Merge pull request #939 from Slamdunk/no_empty

Remove empty Signer, empty Key, empty Signature, empty `string`s
lcobucci · Nov 8, 2022 · 0aa6537 · 0aa6537
2 parents e4b1bf9 + aaccee1
commit 0aa6537
Show file tree

Hide file tree

Showing 63 changed files with 489 additions and 383 deletions.
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ vendor/composer/installed.json: composer.json composer.lock
 
 .PHONY: phpunit
 phpunit:
-	@php -d assert.exception=1 -d zend.assertions=1 vendor/bin/phpunit
+	@php -d assert.exception=1 -d zend.assertions=1 vendor/bin/phpunit $(PHPUNIT_FLAGS)
 
 .PHONY: infection
 infection:

diff --git a/composer.json b/composer.json
@@ -33,6 +33,7 @@
         "phpstan/phpstan-deprecation-rules": "^1.0",
         "phpstan/phpstan-phpunit": "^1.2",
         "phpstan/phpstan-strict-rules": "^1.4",
+        "phpunit/php-code-coverage": "9.2.17",
         "phpunit/phpunit": "^9.5"
     },
     "autoload": {

diff --git a/composer.lock b/composer.lock
diff --git a/docs/supported-algorithms.md b/docs/supported-algorithms.md
@@ -36,4 +36,10 @@ They're usually recommended for scenarios where creation is handled by a compone
 | `RS512` | RSASSA-PKCS1-v1_5 using SHA-512 | `\Lcobucci\JWT\Signer\Rsa\Sha512`   | `>= 2048 bits`  |
 | `EdDSA` | EdDSA signature algorithms      | `\Lcobucci\JWT\Signer\Eddsa`        | `>= 256 bits`   |
 
+## `none` algorithm
+
+The `none` algorithm as described by [JWT standard] is intentionally not implemented and not supported.
+The risk of misusing it is too high, and even where other means guarantee the token validity a symmetric algorithm
+shouldn't represent a computational bottleneck with modern hardware.
+
 [JWT standard]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
@@ -3,21 +3,3 @@ parameters:
     paths:
         - src
         - tests
-
-    ignoreErrors:
-        - """
-            #^Call to deprecated method fromEmptyData\\(\\) of class Lcobucci\\\\JWT\\\\Token\\\\Signature:
-            Deprecated since v4\\.3$#
-        """
-        - """
-            #^Call to deprecated method forUnsecuredSigner\\(\\) of class Lcobucci\\\\JWT\\\\Configuration:
-            Deprecated since v4\\.3$#
-        """
-        - """
-            #^Call to deprecated method empty\\(\\) of class Lcobucci\\\\JWT\\\\Signer\\\\Key\\\\InMemory:
-            Deprecated since v4\\.3$#
-        """
-        - """
-            #^.+ of deprecated class Lcobucci\\\\JWT\\\\Signer\\\\None:
-            Deprecated since v4\\.3$#
-        """
diff --git a/src/Builder.php b/src/Builder.php
@@ -15,6 +15,8 @@ interface Builder
 {
     /**
      * Appends new items to audience
+     *
+     * @param non-empty-string ...$audiences
      */
     public function permittedFor(string ...$audiences): Builder;
 
@@ -25,6 +27,8 @@ public function expiresAt(DateTimeImmutable $expiration): Builder;
 
     /**
      * Configures the token id
+     *
+     * @param non-empty-string $id
      */
     public function identifiedBy(string $id): Builder;
 
@@ -35,6 +39,8 @@ public function issuedAt(DateTimeImmutable $issuedAt): Builder;
 
     /**
      * Configures the issuer
+     *
+     * @param non-empty-string $issuer
      */
     public function issuedBy(string $issuer): Builder;
 
@@ -45,17 +51,23 @@ public function canOnlyBeUsedAfter(DateTimeImmutable $notBefore): Builder;
 
     /**
      * Configures the subject
+     *
+     * @param non-empty-string $subject
      */
     public function relatedTo(string $subject): Builder;
 
     /**
      * Configures a header item
+     *
+     * @param non-empty-string $name
      */
     public function withHeader(string $name, mixed $value): Builder;
 
     /**
      * Configures a claim item
      *
+     * @param non-empty-string $name
+     *
      * @throws RegisteredClaimGiven When trying to set a registered claim.
      */
     public function withClaim(string $name, mixed $value): Builder;

diff --git a/src/ClaimsFormatter.php b/src/ClaimsFormatter.php
@@ -6,9 +6,9 @@
 interface ClaimsFormatter
 {
     /**
-     * @param array<string, mixed> $claims
+     * @param array<non-empty-string, mixed> $claims
      *
-     * @return array<string, mixed>
+     * @return array<non-empty-string, mixed>
      */
     public function formatClaims(array $claims): array;
 }
diff --git a/src/Configuration.php b/src/Configuration.php
@@ -7,8 +7,6 @@
 use Lcobucci\JWT\Encoding\ChainedFormatter;
 use Lcobucci\JWT\Encoding\JoseEncoder;
 use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\Signer\Key\InMemory;
-use Lcobucci\JWT\Signer\None;
 use Lcobucci\JWT\Validation\Constraint;
 
 /**
@@ -74,22 +72,6 @@ public static function forSymmetricSigner(
         );
     }
 
-    /** @deprecated Deprecated since v4.3 */
-    public static function forUnsecuredSigner(
-        Encoder $encoder = new JoseEncoder(),
-        Decoder $decoder = new JoseEncoder(),
-    ): self {
-        $key = InMemory::empty();
-
-        return new self(
-            new None(),
-            $key,
-            $key,
-            $encoder,
-            $decoder,
-        );
-    }
-
     /** @param callable(ClaimsFormatter): Builder $builderFactory */
     public function setBuilderFactory(callable $builderFactory): void
     {

diff --git a/src/Decoder.php b/src/Decoder.php
@@ -10,6 +10,8 @@ interface Decoder
     /**
      * Decodes from JSON, validating the errors
      *
+     * @param non-empty-string $json
+     *
      * @throws CannotDecodeContent When something goes wrong while decoding.
      */
     public function jsonDecode(string $json): mixed;
@@ -19,6 +21,8 @@ public function jsonDecode(string $json): mixed;
      *
      * @link http://tools.ietf.org/html/rfc4648#section-5
      *
+     * @return ($data is non-empty-string ? non-empty-string : string)
+     *
      * @throws CannotDecodeContent When something goes wrong while decoding.
      */
     public function base64UrlDecode(string $data): string;

diff --git a/src/Encoder.php b/src/Encoder.php
@@ -10,6 +10,8 @@ interface Encoder
     /**
      * Encodes to JSON, validating the errors
      *
+     * @return non-empty-string
+     *
      * @throws CannotEncodeContent When something goes wrong while encoding.
      */
     public function jsonEncode(mixed $data): string;
@@ -18,6 +20,8 @@ public function jsonEncode(mixed $data): string;
      * Encodes to base64url
      *
      * @link http://tools.ietf.org/html/rfc4648#section-5
+     *
+     * @return ($data is non-empty-string ? non-empty-string : string)
      */
     public function base64UrlEncode(string $data): string;
 }
diff --git a/src/Encoding/JoseEncoder.php b/src/Encoding/JoseEncoder.php
@@ -8,6 +8,7 @@
 use Lcobucci\JWT\Encoder;
 use Lcobucci\JWT\SodiumBase64Polyfill;
 
+use function assert;
 use function json_decode;
 use function json_encode;
 
@@ -23,10 +24,14 @@ final class JoseEncoder implements Encoder, Decoder
     public function jsonEncode(mixed $data): string
     {
         try {
-            return json_encode($data, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
+            $jsonEncoded = json_encode($data, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
         } catch (JsonException $exception) {
             throw CannotEncodeContent::jsonIssues($exception);
         }
+
+        assert($jsonEncoded !== '');
+
+        return $jsonEncoded;
     }
 
     public function jsonDecode(string $json): mixed