Merge pull request 'fix: trusted IP session bypass + CI workflow syncs' (#60) from dev into main

CHANGELOG.md

@@ -37,6 +37,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Each entry has a label and enabled toggle for easy management
 - Current IP display above trusted IPs table so admins can easily add their own IP
 
+### Fixed
+- Trusted IP session bypass: moved from `onAfterInitialise` to `boot()` so Joomla's session lifetime is extended before the session handler validates it (was too late, Joomla expired the session first)
+
 ## [02.06.00] - 2026-05-25
 
 ### Added

README.md

@@ -9,7 +9,7 @@
  DEFGROUP: Joomla.Plugin
  INGROUP: MokoWaaS
  REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.11.01
+ VERSION: 02.11.02
  PATH: /README.md
  BRIEF: MokoWaaS platform plugin for Joomla
 -->

src/packages/com_mokowaas/mokowaas.xml

@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.11.01</version>
+	<version>02.11.02</version>
 	<description>Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups.</description>
 	<namespace path="api/src">Moko\Component\MokoWaaS\Api</namespace>
 	<administration>

src/packages/plg_system_mokowaas/Extension/MokoWaaS.php

@@ -31,6 +31,7 @@ namespace Moko\Plugin\System\MokoWaaS\Extension;
 
 defined('_JEXEC') or die;
 
+use Joomla\CMS\Extension\BootableExtensionInterface;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Log\Log;
 use Joomla\CMS\Plugin\CMSPlugin;
@@ -38,6 +39,7 @@ use Joomla\CMS\Router\Route;
 use Joomla\CMS\Language\Language;
 use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\UserHelper;
+use Psr\Container\ContainerInterface;
 
 /**
  * MokoWaaS Brand System Plugin
@@ -47,7 +49,7 @@ use Joomla\CMS\User\UserHelper;
  *
  * @since  01.04.00
  */
-class MokoWaaS extends CMSPlugin
+class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 {
 	/**
 	 * Obfuscated Grafana URL (XOR + base64).
@@ -114,6 +116,37 @@ class MokoWaaS extends CMSPlugin
 	 */
 	protected $app;
 
+	/**
+	 * Boot the extension — runs BEFORE Joomla creates the session.
+	 *
+	 * Extends the Joomla session lifetime for trusted IPs so the
+	 * session handler does not destroy the session before
+	 * onAfterInitialise can run.
+	 *
+	 * @param   ContainerInterface  $container  The DI container.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.11.00
+	 */
+	public function boot(ContainerInterface $container): void
+	{
+		$timeout = (int) $this->params->get('admin_session_timeout', 0);
+
+		if ($timeout <= 0)
+		{
+			return;
+		}
+
+		if ($this->ipIsTrusted())
+		{
+			// Set both PHP and Joomla session lifetimes before the
+			// session handler runs its expiry check.
+			ini_set('session.gc_maxlifetime', 315360000);
+			Factory::getConfig()->set('lifetime', 525600);
+		}
+	}
+
 	/**
 	 * Event triggered after the framework has loaded and the application initialise method has been called.
 	 *
@@ -3343,11 +3376,9 @@ class MokoWaaS extends CMSPlugin
 			return;
 		}
 
-		// Don't timeout trusted IPs — extend their session instead
+		// Trusted IPs — session lifetime already extended in boot()
 		if ($this->ipIsTrusted())
 		{
-			ini_set('session.gc_maxlifetime', 315360000);
-
 			return;
 		}
 
@@ -3398,7 +3429,9 @@ class MokoWaaS extends CMSPlugin
 			return false;
 		}
 
-		$ip     = $this->app->input->server->getString('REMOTE_ADDR', '');
+		$ip     = $this->app
+			? $this->app->input->server->getString('REMOTE_ADDR', '')
+			: ($_SERVER['REMOTE_ADDR'] ?? '');
 		$ipLong = ip2long($ip);
 
 		if ($ipLong === false)

src/packages/plg_system_mokowaas/mokowaas.xml

@@ -30,7 +30,7 @@
 	<license>GNU General Public License version 3 or later; see LICENSE.md</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.11.01</version>
+	<version>02.11.02</version>
 	<description>This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.</description>
 	<namespace path=".">Moko\Plugin\System\MokoWaaS</namespace>
 	<scriptfile>script.php</scriptfile>

src/packages/plg_webservices_mokowaas/mokowaas.xml

@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.11.01</version>
+	<version>02.11.02</version>
 	<description>Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoWaaS</namespace>
 	<files>

src/pkg_mokowaas.xml

@@ -2,7 +2,7 @@
 <extension type="package" method="upgrade">
 	<name>MokoWaaS</name>
 	<packagename>mokowaas</packagename>
-	<version>02.11.01</version>
+	<version>02.11.02</version>
 	<creationDate>2026-05-23</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>