chore: raise phpstan to level 7 and fix string validation

Ninerian · claude · Ninerian · commit 6a34427eba4a · 2025-10-29T15:00:18.000+01:00
- Updated phpstan.neon.dist to level 7 - Added non-empty-string validation for JWT library methods - Enhanced AbstractToken with proper string validation for claim names and keys - Fixed SSOToken and SSOTokenGenerator with empty string checks - Improved SessionHandlerTrait type handling for session_id() return values - Added proper class-string annotations in test files - Maintained backward compatibility while ensuring type safety Key improvements: - hasClaim/getClaim methods validate non-empty claim names - Key handling methods validate non-empty PEM strings and file paths - Session handling properly manages string|false vs string|null types - All string parameters validated before passing to strict library functions 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
@@ -1,5 +1,5 @@
 parameters:
-    level: 6
+    level: 7
     paths:
         - ./src
         - ./test
diff --git a/src/AbstractToken.php b/src/AbstractToken.php
@@ -95,6 +95,9 @@ protected function validateToken(): void
      */
     protected function hasClaim(string $claim): bool
     {
+        if (empty($claim)) {
+            return false;
+        }
         return $this->token->claims()->has($claim);
     }
 
@@ -114,6 +117,9 @@ protected function hasClaim(string $claim): bool
      */
     protected function getClaim(string $claim): mixed
     {
+        if (empty($claim)) {
+            return null;
+        }
         return $this->token->claims()->get($claim);
     }
 
@@ -137,12 +143,19 @@ protected function getAllClaims(): array
      */
     public static function base64ToPEMPublicKey(string $data): string
     {
+        if (empty($data)) {
+            throw new SSOException('Empty base64 data provided for PEM conversion.');
+        }
 
         $data = strtr($data, [
             "\r" => "",
             "\n" => "",
         ]);
 
+        if (empty($data)) {
+            throw new SSOException('Base64 data is empty after cleanup.');
+        }
+
         return
             "-----BEGIN PUBLIC KEY-----\n" .
             chunk_split($data, 64) .
@@ -191,12 +204,26 @@ public function getSignerKey(): Key
      */
     private function getKey(string $appSecret): Key
     {
+        // Ensure the app secret is not empty to satisfy strict non-empty-string requirements
+        if (!trim($appSecret)) {
+            throw new SSOException('Empty appSecret provided when creating signer key.');
+        }
+
         if (strpos($appSecret, '-----') === 0) {
+            if (empty($appSecret)) {
+                throw new SSOException('Empty PEM key provided.');
+            }
             $key = InMemory::plainText($appSecret);
         } elseif (strpos($appSecret, 'file://') === 0) {
+            if (empty($appSecret)) {
+                throw new SSOException('Empty file path provided.');
+            }
             $key = InMemory::file($appSecret);
         } else {
-            $key = InMemory::plainText(self::base64ToPEMPublicKey($appSecret));
+            $pem = self::base64ToPEMPublicKey($appSecret);
+            // After our validation in base64ToPEMPublicKey, we know $pem is non-empty
+            /** @var non-empty-string $pem */
+            $key = InMemory::plainText($pem);
         }
         return $key;
     }
diff --git a/src/SSOToken.php b/src/SSOToken.php
@@ -45,6 +45,10 @@ class SSOToken extends AbstractToken implements SharedClaimsInterface, SSODataCl
      */
     public function __construct(string $appSecret, string $tokenData, ?int $leeway = 0)
     {
+        if (empty($tokenData)) {
+            throw new SSOException('Parameter tokenData for SSOToken is empty.');
+        }
+
         $constrains = [
             new StrictValidAt(SystemClock::fromUTC(), $this->getLeewayInterval((int) $leeway)),
             new HasInstanceId(),
diff --git a/src/SSOTokenGenerator.php b/src/SSOTokenGenerator.php
@@ -43,6 +43,12 @@ class SSOTokenGenerator
     public static function createSignedTokenFromData(string $privateKey, array $tokenData, Signer $signer = null): string
     {
 
+        if (!trim($privateKey)) {
+            throw new \InvalidArgumentException('Parameter privateKey for token generation is empty.');
+        }
+
+        // After validation, we know $privateKey is non-empty
+        /** @var non-empty-string $privateKey */
         $config = Configuration::forSymmetricSigner($signer ?: new Sha256(), InMemory::plainText($privateKey));
         return self::buildToken($config, $tokenData)->toString();
     }
@@ -84,6 +90,9 @@ private static function buildToken(Configuration $config, array $tokenData): Tok
         );
 
         foreach ($claims as $claim => $value) {
+            if (empty($claim)) {
+                continue;
+            }
             $token = $token->withClaim($claim, $value);
         }
 
diff --git a/src/SessionHandling/SessionHandlerTrait.php b/src/SessionHandling/SessionHandlerTrait.php
@@ -31,13 +31,18 @@ trait SessionHandlerTrait
     /**
      * Open a session.
      *
-     * @param string|null $name of the session
-     * @param string|null $sessionId
+     * @param string $name of the session
+     * @param string $sessionId
      */
-    protected function openSession(?string $name, ?string $sessionId): void
+    protected function openSession(string $name = '', string $sessionId = ''): void
     {
         session_id($sessionId);
-        session_name($name);
+
+        // session_name expects a non-empty string; only set it when provided
+        if ($name !== '') {
+            session_name($name);
+        }
+
         session_start();
     }
 
@@ -130,7 +135,7 @@ public function destroySession(?string $sessionId = null): bool
         $sessionId = $sessionId ?: $this->sessionId;
 
         // save the current session
-        $currentId = session_id();
+        $currentId = session_id() ?: '';
         session_write_close();
 
         // switch to the target session and removes it
@@ -147,9 +152,11 @@ public function destroySession(?string $sessionId = null): bool
         return $result;
     }
 
-    private function createCompatibleSessionId(string $string): string
+    private function createCompatibleSessionId(?string $input = ''): string
     {
+        $string = $input ?? '';
         $notAllowedCharsPattern = '/[^a-zA-Z0-9,-]/';
-        return preg_replace($notAllowedCharsPattern, '-', $string);
+        $replaced = preg_replace($notAllowedCharsPattern, '-', $string);
+        return (string) $replaced;
     }
 }
diff --git a/test/PluginSessionTest.php b/test/PluginSessionTest.php
@@ -37,6 +37,7 @@ class PluginSessionTest extends TestCase
      * @var array<string,mixed>
      */
     private array $tokenData;
+    /** @var class-string<object> */
     private string $classname = PluginSession::class;
     private string $pluginId = 'testplugin';
     private string $pluginInstanceId;

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,12 @@ class SSOTokenGenerator`
`43`	`43`	`public static function createSignedTokenFromData(string $privateKey, array $tokenData, Signer $signer = null): string`
`44`	`44`	`{`
`45`	`45`
	`46`	`+ if (!trim($privateKey)) {`
	`47`	`+ throw new \InvalidArgumentException('Parameter privateKey for token generation is empty.');`
	`48`	`+ }`
	`49`	`+`
	`50`	`+ // After validation, we know $privateKey is non-empty`
	`51`	`+ /** @var non-empty-string $privateKey */`
`46`	`52`	`$config = Configuration::forSymmetricSigner($signer ?: new Sha256(), InMemory::plainText($privateKey));`
`47`	`53`	`return self::buildToken($config, $tokenData)->toString();`
`48`	`54`	`}`
`@@ -84,6 +90,9 @@ private static function buildToken(Configuration $config, array $tokenData): Tok`
`84`	`90`	`);`
`85`	`91`
`86`	`92`	`foreach ($claims as $claim => $value) {`
	`93`	`+ if (empty($claim)) {`
	`94`	`+ continue;`
	`95`	`+ }`
`87`	`96`	`$token = $token->withClaim($claim, $value);`
`88`	`97`	`}`
`89`	`98`