Dynamic analysis for Auth calls

phpcs.xml

@@ -25,11 +25,11 @@
     <file>src/</file>
     <file>tests</file>
     <exclude-pattern>cache/</exclude-pattern>
-    <exclude-pattern>tests/Application/</exclude-pattern>
     <exclude-pattern>tests/_run/</exclude-pattern>
     <exclude-pattern>tests/Acceptance/_output</exclude-pattern>
     <exclude-pattern>tests/Acceptance/_run</exclude-pattern>
     <exclude-pattern>tests/Acceptance/_support</exclude-pattern>
     <exclude-pattern>tests/Acceptance/Support/</exclude-pattern><!-- This code mostly copy-paste from https://github.com/psalm/codeception-psalm-module and thus may have different coding-style rules -->
+    <exclude-pattern>tests/Application/</exclude-pattern>
     <exclude-pattern>tests/Unit/Handlers/Eloquent/Schema/migrations</exclude-pattern>
 </ruleset>

src/Handlers/Auth/AuthConfigHelper.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Psalm\LaravelPlugin\Handlers\Auth;
+
+use Psalm\LaravelPlugin\Providers\ConfigRepositoryProvider;
+
+use function is_string;
+
+final class AuthConfigHelper
+{
+    /**
+     * @psalm-suppress MoreSpecificReturnType
+     * @return class-string<\Illuminate\Contracts\Auth\Authenticatable&\Illuminate\Database\Eloquent\Model>|null
+     */
+    public static function getAuthModel(string $guard): ?string
+    {
+        $config = ConfigRepositoryProvider::get();
+
+        if ($guard === 'default') {
+            /** @psalm-suppress MixedAssignment */
+            $guard = $config->get('auth.defaults.guard');
+            if (! is_string($guard)) {
+                return null;
+            }
+        }
+
+        $provider = $config->get("auth.guards.$guard.provider");
+        if (! is_string($provider) || $provider === '') {
+            return null;
+        }
+
+        if ($config->get("auth.providers.$provider.driver") !== 'eloquent') {
+            return null;
+        }
+
+        /** @psalm-suppress MixedAssignment */
+        $model_fqcn = $config->get("auth.providers.$provider.model");
+        if (is_string($model_fqcn)) {
+            /** @psalm-suppress LessSpecificReturnStatement */
+            return $model_fqcn;
+        }
+
+        return null;
+    }
+}

src/Handlers/Auth/AuthHandler.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Psalm\LaravelPlugin\Handlers\Auth;
+
+use Psalm\Plugin\EventHandler\Event\MethodReturnTypeProviderEvent;
+use Psalm\Plugin\EventHandler\MethodReturnTypeProviderInterface;
+use Psalm\Type;
+
+use function in_array;
+
+/**
+ * Handles cases (methods that return Authenticatable instance) [when called, "default" guard is used]:
+ * @see \Illuminate\Support\Facades\Auth::user() returns Authenticatable|null
+ * @see \Illuminate\Support\Facades\Auth::loginUsingId() returns Authenticatable|false
+ * @see \Illuminate\Support\Facades\Auth::onceUsingId() returns Authenticatable|false
+ * @see \Illuminate\Support\Facades\Auth::logoutOtherDevices() returns Authenticatable|null
+ * @see \Illuminate\Support\Facades\Auth::getLastAttempted() returns Authenticatable
+ * @see \Illuminate\Support\Facades\Auth::getUser() returns Authenticatable|null
+ * @see \Illuminate\Support\Facades\Auth::authenticate() returns Authenticatable
+ *
+ * There are also Methods that return Guard instance (handed in {@see \Psalm\LaravelPlugin\Handlers\Auth\GuardHandler}):
+ * @see \Illuminate\Support\Facades\Auth::createSessionDriver()
+ * @see \Illuminate\Support\Facades\Auth::createTokenDriver()
+ * @see \Illuminate\Support\Facades\Auth::setRememberDuration()
+ * @see \Illuminate\Support\Facades\Auth::setRequest()
+ * @see \Illuminate\Support\Facades\Auth::forgetUser()
+ */
+final class AuthHandler implements MethodReturnTypeProviderInterface
+{
+    /** @inheritDoc */
+    public static function getClassLikeNames(): array
+    {
+        return [\Illuminate\Support\Facades\Auth::class];
+    }
+
+    /** @inheritDoc */
+    public static function getMethodReturnType(MethodReturnTypeProviderEvent $event): ?Type\Union
+    {
+        $method_name_lowercase = $event->getMethodNameLowercase();
+
+        if (
+            ! in_array($method_name_lowercase, [
+            'user',
+            'loginusingid',
+            'onceusingid',
+            'logoutotherdevices',
+            'getlastattempted',
+            'getuser',
+            'authenticate',
+            ], true)
+        ) {
+            return null;
+        }
+
+        $user_model_type = GuardHandler::getReturnTypeForGuard('default');
+        if (! $user_model_type instanceof Type\Atomic\TNamedObject) {
+            return null;
+        }
+
+        return match ($method_name_lowercase) {
+            'user', 'logoutotherdevices', 'getuser' => new Type\Union([
+                $user_model_type,
+                new Type\Atomic\TNull(),
+            ]),
+            'loginusingid', 'onceusingid' => new Type\Union([
+                $user_model_type,
+                new Type\Atomic\TFalse(),
+            ]),
+            'getlastattempted', 'authenticate' => new Type\Union([$user_model_type]),
+            default => null,
+        };
+    }
+}

src/Handlers/Auth/GuardHandler.php

@@ -0,0 +1,114 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Psalm\LaravelPlugin\Handlers\Auth;
+
+use PhpParser\Node\Arg;
+use PhpParser\Node\Expr\MethodCall;
+use PhpParser\Node\Identifier;
+use PhpParser\Node\Scalar\String_;
+use Psalm\Plugin\EventHandler\Event\MethodReturnTypeProviderEvent;
+use Psalm\Plugin\EventHandler\MethodReturnTypeProviderInterface;
+use Psalm\Type;
+
+use function is_string;
+use function in_array;
+
+/**
+ * Handles cases:
+ * @see \Illuminate\Contracts\Auth\Guard::user() returns Authenticatable|null
+ * @see \Illuminate\Contracts\Auth\StatefulGuard::loginUsingId returns Authenticatable|false
+ * @see \Illuminate\Contracts\Auth\StatefulGuard::onceUsingId returns Authenticatable|false
+ */
+final class GuardHandler implements MethodReturnTypeProviderInterface
+{
+    /** @inheritDoc */
+    public static function getClassLikeNames(): array
+    {
+        return [\Illuminate\Contracts\Auth\Guard::class];
+    }
+
+    /** @inheritDoc */
+    public static function getMethodReturnType(MethodReturnTypeProviderEvent $event): ?Type\Union
+    {
+        $method_name_lowercase = $event->getMethodNameLowercase();
+
+        if (! in_array($method_name_lowercase, ['user', 'loginusingid', 'onceusingid'], true)) {
+            return null;
+        }
+
+        $statement = $event->getStmt();
+        if (! $statement instanceof MethodCall) {
+            return null;
+        }
+
+        $guard_name = self::findGuardNameInCallChain($statement);
+        if (! is_string($guard_name)) {
+            return null;
+        }
+
+        $user_model_type = self::getReturnTypeForGuard($guard_name);
+        if (! $user_model_type instanceof Type\Atomic\TNamedObject) {
+            return null;
+        }
+
+        return match ($method_name_lowercase) {
+            'user' => new Type\Union([
+                $user_model_type,
+                new Type\Atomic\TNull(),
+            ]),
+            'loginusingid', 'onceusingid' => new Type\Union([
+                $user_model_type,
+                new Type\Atomic\TFalse(),
+            ]),
+            default => null,
+        };
+    }
+
+    /**
+     * @psalm-param lowercase-string $method_name_lowercase
+     */
+    public static function getReturnTypeForGuard(string $guard): ?Type\Atomic\TNamedObject
+    {
+        $user_model_fqcn = AuthConfigHelper::getAuthModel($guard);
+        if (!is_string($user_model_fqcn)) {
+            return null;
+        }
+
+        return new Type\Atomic\TNamedObject($user_model_fqcn);
+    }
+
+    private static function findGuardNameInCallChain(MethodCall $methodCall): ?string
+    {
+        $guard_method_call = null;
+
+        $previous_call = $methodCall->var;
+        while ($previous_call instanceof MethodCall) {
+            if (($previous_call->name instanceof Identifier) && $previous_call->name->name === 'guard') {
+                $guard_method_call = $previous_call;
+                continue;
+            }
+
+            $previous_call = $previous_call->var;
+        }
+        unset($previous_call);
+
+        if (! $guard_method_call instanceof MethodCall) {
+            return null;
+        }
+
+        $guard_method_call_args = $guard_method_call->args;
+        if ($guard_method_call_args === []) {
+            return 'default';
+        }
+
+        $first_guard_method_arg = $guard_method_call_args[0];
+        if ($first_guard_method_arg instanceof Arg && $first_guard_method_arg->value instanceof String_) {
+            return $first_guard_method_arg->value->value;
+        }
+
+        // @todo how about null as arg or empty args?
+        return null;
+    }
+}

src/Handlers/Auth/RequestHandler.php

@@ -0,0 +1,68 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Psalm\LaravelPlugin\Handlers\Auth;
+
+use PhpParser\Node\Expr\MethodCall;
+use PhpParser\Node\Expr\StaticCall;
+use PhpParser\Node\Scalar\String_;
+use Psalm\Plugin\EventHandler\Event\MethodReturnTypeProviderEvent;
+use Psalm\Plugin\EventHandler\MethodReturnTypeProviderInterface;
+use Psalm\Type;
+
+use function is_string;
+
+/**
+ * Handles cases:
+ * @see \Illuminate\Http\Request::user()
+ * @see \Illuminate\Http\Request::user('guard-name')
+ */
+final class RequestHandler implements MethodReturnTypeProviderInterface
+{
+    /** @inheritDoc */
+    public static function getClassLikeNames(): array
+    {
+        return [\Illuminate\Http\Request::class];
+    }
+
+    /** @inheritDoc */
+    public static function getMethodReturnType(MethodReturnTypeProviderEvent $event): ?Type\Union
+    {
+        if ($event->getMethodNameLowercase() !== 'user') {
+            return null;
+        }
+
+        $guard_name = self::getGuardName($event->getStmt());
+        if (! is_string($guard_name)) {
+            return null;
+        }
+
+        $user_model_type = GuardHandler::getReturnTypeForGuard($guard_name);
+        if (! $user_model_type instanceof Type\Atomic\TNamedObject) {
+            return null;
+        }
+
+        return new Type\Union([
+            $user_model_type,
+            new Type\Atomic\TNull(),
+        ]);
+    }
+
+    private static function getGuardName(MethodCall|StaticCall $stmt): ?string
+    {
+        $call_args = $stmt->getArgs();
+        if ($call_args === []) {
+            return 'default';
+        }
+
+        $first_arg_type = $call_args[0]->value;
+
+        if ($first_arg_type instanceof String_) {
+            return $first_arg_type->value;
+        }
+
+        // @todo support const, probably vars that contains string, probably enum value
+        return null;
+    }
+}

src/Plugin.php

@@ -5,6 +5,9 @@
 use Illuminate\Foundation\Application;
 use Psalm\LaravelPlugin\Handlers\Application\ContainerHandler;
 use Psalm\LaravelPlugin\Handlers\Application\OffsetHandler;
+use Psalm\LaravelPlugin\Handlers\Auth\AuthHandler;
+use Psalm\LaravelPlugin\Handlers\Auth\GuardHandler;
+use Psalm\LaravelPlugin\Handlers\Auth\RequestHandler;
 use Psalm\LaravelPlugin\Handlers\Eloquent\ModelMethodHandler;
 use Psalm\LaravelPlugin\Handlers\Eloquent\ModelPropertyAccessorHandler;
 use Psalm\LaravelPlugin\Handlers\Eloquent\ModelRelationshipPropertyHandler;
@@ -90,6 +93,13 @@ private function registerHandlers(RegistrationInterface $registration): void
         require_once 'Handlers/Application/OffsetHandler.php';
         $registration->registerHooksFromClass(OffsetHandler::class);
 
+        require_once 'Handlers/Auth/AuthHandler.php';
+        $registration->registerHooksFromClass(AuthHandler::class);
+        require_once 'Handlers/Auth/GuardHandler.php';
+        $registration->registerHooksFromClass(GuardHandler::class);
+        require_once 'Handlers/Auth/RequestHandler.php';
+        $registration->registerHooksFromClass(RequestHandler::class);
+
         require_once 'Handlers/Eloquent/ModelRelationshipPropertyHandler.php';
         $registration->registerHooksFromClass(ModelRelationshipPropertyHandler::class);
         require_once 'Handlers/Eloquent/ModelPropertyAccessorHandler.php';

src/Providers/ConfigRepositoryProvider.php

@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Psalm\LaravelPlugin\Providers;
+
+use Illuminate\Contracts\Config\Repository;
+
+final class ConfigRepositoryProvider
+{
+    /** @psalm-suppress MixedInferredReturnType */
+    public static function get(): Repository
+    {
+        /** @psalm-suppress MixedReturnStatement */
+        return ApplicationProvider::getApp()->get(Repository::class);
+    }
+}

tests/Acceptance/Support/Module.php

@@ -135,12 +135,10 @@ public function _before(TestInterface $test): void
      */
     public function runPsalmOn(string $filename, array $options = []): void
     {
-        $suppressProgress = $this->packageSatisfiesVersionConstraint('vimeo/psalm', '>=3.4.0');
-
         $options = array_map('escapeshellarg', $options);
         $cmd = $this->getPsalmPath()
             . ' --output-format=json '
-            . ($suppressProgress ? ' --no-progress ' : ' ')
+            . ' --no-progress'
             . join(' ', $options) . ' '
             . ($filename ? escapeshellarg($filename) : '')
             . ' 2>&1';
@@ -156,7 +154,7 @@ public function runPsalmOn(string $filename, array $options = []): void
     }
 
     /**
-     * @param string[] $options
+     * @param list<string> $options
      */
     public function runPsalmIn(string $dir, array $options = []): void
     {

tests/Application/app/Models/Admin.php

@@ -0,0 +1,9 @@
+<?php declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Foundation\Auth\User as Authenticatable;
+
+class Admin extends Authenticatable
+{
+}