Merge remote-tracking branch 'upstream/master' into pass-user-id-to-finalize-scopes

Author: Sephster

.github/workflows/static-analysis.yml

@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        php-version: [8.1, 8.2, 8.3, 8.4]
+        php-version: [8.1, 8.2, 8.3, 8.4, 8.5]
         composer-stability: [prefer-lowest, prefer-stable]
         operating-system:
           - ubuntu-latest

.github/workflows/tests.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: [8.1, 8.2, 8.3, 8.4]
+        php: [8.1, 8.2, 8.3, 8.4, 8.5]
         os: [ubuntu-latest, windows-latest]
         stability: [prefer-lowest, prefer-stable]
 
@@ -44,6 +44,6 @@ jobs:
         run: vendor/bin/phpunit --coverage-clover=coverage.clover
 
       - name: Code coverage
-        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' }}
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' && startsWith(matrix.os, 'ubuntu') }}
         run:
           ~/.composer/vendor/bin/ocular code-coverage:upload --format=php-clover coverage.clover

.styleci.yml

@@ -9,7 +9,6 @@ enabled:
   - include
   - method_separation
   - native_function_casing
-  - no_blank_lines_between_uses
   - no_duplicate_semicolons
   - no_multiline_whitespace_before_semicolons
   - no_php4_constructor

CHANGELOG.md

@@ -36,6 +36,7 @@ The latest version of this package supports the following versions of PHP:
 * PHP 8.2
 * PHP 8.3
 * PHP 8.4
+* PHP 8.5
 
 The `openssl` and `json` extensions are also required.
 

README.md

@@ -4,7 +4,7 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0",
+        "php": "~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0  || ~8.5.0",
         "ext-openssl": "*",
         "league/event": "^3.0",
         "league/uri": "^7.0",
@@ -16,14 +16,14 @@
         "psr/http-server-middleware": "^1.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6.21",
+        "phpunit/phpunit": "^10.5|^11.5|^12.0",
         "laminas/laminas-diactoros": "^3.5",
-        "phpstan/phpstan": "^1.12",
-        "phpstan/phpstan-phpunit": "^1.3.15",
+        "phpstan/phpstan": "^1.12|^2.0",
+        "phpstan/phpstan-phpunit": "^1.3.15|^2.0",
         "roave/security-advisories": "dev-master",
         "phpstan/extension-installer": "^1.3.1",
-        "phpstan/phpstan-deprecation-rules": "^1.1.4",
-        "phpstan/phpstan-strict-rules": "^1.5.2",
+        "phpstan/phpstan-deprecation-rules": "^1.1.4|^2.0",
+        "phpstan/phpstan-strict-rules": "^1.5.2|^2.0",
         "slevomat/coding-standard": "^8.14.1",
         "php-parallel-lint/php-parallel-lint": "^1.3.2",
         "squizlabs/php_codesniffer": "^3.8"
@@ -46,7 +46,6 @@
         "authentication",
         "resource",
         "api",
-        "auth",
         "protect",
         "secure"
     ],

composer.json

@@ -2,4 +2,8 @@ parameters:
     level: 8
     paths:
         - src
-        - tests
+        - tests
+    ignoreErrors:
+        - 
+            message: '#Deprecated since v5.5, please use {@see self::withValidationConstraints\(\)} instead#'
+            reportUnmatched: false

phpstan.neon.dist

@@ -1,18 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd"
+         xsi:noNamespaceSchemaLocation="vendor/phpunit/phpunit/phpunit.xsd"
+         bootstrap="vendor/autoload.php"
          colors="true"
+         failOnRisky="true"
+         failOnWarning="true"
          stopOnError="true"
          stopOnFailure="true"
-         stopOnIncomplete="false"
-         stopOnSkipped="false"
-         bootstrap="tests/Bootstrap.php"
 >
-  <coverage includeUncoveredFiles="true">
+  <source>
     <include>
-      <directory suffix=".php">src</directory>
+      <directory>src</directory>
     </include>
-  </coverage>
+  </source>
+
   <testsuites>
     <testsuite name="Tests">
       <directory>./tests/</directory>

phpunit.xml.dist

@@ -27,6 +27,7 @@
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 
 class AuthorizationServer implements EmitterAwareInterface
 {
@@ -61,7 +62,9 @@ public function __construct(
         private ClientRepositoryInterface $clientRepository,
         private AccessTokenRepositoryInterface $accessTokenRepository,
         private ScopeRepositoryInterface $scopeRepository,
+        #[SensitiveParameter]
         CryptKeyInterface|string $privateKey,
+        #[SensitiveParameter]
         Key|string $encryptionKey,
         ResponseTypeInterface|null $responseType = null
     ) {

src/AuthorizationServer.php

@@ -74,6 +74,7 @@ private function initJwtConfiguration(): void
             throw new RuntimeException('Public key is empty');
         }
 
+        // TODO: next major release: replace deprecated method and remove phpstan ignored error
         $this->jwtConfiguration->setValidationConstraints(
             new LooseValidAt($clock, $this->jwtValidAtDateLeeway),
             new SignedWith(
@@ -93,7 +94,7 @@ public function validateAuthorization(ServerRequestInterface $request): ServerRe
         }
 
         $header = $request->getHeader('authorization');
-        $jwt = trim((string) preg_replace('/^\s*Bearer\s/', '', $header[0]));
+        $jwt = trim((string) preg_replace('/^\s*Bearer\s/i', '', $header[0]));
 
         if ($jwt === '') {
             throw OAuthServerException::accessDenied('Missing "Bearer" token');