrite/GraphQL/Types/Mapper.php (1)
  • param (253-354)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: E2E Service Test (VCS)
  • GitHub Check: E2E Service Test (Realtime)
  • GitHub Check: E2E Service Test (Locale)
  • GitHub Check: E2E Service Test (Databases/TablesDB)
  • GitHub Check: E2E Service Test (Databases/Legacy)
  • GitHub Check: E2E Service Test (Console)
  • GitHub Check: E2E Service Test (Site Screenshots)
  • GitHub Check: E2E General Test
  • GitHub Check: Benchmark
  • GitHub Check: Setup & Build SDK
  • GitHub Check: scan
🔇 Additional comments (4)
src/Appwrite/Utopia/Request/Filters/V20.php (2)

55-63: LGTM: style-only change to elseif.

No functional impact.

25-33: Double-check docblock claim about getDocument.

Retrieved learnings indicate wildcard select handling was only needed for listDocuments in V19. Please confirm V20 behavior and either keep as-is for backward-compat or narrow the docblock/scope accordingly.

Note: Referencing previously stored learnings from #9669 (May 2025).

src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (2)

83-83: HEAD added to whitelist — good addition.

This aligns the execution API with typical HTTP method support.

83-83: No additional method whitelists found—HEAD support is already consistent.

  • Ripgrep across the PHP codebase for ->param('method', … new WhiteList( yields only the Create execution endpoint in src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php at line 83, which already includes 'HEAD'.
  • There are no other user-facing "method" parameters validated by a WhiteList outside of that location.
  • Task schedulers and other HTTP actions use fixed .setHttpMethod(...) calls (GET, POST, DELETE, etc.) rather than a dynamic "method" parameter, so no further whitelists need updating.

All relevant code paths now allow HEAD; no changes required.

src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php Outdated
->param('async', false, new Boolean(true), 'Execute code in the background. Default value is false.', true)
->param('path', '/', new Text(2048), 'HTTP path of execution. Path can include query params. Default value is /', true)
->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'], true), 'HTTP method of execution. Default value is GET.', true)
->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true), 'HTTP method of execution. Default value is GET.', true)
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Fix default value mismatch (doc says GET, code default is POST) and class casing.

The parameter description says “Default value is GET.” but the default is 'POST'. Also, instantiated class name differs in casing from the imported WhiteList. Pick one of the following:

Option A — keep default POST and fix description + casing:

-            ->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true), 'HTTP method of execution. Default value is GET.', true)
+            ->param('method', 'POST', new WhiteList(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true), 'HTTP method of execution. Default value is POST.', true)

Option B — revert default to GET to match description + casing:

-            ->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true), 'HTTP method of execution. Default value is GET.', true)
+            ->param('method', 'GET', new WhiteList(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true), 'HTTP method of execution. Default value is GET.', true)

🏁 Script executed:

#!/bin/bash
# Confirm presence and casing of Whitelist/WhiteList classes in the codebase
grep -R "class Whitelist" -n src
grep -R "class WhiteList" -n src

# Check import in the target file
grep -R "use .*White" -n src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php

# Show context around the param definition
grep -nC2 "->param('method'" -n src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php

# Verify the documentation string in this file
grep -R "HTTP method of execution" -n src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php

Length of output: 704

Fix default value mismatch and class casing in Create.php

The ->param('method', …) call in src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php has two issues:

  • Default value mismatch (code uses 'POST', but the description says “Default value is GET.”)
  • Class name casing (new Whitelist vs. imported WhiteList)

Please apply the following changes to keep the default as POST and correct the validator class name:

--- a/src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php
+++ b/src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php
@@ -80,7 +80,7 @@
             ->param(
-               'method',
-               'POST',
-               new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true),
-               'HTTP method of execution. Default value is GET.',
-               true
+               'method',
+               'POST',
+               new WhiteList(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true),
+               'HTTP method of execution. Default value is POST.',
+               true
             )

Locations to update:

  • Line 83: adjust default value in the docstring to “POST”
  • Line 83: update instantiation to new WhiteList to match the use statement
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true), 'HTTP method of execution. Default value is GET.', true)
->param(
- 'method',
- 'POST',
- new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true),
- 'HTTP method of execution. Default value is GET.',
'method',
'POST',
new WhiteList(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'], true),
'HTTP method of execution. Default value is POST.',
true
)
🤖 Prompt for AI Agents 
In src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php around
line 83, the param call documents the default as "GET" but the code uses 'POST'
and the validator class is instantiated as Whitelist while the imported class is
WhiteList; update the docstring/default text to say "Default value is POST." and
change the instantiation from new Whitelist(...) to new WhiteList(...) so the
default matches the code and the class name matches the import.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 27, 2025
edited
Loading

✨ Benchmark results

  • Requests per second: 1,214
  • Requests with 200 status code: 218,596
  • P99 latency: 0.160684304

⚡ Benchmark Comparison

Metric This PR Latest version
RPS 1,214 994
200 218,596 178,878
P99 0.160684304 0.194072539

coderabbitai[bot]
coderabbitai bot reviewed Aug 27, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
tests/e2e/Services/Functions/FunctionsCustomServerTest.php (2)

928-939: Prevent test pollution: delete the HEAD execution if it’s persisted

If HEAD executions still persist, later assertions (e.g., listExecutions expecting total=1) will break. Clean up conditionally so the suite remains stable regardless of backend behavior.

Apply this diff just after the HEAD assertions:

         $this->assertEquals('completed', $execution['body']['status']);
         $this->assertEquals(200, $execution['body']['responseStatusCode']);
         $this->assertIsArray($execution['body']['responseHeaders']);
         $this->assertEmpty($execution['body']['responseBody']); // For head requests, response body is empty
+
+        // Cleanup to avoid inflating listExecutions totals if an execution document was created
+        $headExecutionId = $execution['body']['$id'] ?? null;
+        if (!empty($headExecutionId)) {
+            $this->client->call(
+                Client::METHOD_DELETE,
+                '/functions/' . $data['functionId'] . '/executions/' . $headExecutionId,
+                array_merge([
+                    'content-type' => 'application/json',
+                    'x-appwrite-project' => $this->getProject()['$id'],
+                ], $this->getHeaders()),
+                []
+            );
+        }

939-939: Capitalize HTTP method in comment

Use standard casing for HTTP verbs.

-        $this->assertEmpty($execution['body']['responseBody']); // For head requests, response body is empty
+        $this->assertEmpty($execution['body']['responseBody']); // For HEAD requests, response body is empty
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 0a2fb92 and f4ea5fa.

⛔ Files ignored due to path filters (12)
  • app/config/specs/open-api3-1.8.x-client.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-1.8.x-console.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-1.8.x-server.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-client.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-console.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-server.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-1.8.x-client.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-1.8.x-console.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-1.8.x-server.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-client.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-console.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-server.json is excluded by !app/config/specs/**
📒 Files selected for processing (1)
  • tests/e2e/Services/Functions/FunctionsCustomServerTest.php (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Setup & Build Appwrite Image
  • GitHub Check: Linter
  • GitHub Check: Setup & Build SDK
  • GitHub Check: scan

@loks0n loks0n merged commit f30dc5d into 1.8.x Aug 27, 2025
43 checks passed
@ChiragAgg5k ChiragAgg5k deleted the allow-head-requests branch September 15, 2025 04:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

+1 more reviewer

@vermakhushboo vermakhushboo vermakhushboo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ChiragAgg5k @vermakhushboo @loks0n