thephpleague · Sephster · May 13, 2024 · Apr 9, 2024 · Apr 14, 2024 · Apr 14, 2024
diff --git a/examples/src/Entities/UserEntity.php b/examples/src/Entities/UserEntity.php
@@ -19,8 +19,8 @@ class UserEntity implements UserEntityInterface
     /**
      * Return the user's identifier.
      */
-    public function getIdentifier(): mixed
+    public function getIdentifier(): string
     {
-        return 1;
+        return '1';
     }
 }
diff --git a/phpcs.xml.dist b/phpcs.xml.dist
@@ -14,6 +14,8 @@
     <file>tests</file>
     <file>examples</file>
 
+    <exclude-pattern>examples/vendor/*</exclude-pattern>
+
     <rule ref="PSR12">
         <exclude name="Generic.Files.LineLength.TooLong" />
     </rule>

diff --git a/src/Entities/RefreshTokenEntityInterface.php b/src/Entities/RefreshTokenEntityInterface.php
@@ -18,13 +18,17 @@ interface RefreshTokenEntityInterface
 {
     /**
      * Get the token's identifier.
+     *
+     * @return non-empty-string
      */
     public function getIdentifier(): string;
 
     /**
      * Set the token's identifier.
+     *
+     * @param non-empty-string $identifier
      */
-    public function setIdentifier(mixed $identifier): void;
+    public function setIdentifier(string $identifier): void;
 
     /**
      * Get the token's expiry date time.

diff --git a/src/Entities/ScopeEntityInterface.php b/src/Entities/ScopeEntityInterface.php
@@ -18,6 +18,8 @@ interface ScopeEntityInterface extends JsonSerializable
 {
     /**
      * Get the scope's identifier.
+     *
+     * @return non-empty-string
      */
     public function getIdentifier(): string;
 }
diff --git a/src/Entities/TokenInterface.php b/src/Entities/TokenInterface.php
@@ -18,13 +18,17 @@ interface TokenInterface
 {
     /**
      * Get the token's identifier.
+     *
+     * @return non-empty-string
      */
     public function getIdentifier(): string;
 
     /**
      * Set the token's identifier.
+     *
+     * @param non-empty-string $identifier
      */
-    public function setIdentifier(mixed $identifier): void;
+    public function setIdentifier(string $identifier): void;
 
     /**
      * Get the token's expiry date time.
@@ -45,8 +49,10 @@ public function setUserIdentifier(string $identifier): void;
 
     /**
      * Get the token user's identifier.
+     *
+     * @return non-empty-string|null
      */
-    public function getUserIdentifier(): string|int|null;
+    public function getUserIdentifier(): string|null;
 
     /**
      * Get the client that the token was issued to.

diff --git a/src/Entities/Traits/DeviceCodeTrait.php b/src/Entities/Traits/DeviceCodeTrait.php
@@ -59,6 +59,9 @@ abstract public function getExpiryDateTime(): DateTimeImmutable;
      */
     abstract public function getScopes(): array;
 
+    /**
+     * @return non-empty-string
+     */
     abstract public function getIdentifier(): string;
 
     public function getLastPolledAt(): ?DateTimeImmutable

diff --git a/src/Entities/Traits/EntityTrait.php b/src/Entities/Traits/EntityTrait.php
@@ -27,7 +27,10 @@ public function getIdentifier(): string
         return $this->identifier;
     }
 
-    public function setIdentifier(mixed $identifier): void
+    /**
+     * @param non-empty-string $identifier
+     */
+    public function setIdentifier(string $identifier): void
     {
         $this->identifier = $identifier;
     }

diff --git a/src/Entities/UserEntityInterface.php b/src/Entities/UserEntityInterface.php
@@ -16,6 +16,8 @@ interface UserEntityInterface
 {
     /**
      * Return the user's identifier.
+     *
+     * @return non-empty-string
      */
-    public function getIdentifier(): mixed;
+    public function getIdentifier(): string;
 }
diff --git a/src/Exception/OAuthServerException.php b/src/Exception/OAuthServerException.php
@@ -114,16 +114,16 @@ public static function invalidClient(ServerRequestInterface $serverRequest): sta
     /**
      * Invalid scope error
      */
-    public static function invalidScope(string $scope, string|null $redirectUri = null): static
+    public static function invalidScope(string $scopeId, string|null $redirectUri = null): static
     {
         $errorMessage = 'The requested scope is invalid, unknown, or malformed';
 
-        if ($scope === '') {
+        if ($scopeId === '') {
             $hint = 'Specify a scope in the request or set a default scope';
         } else {
             $hint = sprintf(
                 'Check the `%s` scope',
-                htmlspecialchars($scope, ENT_QUOTES, 'UTF-8', false)
+                htmlspecialchars($scopeId, ENT_QUOTES, 'UTF-8', false)
             );
         }
 

diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php
@@ -208,7 +208,7 @@ protected function getClientCredentials(ServerRequestInterface $request): array
 
         $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
 
-        if (is_null($clientId)) {
+        if (is_null($clientId) || !is_string($clientId)) {
             throw OAuthServerException::invalidRequest('client_id');
         }
 
@@ -218,6 +218,7 @@ protected function getClientCredentials(ServerRequestInterface $request): array
             throw OAuthServerException::invalidRequest('client_secret');
         }
 
+        /* @phpstan-ignore-next-line */
         return [$clientId, $clientSecret];
     }
 
@@ -286,8 +287,10 @@ private function convertScopesQueryStringToArray(string $scopes): array
 
     /**
      * Retrieve request parameter.
+     *
+     * @return string[]|string|null
      */
-    protected function getRequestParameter(string $parameter, ServerRequestInterface $request, mixed $default = null): mixed
+    protected function getRequestParameter(string $parameter, ServerRequestInterface $request, string $default = null): array|string|null
     {
         $requestParameters = (array) $request->getParsedBody();
 
@@ -330,23 +333,23 @@ protected function getBasicAuthCredentials(ServerRequestInterface $request): arr
     /**
      * Retrieve query string parameter.
      */
-    protected function getQueryStringParameter(string $parameter, ServerRequestInterface $request, mixed $default = null): ?string
+    protected function getQueryStringParameter(string $parameter, ServerRequestInterface $request, ?string $default = null): ?string
     {
         return isset($request->getQueryParams()[$parameter]) ? $request->getQueryParams()[$parameter] : $default;
     }
 
     /**
      * Retrieve cookie parameter.
      */
-    protected function getCookieParameter(string $parameter, ServerRequestInterface $request, mixed $default = null): ?string
+    protected function getCookieParameter(string $parameter, ServerRequestInterface $request, ?string $default = null): ?string
     {
         return isset($request->getCookieParams()[$parameter]) ? $request->getCookieParams()[$parameter] : $default;
     }
 
     /**
      * Retrieve server parameter.
      */
-    protected function getServerParameter(string $parameter, ServerRequestInterface $request, mixed $default = null): ?string
+    protected function getServerParameter(string $parameter, ServerRequestInterface $request, ?string $default = null): ?string
     {
         return isset($request->getServerParams()[$parameter]) ? $request->getServerParams()[$parameter] : $default;
     }
@@ -362,7 +365,7 @@ protected function getServerParameter(string $parameter, ServerRequestInterface
     protected function issueAccessToken(
         DateInterval $accessTokenTTL,
         ClientEntityInterface $client,
-        string|int|null $userIdentifier,
+        string|null $userIdentifier,
         array $scopes = []
     ): AccessTokenEntityInterface {
         $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
@@ -473,6 +476,8 @@ protected function issueRefreshToken(AccessTokenEntityInterface $accessToken): ?
     /**
      * Generate a new unique identifier.
      *
+     * @return non-empty-string
+     *
      * @throws OAuthServerException
      */
     protected function generateUniqueIdentifier(int $length = 40): string

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
@@ -138,6 +138,10 @@ public function respondToAccessTokenRequest(
             );
         }
 
+        if ($codeVerifier !== null && !is_string($codeVerifier)) {
+            throw OAuthServerException::invalidRequest('code_verifier');
+        }
+
         if (isset($authCodePayload->code_challenge)) {
             $this->validateCodeChallenge($authCodePayload, $codeVerifier);
         }

diff --git a/src/Grant/DeviceCodeGrant.php b/src/Grant/DeviceCodeGrant.php
@@ -80,7 +80,7 @@ public function respondToDeviceAuthorizationRequest(ServerRequestInterface $requ
             $this->getServerParameter('PHP_AUTH_USER', $request)
         );
 
-        if ($clientId === null) {
+        if ($clientId === null || !is_string($clientId)) {
             throw OAuthServerException::invalidRequest('client_id');
         }
 
@@ -153,10 +153,10 @@ public function respondToAccessTokenRequest(
         }
 
         // Finalize the requested scopes
-        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, (string) $deviceCodeEntity->getUserIdentifier());
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $deviceCodeEntity->getUserIdentifier());
 
         // Issue and persist new access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, (string) $deviceCodeEntity->getUserIdentifier(), $finalizedScopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $deviceCodeEntity->getUserIdentifier(), $finalizedScopes);
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
         $responseType->setAccessToken($accessToken);
 
@@ -180,7 +180,7 @@ protected function validateDeviceCode(ServerRequestInterface $request, ClientEnt
     {
         $deviceCode = $this->getRequestParameter('device_code', $request);
 
-        if (is_null($deviceCode)) {
+        if (is_null($deviceCode) || !is_string($deviceCode)) {
             throw OAuthServerException::invalidRequest('device_code');
         }
 

diff --git a/src/Grant/RefreshTokenGrant.php b/src/Grant/RefreshTokenGrant.php
@@ -53,6 +53,7 @@ public function respondToAccessTokenRequest(
         // Validate request
         $client = $this->validateClient($request);
         $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
+
         $scopes = $this->validateScopes(
             $this->getRequestParameter(
                 'scope',
@@ -103,6 +104,7 @@ public function respondToAccessTokenRequest(
     protected function validateOldRefreshToken(ServerRequestInterface $request, string $clientId): array
     {
         $encryptedRefreshToken = $this->getRequestParameter('refresh_token', $request);
+
         if (!is_string($encryptedRefreshToken)) {
             throw OAuthServerException::invalidRequest('refresh_token');
         }

diff --git a/src/Repositories/AccessTokenRepositoryInterface.php b/src/Repositories/AccessTokenRepositoryInterface.php
@@ -30,7 +30,7 @@ interface AccessTokenRepositoryInterface extends RepositoryInterface
     public function getNewToken(
         ClientEntityInterface $clientEntity,
         array $scopes,
-        mixed $userIdentifier = null
+        string|null $userIdentifier = null
     ): AccessTokenEntityInterface;
 
     /**

diff --git a/src/Repositories/ScopeRepositoryInterface.php b/src/Repositories/ScopeRepositoryInterface.php
@@ -39,7 +39,7 @@ public function finalizeScopes(
         array $scopes,
         string $grantType,
         ClientEntityInterface $clientEntity,
-        string|int|null $userIdentifier = null,
+        string|null $userIdentifier = null,
         ?string $authCodeId = null
     ): array;
 }
diff --git a/tests/Grant/AbstractGrantTest.php b/tests/Grant/AbstractGrantTest.php
@@ -96,38 +96,6 @@ public function testHttpBasicNoColon(): void
         self::assertSame([null, null], $basicAuthMethod->invoke($grantMock, $serverRequest));
     }
 
-    public function testGetClientCredentialsClientSecretNotAString(): void
-    {
-        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-
-        /** @var AbstractGrant $grantMock */
-        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
-        $grantMock->setClientRepository($clientRepositoryMock);
-
-        $abstractGrantReflection = new ReflectionClass($grantMock);
-
-        $serverRequest = new ServerRequest(
-            [],
-            [],
-            null,
-            'POST',
-            'php://input',
-            [],
-            [],
-            [],
-            [
-                'client_id'     => 'client_id',
-                'client_secret' => ['not', 'a', 'string'],
-            ]
-        );
-        $getClientCredentialsMethod = $abstractGrantReflection->getMethod('getClientCredentials');
-        $getClientCredentialsMethod->setAccessible(true);
-
-        $this->expectException(OAuthServerException::class);
-
-        $getClientCredentialsMethod->invoke($grantMock, $serverRequest, true, true);
-    }
-
     public function testValidateClientPublic(): void
     {
         $client = new ClientEntity();
@@ -432,7 +400,7 @@ public function testIssueAccessToken(): void
             $grantMock,
             new DateInterval('PT1H'),
             new ClientEntity(),
-            123,
+            '123',
             [new ScopeEntity()]
         );