Merge pull request #38 from Staffbase/code-cleanup-pt2

Ninerian · web-flow · commit 5e8e1905b42a · 2026-04-01T16:31:54.000+02:00
refactor: Code cleanup Pt2
diff --git a/.gitignore b/.gitignore
@@ -40,4 +40,3 @@ phpcs.xml
 /vendor/*
 /wpcs/*
 
-!/.gitignore
diff --git a/.php-cs-fixer.dist.php b/.php-cs-fixer.dist.php
@@ -6,7 +6,6 @@
 
 return (new PhpCsFixer\Config())
     ->setRules([
-        '@PHP8x4Migration' => true,
         '@PER-CS' => true,
         'array_syntax' => ['syntax' => 'short'],
         'declare_strict_types' => true,
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
@@ -1,5 +1,5 @@
 parameters:
-    level: 5
+    level: 7
     paths:
         - ./src
         - ./test
diff --git a/src/AbstractToken.php b/src/AbstractToken.php
@@ -25,6 +25,9 @@ abstract class AbstractToken
 
     private Configuration $config;
 
+    /**
+     * @var Constraint[]
+     */
     private array $constraints;
 
     /**
@@ -92,6 +95,9 @@ protected function validateToken(): void
      */
     protected function hasClaim(string $claim): bool
     {
+        if (empty($claim)) {
+            return false;
+        }
         return $this->token->claims()->has($claim);
     }
 
@@ -102,13 +108,25 @@ protected function hasClaim(string $claim): bool
      *
      * @return mixed
      */
-    protected function getClaim(string $claim)
+    /**
+     * Get a claim without checking for existence.
+     *
+     * @param string $claim name.
+     *
+     * @return mixed
+     */
+    protected function getClaim(string $claim): mixed
     {
+        if (empty($claim)) {
+            return null;
+        }
         return $this->token->claims()->get($claim);
     }
 
     /**
      * Get an array of all available claims and their values.
+     *
+     * @return array<string, mixed>
      */
     protected function getAllClaims(): array
     {
@@ -125,12 +143,19 @@ protected function getAllClaims(): array
      */
     public static function base64ToPEMPublicKey(string $data): string
     {
+        if (empty($data)) {
+            throw new SSOException('Empty base64 data provided for PEM conversion.');
+        }
 
         $data = strtr($data, [
             "\r" => "",
             "\n" => "",
         ]);
 
+        if (empty($data)) {
+            throw new SSOException('Base64 data is empty after cleanup.');
+        }
+
         return
             "-----BEGIN PUBLIC KEY-----\n"
             . chunk_split($data, 64)
@@ -179,12 +204,26 @@ public function getSignerKey(): Key
      */
     private function getKey(string $appSecret): Key
     {
+        // Ensure the app secret is not empty to satisfy strict non-empty-string requirements
+        if (!trim($appSecret)) {
+            throw new SSOException('Empty appSecret provided when creating signer key.');
+        }
+
         if (strpos($appSecret, '-----') === 0) {
+            if (empty($appSecret)) {
+                throw new SSOException('Empty PEM key provided.');
+            }
             $key = InMemory::plainText($appSecret);
         } elseif (strpos($appSecret, 'file://') === 0) {
+            if (empty($appSecret)) {
+                throw new SSOException('Empty file path provided.');
+            }
             $key = InMemory::file($appSecret);
         } else {
-            $key = InMemory::plainText(self::base64ToPEMPublicKey($appSecret));
+            $pem = self::base64ToPEMPublicKey($appSecret);
+            // After our validation in base64ToPEMPublicKey, we know $pem is non-empty
+            /** @var non-empty-string $pem */
+            $key = InMemory::plainText($pem);
         }
         return $key;
     }
diff --git a/src/RemoteCall/AbstractRemoteCallHandler.php b/src/RemoteCall/AbstractRemoteCallHandler.php
@@ -30,7 +30,7 @@ abstract class AbstractRemoteCallHandler implements RemoteCallInterface
      *
      * This will tell Staffbase that everything went OK.
      */
-    public function exitSuccess()
+    public function exitSuccess(): void
     {
         header("HTTP/1.1 200 OK");
         exit;
@@ -41,7 +41,7 @@ public function exitSuccess()
      *
      * This will tell Staffbase that it should try again later.
      */
-    public function exitFailure()
+    public function exitFailure(): void
     {
         header('HTTP/1.1 500 Internal Server Error');
         exit;
diff --git a/src/RemoteCall/RemoteCallInterface.php b/src/RemoteCall/RemoteCallInterface.php
@@ -29,12 +29,12 @@ interface RemoteCallInterface
      *
      * This will tell Staffbase that everything went OK.
      */
-    public function exitSuccess();
+    public function exitSuccess(): void;
 
     /**
      * Stop the execution by providing a non 2XX HTTP response
      *
      * This will tell Staffbase that it should try again later.
      */
-    public function exitFailure();
+    public function exitFailure(): void;
 }
diff --git a/src/SSOData/ClaimAccessTrait.php b/src/SSOData/ClaimAccessTrait.php
@@ -40,7 +40,7 @@ abstract protected function getClaim(string $claim);
     /**
      * Get an array of all available claims and their values.
      *
-     * @return array
+     * @return array<string, mixed>
      */
     abstract protected function getAllClaims(): array;
 
diff --git a/src/SSOData/SSODataTrait.php b/src/SSOData/SSODataTrait.php
@@ -198,7 +198,7 @@ public function getLocale(): string
     /**
      * Get the user tags.
      *
-     * @return array|null
+     * @return array<mixed>|null
      */
     public function getTags(): ?array
     {
diff --git a/src/SSOData/SharedDataTrait.php b/src/SSOData/SharedDataTrait.php
@@ -36,7 +36,7 @@ trait SharedDataTrait
      */
     public function getAudience(): ?string
     {
-        /** @var array|string|null $audience */
+        /** @var array<string>|string|null $audience */
         $audience = $this->getClaimSafe(SharedClaimsInterface::CLAIM_AUDIENCE);
 
         if (is_array($audience)) {
@@ -127,7 +127,7 @@ public function getRole(): ?string
     /**
      * Get all stored data.
      *
-     * @return array
+     * @return array<string,mixed>
      */
     public function getData(): array
     {
diff --git a/src/SSOToken.php b/src/SSOToken.php
@@ -45,6 +45,10 @@ class SSOToken extends AbstractToken implements SharedClaimsInterface, SSODataCl
      */
     public function __construct(string $appSecret, string $tokenData, ?int $leeway = 0)
     {
+        if (empty($tokenData)) {
+            throw new SSOException('Parameter tokenData for SSOToken is empty.');
+        }
+
         $constrains = [
             new StrictValidAt(SystemClock::fromUTC(), $this->getLeewayInterval((int) $leeway)),
             new HasInstanceId(),
diff --git a/src/SSOTokenGenerator.php b/src/SSOTokenGenerator.php
@@ -25,26 +25,28 @@
 class SSOTokenGenerator
 {
     /**
-     * Create a signed token from an array.
-     *
-     * Can be used in development in conjunction with getTokenData.
-     *
      * @param string $privateKey private key
-     * @param array $tokenData associative array of claims
+     * @param array<string,mixed> $tokenData associative array of claims
      * @param Signer|null $signer the Signer instance to sign the token, defaults to SHA256
      *
      * @return string Encoded token.
      */
     public static function createSignedTokenFromData(string $privateKey, array $tokenData, ?Signer $signer = null): string
     {
 
+        if (!trim($privateKey)) {
+            throw new \InvalidArgumentException('Parameter privateKey for token generation is empty.');
+        }
+
+        // After validation, we know $privateKey is non-empty
+        /** @var non-empty-string $privateKey */
         $config = Configuration::forSymmetricSigner($signer ?: new Sha256(), InMemory::plainText($privateKey));
         return self::buildToken($config, $tokenData)->toString();
     }
 
     /**
      * @param Configuration $config
-     * @param array $tokenData
+     * @param array<string,mixed> $tokenData
      * @return Token
      */
     private static function buildToken(Configuration $config, array $tokenData): Token
@@ -76,6 +78,9 @@ private static function buildToken(Configuration $config, array $tokenData): Tok
         );
 
         foreach ($claims as $claim => $value) {
+            if (empty($claim)) {
+                continue;
+            }
             $token = $token->withClaim($claim, $value);
         }
 
diff --git a/src/SessionHandling/SessionHandlerTrait.php b/src/SessionHandling/SessionHandlerTrait.php
@@ -6,8 +6,10 @@
  * Trait to handle a php session. Opening, closing and destroying the session.
  * Accessing variables, stored in the session.
  *
+ * PHP version 7.4
+ *
  * @category  SessionHandling
- * @copyright 2017-2025 Staffbase SE.
+ * @copyright 2017-2022 Staffbase, GmbH.
  * @author    Daniel Grosse
  * @license   http://www.apache.org/licenses/LICENSE-2.0
  * @link      https://github.com/staffbase/plugins-sdk-php
@@ -29,13 +31,18 @@ trait SessionHandlerTrait
     /**
      * Open a session.
      *
-     * @param string|null $name of the session
-     * @param string|null $sessionId
+     * @param string $name of the session
+     * @param string $sessionId
      */
-    protected function openSession(?string $name, ?string $sessionId): void
+    protected function openSession(string $name = '', string $sessionId = ''): void
     {
         session_id($sessionId);
-        session_name($name);
+
+        // session_name expects a non-empty string; only set it when provided
+        if ($name !== '') {
+            session_name($name);
+        }
+
         session_start();
     }
 
@@ -50,25 +57,25 @@ protected function closeSession(): void
     /**
      * Checks if the given key is set
      *
-     * @param mixed $key
+     * @param string $key
      * @param string|null $parentKey
      *
      * @return bool
      */
-    public function hasSessionVar($key, ?string $parentKey = null): bool
+    public function hasSessionVar(string $key, ?string $parentKey = null): bool
     {
         return isset($_SESSION[$this->pluginInstanceId][$parentKey ?? self::$KEY_DATA][$key]);
     }
 
     /**
      * Get a previously set session variable.
      *
-     * @param mixed $key
+     * @param string $key
      * @param string|null $parentKey
      *
      * @return mixed|null
      */
-    public function getSessionVar($key, ?string $parentKey = null)
+    public function getSessionVar(string $key, ?string $parentKey = null)
     {
         return $_SESSION[$this->pluginInstanceId][$parentKey ?? self::$KEY_DATA][$key] ?? null;
     }
@@ -78,7 +85,7 @@ public function getSessionVar($key, ?string $parentKey = null)
      *
      * @param string|null $parentKey
      *
-     * @return array
+     * @return array<string,mixed>
      */
     public function getSessionData(?string $parentKey = null): array
     {
@@ -92,7 +99,10 @@ public function getSessionData(?string $parentKey = null): array
      * @param string|null $parentKey
      *
      */
-    public function setSessionData($data, ?string $parentKey = null): void
+    /**
+     * @param array<string,mixed> $data
+     */
+    public function setSessionData(array $data, ?string $parentKey = null): void
     {
         $_SESSION[$this->pluginInstanceId][$parentKey ?? self::$KEY_DATA] = $data;
     }
@@ -104,7 +114,11 @@ public function setSessionData($data, ?string $parentKey = null): void
      * @param mixed $val
      * @param string|null $parentKey
      */
-    public function setSessionVar($key, $val, ?string $parentKey = null): void
+    /**
+     * @param string $key
+     * @param mixed $val
+     */
+    public function setSessionVar(string $key, mixed $val, ?string $parentKey = null): void
     {
         $_SESSION[$this->pluginInstanceId][$parentKey ?? self::$KEY_DATA][$key] = $val;
     }
@@ -116,12 +130,12 @@ public function setSessionVar($key, $val, ?string $parentKey = null): void
      * @param String|null $sessionId
      * @return bool true on success or false on failure.
      */
-    public function destroySession(?String $sessionId = null): bool
+    public function destroySession(?string $sessionId = null): bool
     {
         $sessionId = $sessionId ?: $this->sessionId;
 
         // save the current session
-        $currentId = session_id();
+        $currentId = session_id() ?: '';
         session_write_close();
 
         // switch to the target session and removes it
@@ -138,9 +152,11 @@ public function destroySession(?String $sessionId = null): bool
         return $result;
     }
 
-    private function createCompatibleSessionId(String $string): String
+    private function createCompatibleSessionId(?string $input = ''): string
     {
+        $string = $input ?? '';
         $notAllowedCharsPattern = '/[^a-zA-Z0-9,-]/';
-        return preg_replace($notAllowedCharsPattern, '-', $string);
+        $replaced = preg_replace($notAllowedCharsPattern, '-', $string);
+        return (string) $replaced;
     }
 }
diff --git a/src/SessionHandling/SessionTokenDataTrait.php b/src/SessionHandling/SessionTokenDataTrait.php
diff --git a/test/PluginSessionTest.php b/test/PluginSessionTest.php
diff --git a/test/SSOData/SSODataTest.php b/test/SSOData/SSODataTest.php
diff --git a/test/SSOTestData.php b/test/SSOTestData.php
diff --git a/test/SSOTokenTest.php b/test/SSOTokenTest.php

Original file line number	Diff line number	Diff line change
`@@ -40,4 +40,3 @@ phpcs.xml`
`40`	`40`	`/vendor/*`
`41`	`41`	`/wpcs/*`
`42`	`42`
`43`		`-!/.gitignore`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ abstract class AbstractRemoteCallHandler implements RemoteCallInterface`
`30`	`30`	`*`
`31`	`31`	`* This will tell Staffbase that everything went OK.`
`32`	`32`	`*/`
`33`		`- public function exitSuccess()`
	`33`	`+ public function exitSuccess(): void`
`34`	`34`	`{`
`35`	`35`	`header("HTTP/1.1 200 OK");`
`36`	`36`	`exit;`
`@@ -41,7 +41,7 @@ public function exitSuccess()`
`41`	`41`	`*`
`42`	`42`	`* This will tell Staffbase that it should try again later.`
`43`	`43`	`*/`
`44`		`- public function exitFailure()`
	`44`	`+ public function exitFailure(): void`
`45`	`45`	`{`
`46`	`46`	`header('HTTP/1.1 500 Internal Server Error');`
`47`	`47`	`exit;`
Original file line number	Diff line number	Diff line change
`@@ -29,12 +29,12 @@ interface RemoteCallInterface`
`29`	`29`	`*`
`30`	`30`	`* This will tell Staffbase that everything went OK.`
`31`	`31`	`*/`
`32`		`- public function exitSuccess();`
	`32`	`+ public function exitSuccess(): void;`
`33`	`33`
`34`	`34`	`/**`
`35`	`35`	`* Stop the execution by providing a non 2XX HTTP response`
`36`	`36`	`*`
`37`	`37`	`* This will tell Staffbase that it should try again later.`
`38`	`38`	`*/`
`39`		`- public function exitFailure();`
	`39`	`+ public function exitFailure(): void;`
`40`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ abstract protected function getClaim(string $claim);`
`40`	`40`	`/**`
`41`	`41`	`* Get an array of all available claims and their values.`
`42`	`42`	`*`
`43`		`- * @return array`
	`43`	`+ * @return array<string, mixed>`
`44`	`44`	`*/`
`45`	`45`	`abstract protected function getAllClaims(): array;`
`46`	`46`
Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,7 @@ public function getLocale(): string`
`198`	`198`	`/**`
`199`	`199`	`* Get the user tags.`
`200`	`200`	`*`
`201`		`- * @return array\|null`
	`201`	`+ * @return array<mixed>\|null`
`202`	`202`	`*/`
`203`	`203`	`public function getTags(): ?array`
`204`	`204`	`{`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ trait SharedDataTrait`
`36`	`36`	`*/`
`37`	`37`	`public function getAudience(): ?string`
`38`	`38`	`{`
`39`		`- /** @var array\|string\|null $audience */`
	`39`	`+ /** @var array<string>\|string\|null $audience */`
`40`	`40`	`$audience = $this->getClaimSafe(SharedClaimsInterface::CLAIM_AUDIENCE);`
`41`	`41`
`42`	`42`	`if (is_array($audience)) {`
`@@ -127,7 +127,7 @@ public function getRole(): ?string`
`127`	`127`	`/**`
`128`	`128`	`* Get all stored data.`
`129`	`129`	`*`
`130`		`- * @return array`
	`130`	`+ * @return array<string,mixed>`
`131`	`131`	`*/`
`132`	`132`	`public function getData(): array`
`133`	`133`	`{`