Merge v9-wip upstream branch

.github/workflows/coding-standards.yml

@@ -0,0 +1,36 @@
+name: Coding Standards
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  coding-standards:
+    name: Coding Standards
+
+    runs-on: ${{ matrix.operating-system }}
+
+    strategy:
+      matrix:
+        php-version:
+          - 8.3
+        operating-system:
+          - ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          php-version: ${{ matrix.php-version }}
+          ini-values: memory_limit=-1
+          tools: composer:v2, cs2pr
+
+      - name: Install Dependencies
+        run: composer update --prefer-stable --prefer-dist --no-interaction --no-progress
+
+      - name: Run Codesniffer
+        run: vendor/bin/phpcs

.github/workflows/static-analysis.yml

@@ -0,0 +1,37 @@
+name: Static Analysis
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  static-analysis:
+    name: Static Analysis
+
+    runs-on: ${{ matrix.operating-system }}
+
+    strategy:
+      matrix:
+        php-version: [8.1, 8.2, 8.3]
+        composer-stability: [prefer-lowest, prefer-stable]
+        operating-system:
+          - ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          php-version: ${{ matrix.php-version }}
+          ini-values: memory_limit=-1
+          tools: composer:v2, cs2pr
+
+      - name: Install Dependencies
+        run: composer update --${{ matrix.composer-stability }} --prefer-dist --no-interaction --no-progress
+
+      - name: Run Static Analysis
+        run: vendor/bin/phpstan analyse
+

.github/workflows/tests.yml

@@ -11,16 +11,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: [8.1, 8.2]
+        php: [8.1, 8.2, 8.3]
         os: [ubuntu-22.04]
         stability: [prefer-lowest, prefer-stable]
-        include:
-          - os: ubuntu-20.04
-            php: 8.0
-            stability: prefer-lowest
-          - os: ubuntu-20.04
-            php: 8.0
-            stability: prefer-stable
 
     runs-on: ${{ matrix.os }}
 
@@ -48,7 +41,7 @@ jobs:
           composer global require scrutinizer/ocular
 
       - name: Execute tests
-        run: vendor/bin/phpunit --verbose --coverage-clover=coverage.clover
+        run: vendor/bin/phpunit --coverage-clover=coverage.clover
 
       - name: Code coverage
         if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' }}

CHANGELOG.md

@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
 - Authorization Request objects are now created through the factory method, `createAuthorizationRequest()` (PR #1111)
 - Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
+- AccessTokenEntityInterface now requires the implementation of `toString()` instead of the magic method `__toString()` (PR #XXXX)
 
 ### Removed
 - Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

composer.json

@@ -4,29 +4,29 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "^8.0",
+        "php": "~8.1.0 || ~8.2.0 || ~8.3.0",
         "ext-openssl": "*",
-        "league/event": "^2.2",
-        "league/uri": "^6.7 || ^7.0",
-        "lcobucci/jwt": "^4.3 || ^5.0",
-        "psr/http-message": "^1.0.1 || ^2.0",
-        "defuse/php-encryption": "^2.3.1",
+        "league/event": "^3.0",
+        "league/uri": "^7.0",
+        "lcobucci/jwt": "^5.0",
+        "psr/http-message": "^2.0",
+        "defuse/php-encryption": "^2.4",
         "ext-json": "*",
+        "lcobucci/clock": "^2.3 || ^3.0"
         "psr/http-server-middleware": "^1.0",
-        "lcobucci/clock": "^2.2 || ^3.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6.11",
-        "laminas/laminas-diactoros": "^3.0.0",
-        "phpstan/phpstan": "^1.10.26",
-        "phpstan/phpstan-phpunit": "^1.3.14",
+        "phpunit/phpunit": "^9.6.15",
+        "laminas/laminas-diactoros": "^3.3.0",
+        "phpstan/phpstan": "^1.10.55",
+        "phpstan/phpstan-phpunit": "^1.3.15",
         "roave/security-advisories": "dev-master",
-        "phpstan/extension-installer": "^1.3",
-        "phpstan/phpstan-deprecation-rules": "^1.1",
-        "phpstan/phpstan-strict-rules": "^1.5",
-        "slevomat/coding-standard": "^8.13",
-        "php-parallel-lint/php-parallel-lint": "^1.3",
-        "squizlabs/php_codesniffer": "^3.7"
+        "phpstan/extension-installer": "^1.3.1",
+        "phpstan/phpstan-deprecation-rules": "^1.1.4",
+        "phpstan/phpstan-strict-rules": "^1.5.2",
+        "slevomat/coding-standard": "^8.14.1",
+        "php-parallel-lint/php-parallel-lint": "^1.3.2",
+        "squizlabs/php_codesniffer": "^3.8"
     },
     "repositories": [
         {

phpcs.xml.dist

@@ -20,7 +20,6 @@
     <config name="installed_paths" value="../../slevomat/coding-standard" />
     <rule ref="SlevomatCodingStandard.TypeHints.DeclareStrictTypes">
         <properties>
-            <property name="newlinesCountBetweenOpenTagAndDeclare" type="int" value="2" />
             <property name="spacesCountAroundEqualsSign" type="int" value="0" />
         </properties>
     </rule>

phpstan.neon.dist

@@ -7,4 +7,3 @@ parameters:
         -
           message: '#Call to an undefined method League\\OAuth2\\Server\\ResponseTypes\\ResponseTypeInterface::getAccessToken\(\)\.#'
           path: tests/Grant/ClientCredentialsGrantTest.php 
-        - '#Return type \(League\\Event\\EmitterInterface\|null\) of method LeagueTests\\Stubs\\GrantType::getEmitter\(\) should be covariant with return type \(League\\Event\\EmitterInterface\) of method League\\Event\\EmitterAwareInterface::getEmitter\(\)#'

src/AuthorizationServer.php

@@ -14,8 +14,8 @@
 
 use DateInterval;
 use Defuse\Crypto\Key;
-use League\Event\EmitterAwareInterface;
-use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\EventEmitting\EmitterAwareInterface;
+use League\OAuth2\Server\EventEmitting\EmitterAwarePolyfill;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
@@ -31,7 +31,7 @@
 
 class AuthorizationServer implements EmitterAwareInterface
 {
-    use EmitterAwareTrait;
+    use EmitterAwarePolyfill;
 
     /**
      * @var GrantTypeInterface[]

src/AuthorizationValidators/BearerTokenValidator.php

@@ -97,6 +97,10 @@ public function validateAuthorization(ServerRequestInterface $request): ServerRe
         $header = $request->getHeader('authorization');
         $jwt = trim((string) preg_replace('/^\s*Bearer\s/', '', $header[0]));
 
+        if ($jwt === '') {
+            throw OAuthServerException::accessDenied('Missing "Bearer" token');
+        }
+
         try {
             // Attempt to parse the JWT
             $token = $this->jwtConfiguration->parser()->parse($jwt);
@@ -126,20 +130,8 @@ public function validateAuthorization(ServerRequestInterface $request): ServerRe
         // Return the request with additional attributes
         return $request
             ->withAttribute('oauth_access_token_id', $claims->get('jti'))
-            ->withAttribute('oauth_client_id', $this->convertSingleRecordAudToString($claims->get('aud')))
+            ->withAttribute('oauth_client_id', $claims->get('aud')[0])
             ->withAttribute('oauth_user_id', $claims->get('sub'))
             ->withAttribute('oauth_scopes', $claims->get('scopes'));
     }
-
-    /**
-     * Convert single record arrays into strings to ensure backwards compatibility between v4 and v3.x of lcobucci/jwt
-     *
-     * TODO: Investigate as I don't think we need this any more
-     *
-     * @return array<string>|string
-     */
-    private function convertSingleRecordAudToString(mixed $aud): array|string
-    {
-        return is_array($aud) && count($aud) === 1 ? $aud[0] : $aud;
-    }
 }

src/Entities/AccessTokenEntityInterface.php

@@ -24,5 +24,5 @@ public function setPrivateKey(CryptKeyInterface $privateKey): void;
     /**
      * Generate a string representation of the access token.
      */
-    public function __toString(): string;
+    public function toString(): string;
 }

src/Entities/ClientEntityInterface.php

@@ -16,6 +16,8 @@ interface ClientEntityInterface
 {
     /**
      * Get the client's identifier.
+     *
+     * @return non-empty-string
      */
     public function getIdentifier(): string;
 

src/Entities/TokenInterface.php

@@ -24,7 +24,9 @@ public function getExpiryDateTime(): DateTimeImmutable;
 
     public function setExpiryDateTime(DateTimeImmutable $dateTime): void;
 
-    public function setUserIdentifier(string|int|null $identifier): void;
+     *
+     * @param non-empty-string $identifier
+    public function setUserIdentifier(string $identifier): void;
 
     public function getUserIdentifier(): string|int|null;
 

src/Entities/Traits/AccessTokenTrait.php

@@ -67,17 +67,15 @@ private function convertToJWT(): Token
             ->issuedAt(new DateTimeImmutable())
             ->canOnlyBeUsedAfter(new DateTimeImmutable())
             ->expiresAt($this->getExpiryDateTime())
-            ->relatedTo((string) $this->getUserIdentifier())
+            ->relatedTo($this->getUserIdentifier())
             ->withClaim('scopes', $this->getScopes())
             ->getToken($this->jwtConfiguration->signer(), $this->jwtConfiguration->signingKey());
     }
 
     /**
      * Generate a string representation from the access token
-     *
-     * TODO: Want to remove this function.
      */
-    public function __toString(): string
+    public function toString(): string
     {
         return $this->convertToJWT()->toString();
     }
@@ -86,12 +84,18 @@ abstract public function getClient(): ClientEntityInterface;
 
     abstract public function getExpiryDateTime(): DateTimeImmutable;
 
-    abstract public function getUserIdentifier(): string|int|null;
+    /**
+     * @return non-empty-string
+     */
+    abstract public function getUserIdentifier(): string;
 
     /**
      * @return ScopeEntityInterface[]
      */
     abstract public function getScopes(): array;
 
+    /**
+     * @return non-empty-string
+     */
     abstract public function getIdentifier(): string;
 }

src/Entities/Traits/EntityTrait.php

@@ -14,8 +14,14 @@
 
 trait EntityTrait
 {
+    /**
+     * @var non-empty-string
+     */
     protected string $identifier;
 
+    /**
+     * @return non-empty-string
+     */
     public function getIdentifier(): string
     {
         return $this->identifier;

src/Entities/Traits/TokenEntityTrait.php

@@ -27,7 +27,10 @@ trait TokenEntityTrait
 
     protected DateTimeImmutable $expiryDateTime;
 
-    protected string|int|null $userIdentifier = null;
+    /**
+     * @var non-empty-string
+     */
+    protected string $userIdentifier;
 
     protected ClientEntityInterface $client;
 
@@ -67,16 +70,19 @@ public function setExpiryDateTime(DateTimeImmutable $dateTime): void
 
     /**
      * Set the identifier of the user associated with the token.
+     * @param non-empty-string $identifier The identifier of the user
      */
-    public function setUserIdentifier(string|int|null $identifier): void
+    public function setUserIdentifier(string $identifier): void
     {
         $this->userIdentifier = $identifier;
     }
 
     /**
      * Get the token user's identifier.
+     *
+     * @return non-empty-string
      */
-    public function getUserIdentifier(): string|int|null
+    public function getUserIdentifier(): string
     {
         return $this->userIdentifier;
     }

src/EventEmitting/AbstractEvent.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\EventEmitting;
+
+use League\Event\HasEventName;
+use Psr\EventDispatcher\StoppableEventInterface;
+
+class AbstractEvent implements StoppableEventInterface, HasEventName
+{
+    private bool $propagationStopped = false;
+
+    public function __construct(private string $name)
+    {
+    }
+
+    public function eventName(): string
+    {
+        return $this->name;
+    }
+
+    /**
+     * Backwards compatibility method
+     *
+     * @deprecated use eventName instead
+     */
+    public function getName(): string
+    {
+        return $this->name;
+    }
+
+    public function isPropagationStopped(): bool
+    {
+        return $this->propagationStopped;
+    }
+
+    public function stopPropagation(): self
+    {
+        $this->propagationStopped = true;
+
+        return $this;
+    }
+}

src/EventEmitting/EmitterAwareInterface.php

@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\EventEmitting;
+
+interface EmitterAwareInterface
+{
+    public function getEmitter(): EventEmitter;
+
+    public function setEmitter(EventEmitter $emitter): self;
+}