Merge master into this branch

.gitattributes

@@ -12,4 +12,4 @@
 /CHANGELOG.md export-ignore
 /CONTRIBUTING.md export-ignore
 /README.md export-ignore
-
+/CODE_OF_CONDUCT.md export-ignore

.github/workflows/backwards-compatibility.yml

@@ -14,7 +14,8 @@ jobs:
         uses: "actions/checkout@v2"
         with:
           fetch-depth: 0
-
+      - name: Fix git safe.directory in container
+        run: mkdir -p /home/runner/work/_temp/_github_home && printf "[safe]\n\tdirectory = /github/workspace" > /home/runner/work/_temp/_github_home/.gitconfig
       - name: "Backwards Compatibility Check"
         uses: docker://nyholm/roave-bc-check-ga
         with:

.github/workflows/tests.yml

@@ -8,19 +8,29 @@ on:
 
 jobs:
   tests:
-    runs-on: ubuntu-latest
-
     strategy:
       fail-fast: false
       matrix:
-        php: [7.2, 7.3, 7.4, 8.0]
+        php: [8.1, 8.2]
+        os: [ubuntu-22.04]
         stability: [prefer-lowest, prefer-stable]
+        include:
+          - os: ubuntu-20.04
+            php: 8.0
+            stability: prefer-lowest
+          - os: ubuntu-20.04
+            php: 8.0
+            stability: prefer-stable
+
+    runs-on: ${{ matrix.os }}
 
     name: PHP ${{ matrix.php }} - ${{ matrix.stability }}
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+        with: 
+          fetch-depth: 0
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
@@ -30,13 +40,17 @@ jobs:
           coverage: pcov
 
       - name: Install dependencies
-        run: composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-progress
+        run:
+          composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-progress
+
+      - name: Install Scrutinizer/Ocular
+        run:
+          composer global require scrutinizer/ocular
 
       - name: Execute tests
         run: vendor/bin/phpunit --verbose --coverage-clover=coverage.clover
 
       - name: Code coverage
-        if: ${{ github.ref == 'refs/heads/master' && matrix.php != 8.0 && github.repository == 'thephpleague/oauth2-server' }}
-        run: |
-          wget https://scrutinizer-ci.com/ocular.phar
-          php ocular.phar code-coverage:upload --format=php-clover coverage.clover
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' }}
+        run:
+          ~/.composer/vendor/bin/ocular code-coverage:upload --format=php-clover coverage.clover

CHANGELOG.md

@@ -17,6 +17,56 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Authorization Request objects are now created through the factory method, `createAuthorizationRequest()` (PR #1111)
 - Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
 
+## [8.5.4] - released 2023-08-25
+### Added
+- Support for league/uri ^7.0 (PR #1367)
+
+## [8.5.3] - released 2023-07-06
+### Security
+- If a key string is provided to the CryptKey constructor with an invalid 
+passphrase, the LogicException message generated will expose the given key. 
+The key is no longer leaked via this exception (PR #1353)
+
+## [8.5.2] - released 2023-06-16
+### Changed
+- Bumped the versions for laminas/diactoros and psr/http-message to support 
+PSR-7 v2.0 (PR #1339)
+
+## [8.5.1] - released 2023-04-04
+### Fixed
+- Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)
+
+## [8.5.0] - released 2023-04-03
+### Added
+- Support for PHP 8.1 and 8.2 (PR #1333)
+
+### Removed
+- Support PHP 7.2, 7.3, and 7.4 (PR #1333)
+
+## [8.4.1] - released 2023-03-22
+### Fixed
+- Fix deprecation notices for PHP 8.x (PR #1329)
+
+## [8.4.0] - released 2023-02-15
+### Added
+- You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
+
+### Security
+- Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
+a PKCE downgrade attack (PR #1326)
+
+## [8.3.6] - released 2022-11-14
+### Fixed
+- Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
+
+## [8.3.5] - released 2022-05-12
+### Fixed
+- Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid [new empty string exception](https://github.com/lcobucci/jwt/pull/833) thrown by lcobucci/jwt (PR #1282)
+
+## [8.3.4] - released 2022-04-07
+### Fixed
+- Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)
+
 ## [8.3.3] - released 2021-10-11
 ### Security
 - Removed the use of `LocalFileReference()` in lcobucci/jwt. Function deprecated as per [GHSA-7322-jrq4-x5hf](https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf) (PR #1249)
@@ -566,7 +616,17 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.3.3...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.5.4...HEAD
+[8.5.4]: https://github.com/thephpleague/oauth2-server/compare/8.5.3...8.5.4
+[8.5.3]: https://github.com/thephpleague/oauth2-server/compare/8.5.2...8.5.3
+[8.5.2]: https://github.com/thephpleague/oauth2-server/compare/8.5.1...8.5.2
+[8.5.1]: https://github.com/thephpleague/oauth2-server/compare/8.5.0...8.5.1
+[8.5.0]: https://github.com/thephpleague/oauth2-server/compare/8.4.1...8.5.0
+[8.4.1]: https://github.com/thephpleague/oauth2-server/compare/8.4.0...8.4.1
+[8.4.0]: https://github.com/thephpleague/oauth2-server/compare/8.3.6...8.4.0
+[8.3.6]: https://github.com/thephpleague/oauth2-server/compare/8.3.5...8.3.6
+[8.3.5]: https://github.com/thephpleague/oauth2-server/compare/8.3.4...8.3.5
+[8.3.4]: https://github.com/thephpleague/oauth2-server/compare/8.3.3...8.3.4
 [8.3.3]: https://github.com/thephpleague/oauth2-server/compare/8.3.2...8.3.3
 [8.3.2]: https://github.com/thephpleague/oauth2-server/compare/8.3.1...8.3.2
 [8.3.1]: https://github.com/thephpleague/oauth2-server/compare/8.3.0...8.3.1

README.md

@@ -30,10 +30,9 @@ This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](ht
 
 The latest version of this package supports the following versions of PHP:
 
-* PHP 7.2
-* PHP 7.3
-* PHP 7.4
 * PHP 8.0
+* PHP 8.1
+* PHP 8.2
 
 The `openssl` and `json` extensions are also required.
 

composer.json

@@ -4,17 +4,18 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "^7.2 || ^8.0",
+        "php": "^8.0",
         "ext-openssl": "*",
         "league/event": "^2.2",
-        "lcobucci/jwt": "^3.4.6 || ^4.0.4",
-        "psr/http-message": "^1.0.1",
-        "defuse/php-encryption": "^2.2.1",
-        "ext-json": "*"
+        "league/uri": "^6.7 || ^7.0",
+        "lcobucci/jwt": "^4.3 || ^5.0",
+        "psr/http-message": "^1.0.1 || ^2.0",
+        "defuse/php-encryption": "^2.3",
+        "lcobucci/clock": "^2.2 || ^3.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^8.5.13",
-        "laminas/laminas-diactoros": "^2.4.1",
+        "phpunit/phpunit": "^9.6.6",
+        "laminas/laminas-diactoros": "^3.0.0",
         "phpstan/phpstan": "^0.12.57",
         "phpstan/phpstan-phpunit": "^0.12.16",
         "roave/security-advisories": "dev-master"