perf: inject Superglobals into IncomingRequest constructor instead of service() calls

- Add optional ?Superglobals  parameter to constructor
  (defaults to service('superglobals') when null, fully backward compatible)
- Replace service('superglobals') calls in isSecure(), getPostGet(),
  getGetPost() with ->superglobals property
- Add tests verifying injected instance takes precedence over the service

Author: gr8man

system/HTTP/IncomingRequest.php

@@ -17,6 +17,7 @@
 use CodeIgniter\HTTP\Exceptions\HTTPException;
 use CodeIgniter\HTTP\Files\FileCollection;
 use CodeIgniter\HTTP\Files\UploadedFile;
+use CodeIgniter\Superglobals;
 use Config\App;
 use Config\Services;
 use Locale;
@@ -123,18 +124,27 @@ class IncomingRequest extends Request
      */
     protected $userAgent;
 
+    /**
+     * Superglobals instance.
+     *
+     * @var Superglobals|null
+     */
+    protected $superglobals;
+
     /**
      * Constructor
      *
      * @param App         $config
      * @param string|null $body
      */
-    public function __construct($config, ?URI $uri = null, $body = 'php://input', ?UserAgent $userAgent = null)
+    public function __construct($config, ?URI $uri = null, $body = 'php://input', ?UserAgent $userAgent = null, ?Superglobals $superglobals = null)
     {
         if (! $uri instanceof URI || ! $userAgent instanceof UserAgent) {
             throw new InvalidArgumentException('You must supply the parameters: uri, userAgent.');
         }
 
+        $this->superglobals = $superglobals ?? service('superglobals');
+
         $this->populateHeaders();
 
         if (
@@ -266,7 +276,7 @@ public function isAJAX(): bool
      */
     public function isSecure(): bool
     {
-        $https = service('superglobals')->server('HTTPS');
+        $https = $this->superglobals->server('HTTPS');
 
         if ($https !== null && strtolower($https) !== 'off') {
             return true;
@@ -601,9 +611,11 @@ public function getPostGet($index = null, $filter = null, $flags = null)
         // Use $_POST directly here, since filter_has_var only
         // checks the initial POST data, not anything that might
         // have been added since.
-        return service('superglobals')->post($index) !== null
+        $superglobals = $this->superglobals;
+
+        return $superglobals->post($index) !== null
             ? $this->getPost($index, $filter, $flags)
-            : (service('superglobals')->get($index) !== null ? $this->getGet($index, $filter, $flags) : $this->getPost($index, $filter, $flags));
+            : ($superglobals->get($index) !== null ? $this->getGet($index, $filter, $flags) : $this->getPost($index, $filter, $flags));
     }
 
     /**
@@ -624,9 +636,11 @@ public function getGetPost($index = null, $filter = null, $flags = null)
         // Use $_GET directly here, since filter_has_var only
         // checks the initial GET data, not anything that might
         // have been added since.
-        return service('superglobals')->get($index) !== null
+        $superglobals = $this->superglobals;
+
+        return $superglobals->get($index) !== null
             ? $this->getGet($index, $filter, $flags)
-            : (service('superglobals')->post($index) !== null ? $this->getPost($index, $filter, $flags) : $this->getGet($index, $filter, $flags));
+            : ($superglobals->post($index) !== null ? $this->getPost($index, $filter, $flags) : $this->getGet($index, $filter, $flags));
     }
 
     /**

tests/system/HTTP/IncomingRequestTest.php

@@ -1167,5 +1167,63 @@ public function testGetIPAddressThruProxyInvalidConfigArray(): void
         $this->request->getIPAddress();
     }
 
+    public function testInjectedSuperglobalsIsSecure(): void
+    {
+        $superglobals = new Superglobals(server: ['HTTPS' => 'on']);
+
+        $config  = new App();
+        $uri     = new SiteURI($config);
+        $request = new IncomingRequest($config, $uri, null, new UserAgent(), $superglobals);
+
+        $this->assertTrue($request->isSecure());
+    }
+
+    public function testInjectedSuperglobalsIsSecureNoOverride(): void
+    {
+        service('superglobals')->setServer('HTTPS', 'on');
+
+        $superglobals = new Superglobals(server: []);
+
+        $config  = new App();
+        $uri     = new SiteURI($config);
+        $request = new IncomingRequest($config, $uri, null, new UserAgent(), $superglobals);
+
+        $this->assertFalse($request->isSecure());
+    }
+
+    public function testInjectedSuperglobalsGetPostGet(): void
+    {
+        // Service has only GET data
+        service('superglobals')->setGet('key', 'service_get');
+
+        // Injected mock has only POST data
+        $superglobals = new Superglobals(post: ['key' => 'mock_post'], get: []);
+
+        $config  = new App();
+        $uri     = new SiteURI($config);
+        $request = new IncomingRequest($config, $uri, null, new UserAgent(), $superglobals);
+
+        // Mock says POST exists -> choose POST -> service has no POST -> null
+        // Without injection, would have found no POST in service, fallen back to GET -> 'service_get'
+        $this->assertNull($request->getPostGet('key'));
+    }
+
+    public function testInjectedSuperglobalsGetGetPost(): void
+    {
+        // Service has only POST data
+        service('superglobals')->setPost('key', 'service_post');
+
+        // Injected mock has only GET data
+        $superglobals = new Superglobals(get: ['key' => 'mock_get'], post: []);
+
+        $config  = new App();
+        $uri     = new SiteURI($config);
+        $request = new IncomingRequest($config, $uri, null, new UserAgent(), $superglobals);
+
+        // Mock says GET exists -> choose GET -> service has no GET -> null
+        // Without injection, would have found no GET in service, fallen back to POST -> 'service_post'
+        $this->assertNull($request->getGetPost('key'));
+    }
+
     // @TODO getIPAddress should have more testing, to 100% code coverage
 }