adding features from the changelog

niden · niden · commit 4dbd2ce64537 · 2026-04-03T20:10:26.000-05:00
diff --git a/docs/di.md b/docs/di.md
@@ -403,6 +403,12 @@ public function get(
 ```
 Resolves the service based on its configuration
 
+```php
+public function getAlias(string $name): string
+```
+Returns the resolved service name for an alias, or an empty string if the alias does not exist.
+public function setAlias(string $name, string|array $aliases): Di
+
 ```php
 public static function getDefault(): DiInterface | null
 ```
@@ -575,6 +581,11 @@ public function set(
 ```
 Registers a service in the services container
 
+```php
+public function setAlias(string $name, string|array $aliases): Di
+```
+Registers one or more aliases for an existing service.
+
 ```php
 public static function setDefault(<DiInterface> container)
 ```
@@ -1244,6 +1255,38 @@ $requestService->setShared(true);
 $request = $requestService->resolve();
 ```
 
+### Service Aliases
+
+!!! warning "WARNING"
+
+    Alias names must be strings, cannot collide with existing services/aliases, and the target service must already exist.
+
+You can register one or more aliases for an existing service name. Once aliases are set, calls such as `get()`, `getShared()`, `getService()`, `set()`, and `remove()` can resolve through the alias chain.
+
+```php
+<?php
+
+use Phalcon\Di\Di;
+use Phalcon\Http\Request;
+
+$container = new Di();
+
+$container->setShared("request", Request::class);
+
+// single alias
+$container->setAlias("request", "httpRequest");
+
+// multiple aliases
+$container->setAlias("request", ["req", "incomingRequest"]);
+
+$requestA = $container->get("request");
+$requestB = $container->get("httpRequest");
+$requestC = $container->get("req");
+
+var_dump($requestA === $requestB); // true
+var_dump($container->getAlias("incomingRequest")); // "request"
+```
+
 ## Instantiating Classes
 When you request a service from the container, if it cannot be found by using the same name, it will try to load a class with the same name. This behavior allows you to replace any service with another, by simply registering a service with the common name:
 
diff --git a/docs/encryption-security-jwt.md b/docs/encryption-security-jwt.md
@@ -292,9 +292,10 @@ public function addClaim(string $name, mixed $value): Builder
 Adds a custom claim in the claims collection
 
 ```php
-public function getAudience(): array|string
+public function getAudience(): array
 ```
-Returns the `aud` contents
+---
+Returns the `aud` contents. If `aud` is not set, this method returns an empty array.
 
 ```php
 public function getClaims(): array
@@ -394,7 +395,14 @@ Sets the subject (`sub`).
 ```php
 public function setPassphrase(string $passphrase): Builder
 ```
-Sets the passphrase. If the `$passphrase` is weak, a [Phalcon\Encryption\Security\JWT\Exceptions\ValidatorException][security-jwt-exceptions-validatorexception] will be thrown.
+Sets the passphrase. A weak passphrase raises a [Phalcon\Encryption\Security\JWT\Exceptions\ValidatorException][security-jwt-exceptions-validatorexception].
+
+The passphrase must:
+- be at least 16 characters long
+- contain at least one uppercase letter
+- contain at least one lowercase letter
+- contain at least one digit
+- contain at least one special character
 
 ```php
 private function setClaim(string $name, $value): Builder
@@ -492,6 +500,21 @@ public function validateAudience(array|string $audience): Validator
 ```
 Validates the audience. If it is not included in the token's `aud`, a [Phalcon\Encryption\Security\JWT\Exceptions\ValidatorException][security-jwt-exceptions-validatorexception] will be thrown.
 
+```php
+public function validateClaim(string $name, mixed $value): Validator
+```
+Validates a custom claim by name against an expected value.
+
+In a validator example chain, include one custom claim check, e.g.:
+```php
+$validator
+    ->validateAudience($audience)
+    ->validateIssuer($issuer)
+    ->validateClaim("tenantId", "acme")
+;
+```
+
+
 ```php
 public function validateExpiration(int $timestamp): Validator
 ```
diff --git a/docs/filter-filter.md b/docs/filter-filter.md
@@ -119,9 +119,9 @@ Remove all characters except digits, plus and minus sign, and casts the value as
 
 #### `ip`
 ```php
-Ip( string input, int filter = 0 ): int
+Ip( string $input, int $filter = 0 ): string|false
 ```
-Sanitize the IP address or CIDR IP range. Internally it uses [filter_var][filter_var]. You can pass specific filters to sanitize your input:
+Sanitizes an IP address or CIDR IP range. Internally it uses [filter_var][filter_var] for IP validation. CIDR masks are validated according to IP family (`0-32` for IPv4, `0-128` for IPv6). Returns `false` for invalid values.
 
 ```
 FILTER_FLAG_IPV4
diff --git a/docs/forms.md b/docs/forms.md
@@ -334,6 +334,10 @@ The second optional parameter is `entity` (object). If passed, internally the co
 
 Once the `bind()` process finishes, the modified `entity` will be passed in the `beforeValidation` event (if events are enabled) and after that, all the validators will be called on the form using the modified `entity` object.
 
+!!! info "NOTE"
+
+    During `isValid()`, field filters are applied through the form binding flow even when an element has no validators. This keeps entity/input normalization consistent across validated and non-validated fields.
+
 !!! info "NOTE"
 
     Passing an `entity` object will result in the object being modified by the user input as described above. If you do not wish this behavior, you can clone the entity before passing it, to keep a copy of the original object
diff --git a/docs/logger.md b/docs/logger.md
@@ -159,15 +159,15 @@ $logger->warning("This is a warning message");
 The log generated is as follows:
 
 ```bash
-[Tue, 25 Dec 18 12:13:14 -0400][ALERT] This is an alert message
-[Tue, 25 Dec 18 12:13:14 -0400][CRITICAL] This is a critical message
-[Tue, 25 Dec 18 12:13:14 -0400][DEBUG] This is a debug message
-[Tue, 25 Dec 18 12:13:14 -0400][ERROR] This is an error message
-[Tue, 25 Dec 18 12:13:14 -0400][EMERGENCY] This is an emergency message
-[Tue, 25 Dec 18 12:13:14 -0400][INFO] This is an info message
-[Tue, 25 Dec 18 12:13:14 -0400][CRITICAL] This is a log message
-[Tue, 25 Dec 18 12:13:14 -0400][NOTICE] This is a notice message
-[Tue, 25 Dec 18 12:13:14 -0400][WARNING] This is warning message
+[Tue, 25 Dec 18 12:13:14 -0400][alert] This is an alert message
+[Tue, 25 Dec 18 12:13:14 -0400][critical] This is a critical message
+[Tue, 25 Dec 18 12:13:14 -0400][debug] This is a debug message
+[Tue, 25 Dec 18 12:13:14 -0400][error] This is an error message
+[Tue, 25 Dec 18 12:13:14 -0400][emergency] This is an emergency message
+[Tue, 25 Dec 18 12:13:14 -0400][info] This is an info message
+[Tue, 25 Dec 18 12:13:14 -0400][critical] This is a log message
+[Tue, 25 Dec 18 12:13:14 -0400][notice] This is a notice message
+[Tue, 25 Dec 18 12:13:14 -0400][warning] This is warning message
 ```
 
 ## Multiple Adapters
@@ -295,10 +295,10 @@ $logger->warning("This is a warning message");
 The log generated is as follows:
 
 ```bash
-[Tue, 25 Dec 18 12:13:14 -0400][ALERT] This is an alert message
-[Tue, 25 Dec 18 12:13:14 -0400][CRITICAL] This is a critical message
-[Tue, 25 Dec 18 12:13:14 -0400][EMERGENCY] This is an emergency message
-[Tue, 25 Dec 18 12:13:14 -0400][CRITICAL] This is a log message
+[Tue, 25 Dec 18 12:13:14 -0400][alert] This is an alert message
+[Tue, 25 Dec 18 12:13:14 -0400][critical] This is a critical message
+[Tue, 25 Dec 18 12:13:14 -0400][emergency] This is an emergency message
+[Tue, 25 Dec 18 12:13:14 -0400][critical] This is a log message
 ```
 
 The above can be used in situations where you want to log messages above a certain severity based on conditions in your application such as development mode vs. production.
@@ -307,6 +307,10 @@ The above can be used in situations where you want to log messages above a certa
 
     The log level set is included in the logging. Anything **below** that level (i.e. higher number) will not be logged
 
+!!! info "NOTE"
+
+    Log level names are emitted in lowercase (for example: `error`, `warning`, `info`).
+
 !!! danger "DANGER"
 
     It is **never** a good idea to suppress logging levels in your application since even warning errors do require CPU cycles to be processed, and neglecting these errors could potentially lead to unintended circumstances 
@@ -376,11 +380,11 @@ Formats the messages using a one-line string. The default logging format is:
 #### Message Format
 If the default format of the message does not fit the needs of your application you can change it using the `setFormat()` method. The log format variables allowed are:
 
-| Variable    | Description                              |
-|-------------|------------------------------------------|
+| Variable    | Description                                 |
+|-------------|---------------------------------------------|
 | `%message%` | The message itself is expected to be logged |
-| `%date%`    | Date the message was added               |
-| `%level%`   | Uppercase string with message level      |
+| `%date%`    | Date the message was added                  |
+| `%level%`   | Lowercase string with message level         |
 
 The following example demonstrates how to change the message format:
 
@@ -409,7 +413,7 @@ $logger->error('Something went wrong');
 which produces:
 
 ```bash
-[ALERT] - [Tue, 25 Dec 18 12:13:14 -0400] - Something went wrong
+[alert] - [Tue, 25 Dec 18 12:13:14 -0400] - Something went wrong
 ```
 
 If you do not want to use the constructor to change the message, you can always use the `setFormat()` on the formatter:
@@ -473,7 +477,7 @@ $logger->error('Something went wrong');
 which produces:
 
 ```bash
-[ERROR] - [20181225-121314] - Something went wrong
+[error] - [20181225-121314] - Something went wrong
 ```
 
 ### JSON Formatter
diff --git a/docs/request.md b/docs/request.md
@@ -371,12 +371,35 @@ The [Phalcon\Http\Request][http-request] object offers methods that provide addi
 
 ### Client
 
-| Name                  | Description                                                            |
-|-----------------------|------------------------------------------------------------------------|
-| `getClientAddress()`  | Gets most possible client IPv4 Address                                 |
-| `getClientCharsets()` | Gets a charsets array and their quality accepted by the browser/client |
-| `getUserAgent()`      | Gets HTTP user agent used to make the request                          |
-| `getHTTPReferer()`    | Gets web page that refers active request                               |
+| Name                  | Description                                                              |
+|-----------------------|--------------------------------------------------------------------------|
+| `getClientAddress()`  | Gets the most likely client IP address (supports proxy-aware resolution) |
+| `getClientCharsets()` | Gets a charsets array and their quality accepted by the browser/client   |
+| `getUserAgent()`      | Gets HTTP user agent used to make the request                            |
+| `getHTTPReferer()`    | Gets web page that refers active request                                 |
+
+### Trusted Proxy Resolution
+
+When you call `getClientAddress(true)`, the request component can resolve client IPs behind proxies.
+
+Resolution order:
+1. If `trustedProxyHeader` is configured and present, use it first.
+2. If `trustedProxies` is configured and `REMOTE_ADDR` is not trusted, return `REMOTE_ADDR`.
+3. Otherwise, parse `HTTP_X_FORWARDED_FOR` from right to left, skip trusted proxies, and return the first valid public IP.
+
+```php
+<?php
+
+use Phalcon\Http\Request;
+
+$request = new Request();
+
+$request
+    ->setTrustedProxies(["10.0.0.10", "10.0.0.11"])
+    ->setTrustedProxyHeader("HTTP_CLIENT_IP");
+
+$ipAddress = $request->getClientAddress(true);
+```
 
 ### Content
 
