phpstan and phpcs fixes

Author: skie

composer.json

@@ -35,9 +35,12 @@
         "firebase/php-jwt": "^6.2"
     },
     "require-dev": {
-        "cakephp/cakephp-codesniffer": "~4.4.0",
+        "cakephp/cakephp-codesniffer": "^4.5",
         "league/flysystem-vfs": "^1.0",
+        "phpstan/phpstan": "^1.8",
         "phpunit/phpunit": "^9.5",
+        "robthree/twofactorauth": "^1.6",
+        "web-auth/webauthn-lib": "^3.3.11",
         "vlucas/phpdotenv": "^3.3"
     },
     "autoload": {

phpstan.neon

@@ -2,8 +2,8 @@ includes:
     - phpstan-baseline.neon
 
 parameters:
-    level: 4
-    autoload_files:
+    level: 2
+    bootstrapFiles:
         - tests/bootstrap.php
     ignoreErrors:
 

src/Command/ServiceRoutesCommand.php

@@ -68,6 +68,7 @@ public function execute(Arguments $args, ConsoleIo $io): ?int
         $service = ServiceRegistry::getServiceLocator()->get($serviceName);
         if ($service === null) {
             $io->error(__('Service "{0}" not found', $serviceName));
+
             return Command::CODE_ERROR;
         }
 

src/Model/Entity/AuthStore.php

@@ -9,7 +9,7 @@
  * AuthStore Entity
  *
  * @property string $id
- * @property string|null $store
+ * @property array|null $store
  * @property \Cake\I18n\FrozenTime $created
  * @property \Cake\I18n\FrozenTime $modified
  */

src/Model/Entity/JwtRefreshToken.php

@@ -35,7 +35,7 @@ class JwtRefreshToken extends Entity
      * be mass assigned. For security purposes, it is advised to set '*' to false
      * (or remove it), and explicitly make individual fields accessible as needed.
      *
-     * @var array
+     * @var array<string, bool>
      */
     protected $_accessible = [
         '*' => true,
@@ -45,7 +45,7 @@ class JwtRefreshToken extends Entity
     /**
      * Fields that are excluded from JSON versions of the entity.
      *
-     * @var array
+     * @var array<string>
      */
     protected $_hidden = [
         'token',

src/Model/Table/AuthStoreTable.php

@@ -4,8 +4,6 @@
 namespace CakeDC\Api\Model\Table;
 
 use Cake\Database\Schema\TableSchemaInterface;
-use Cake\ORM\Query;
-use Cake\ORM\RulesChecker;
 use Cake\ORM\Table;
 use Cake\Validation\Validator;
 
@@ -25,7 +23,6 @@
  * @method \CakeDC\Api\Model\Entity\AuthStore[]|\Cake\Datasource\ResultSetInterface saveManyOrFail(iterable $entities, $options = [])
  * @method \CakeDC\Api\Model\Entity\AuthStore[]|\Cake\Datasource\ResultSetInterface|false deleteMany(iterable $entities, $options = [])
  * @method \CakeDC\Api\Model\Entity\AuthStore[]|\Cake\Datasource\ResultSetInterface deleteManyOrFail(iterable $entities, $options = [])
- *
  * @mixin \Cake\ORM\Behavior\TimestampBehavior
  */
 class AuthStoreTable extends Table
@@ -62,8 +59,6 @@ public function validationDefault(Validator $validator): Validator
         return $validator;
     }
 
-
-
     /**
      * Initialize schema
      *

src/Rbac/Rules/TwoFactorPassedScope.php

@@ -13,18 +13,15 @@
 namespace CakeDC\Api\Rbac\Rules;
 
 use Authentication\Authenticator\JwtAuthenticator;
-use CakeDC\Auth\Rbac\Rules\AbstractRule;
-use Cake\Utility\Hash;
 use Cake\Routing\Router;
-use OutOfBoundsException;
+use CakeDC\Auth\Rbac\Rules\AbstractRule;
 use Psr\Http\Message\ServerRequestInterface;
 
 /**
  * Owner rule class, used to match ownership permissions
  */
 class TwoFactorPassedScope extends AbstractRule
 {
-
     protected $_defaultConfig = [
     ];
 

src/Rbac/Rules/TwoFactorScope.php

@@ -13,18 +13,15 @@
 namespace CakeDC\Api\Rbac\Rules;
 
 use Authentication\Authenticator\JwtAuthenticator;
-use CakeDC\Auth\Rbac\Rules\AbstractRule;
-use Cake\Utility\Hash;
 use Cake\Routing\Router;
-use OutOfBoundsException;
+use CakeDC\Auth\Rbac\Rules\AbstractRule;
 use Psr\Http\Message\ServerRequestInterface;
 
 /**
  * Owner rule class, used to match ownership permissions
  */
 class TwoFactorScope extends AbstractRule
 {
-
     protected $_defaultConfig = [
     ];
 

src/Routing/ApiRouter.php

@@ -95,14 +95,14 @@ class ApiRouter extends Router
     /**
      * A hash of request context data.
      *
-     * @var array
+     * @var array<string, mixed>
      */
     protected static $_requestContext = [];
 
     /**
      * Named expressions
      *
-     * @var array
+     * @var array<string, string>
      */
     protected static $_namedExpressions = [
         'Action' => Router::ACTION,
@@ -132,14 +132,14 @@ class ApiRouter extends Router
      * The stack of URL filters to apply against routing URLs before passing the
      * parameters to the route collection.
      *
-     * @var array
+     * @var array<callable(): mixed>
      */
     protected static $_urlFilters = [];
 
     /**
      * Default extensions defined with Router::extensions()
      *
-     * @var array
+     * @var array<string>
      */
     protected static $_defaultExtensions = [];
 }

src/Service/Action/Auth/JwtSocialLoginAction.php

@@ -28,7 +28,7 @@ class JwtSocialLoginAction extends Action
      * Execute action.
      *
      * @return mixed
-     * @throws \CakeDC\Api\Service\Action\Exception
+     * @throws \Exception
      */
     public function execute()
     {
@@ -38,6 +38,6 @@ public function execute()
             return false;
         }
 
-        return $this->generateTokenResponse($user);
+        return $this->generateTokenResponse($user, 'login');
     }
 }

src/Service/Action/Auth/JwtTokenTrait.php

@@ -18,20 +18,23 @@
 use Cake\Routing\Router;
 use Cake\Utility\Hash;
 use CakeDC\Api\Service\Auth\TwoFactorAuthentication\OneTimePasswordAuthenticationCheckerFactory;
-use CakeDC\Api\Service\Auth\TwoFactorAuthentication\Webauthn2fAuthenticationCheckerFactory;
+use CakeDC\Api\Service\Auth\TwoFactorAuthentication\Webauthn2FAuthenticationCheckerFactory;
 use DateInterval;
 use DateTimeImmutable;
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Hmac\Sha512;
 use Lcobucci\JWT\Signer\Key\InMemory;
 
+/**
+ * JwtTokenTrait
+ */
 trait JwtTokenTrait
 {
-
     /**
      * Generates token response.
      *
      * @param \Cake\Datasource\EntityInterface|array $user User info.
+     * @param string|null $type The type of token being generated.
      * @return array
      */
     public function generateTokenResponse($user, $type)
@@ -49,6 +52,13 @@ public function generateTokenResponse($user, $type)
         ]);
     }
 
+    /**
+     * Generates refresh token response.
+     *
+     * @param \Cake\Datasource\EntityInterface|array $user User info.
+     * @param array $payload Additional payload data.
+     * @return array
+     */
     public function generateRefreshTokenResponse($user, $payload)
     {
         $timestamp = new DateTimeImmutable();
@@ -65,6 +75,8 @@ public function generateRefreshTokenResponse($user, $payload)
      *
      * @param \Cake\Datasource\EntityInterface|array $user User info.
      * @param \DateTimeImmutable $timestamp Timestamp.
+     * @param string|null $type The type of token being generated.
+     * @param array|null $payload Additional payload data.
      * @return bool|string
      */
     public function generateAccessToken($user, $timestamp, $type, $payload = null)
@@ -92,6 +104,14 @@ public function generateAccessToken($user, $timestamp, $type, $payload = null)
         return $token->toString();
     }
 
+    /**
+     * Get the audience for the token.
+     *
+     * @param \Cake\Datasource\EntityInterface|array $user User info.
+     * @param string|null $type The type of token being generated.
+     * @param array|null $payload Additional payload data.
+     * @return string
+     */
     public function getAudience($user, $type, $payload)
     {
         if ($type === null && is_array($payload) && isset($payload['aud'])) {
@@ -106,11 +126,23 @@ public function getAudience($user, $type, $payload)
         return $audience;
     }
 
+    /**
+     * Check if 2FA is enabled for the user.
+     *
+     * @param \Cake\Datasource\EntityInterface|array $user User info.
+     * @return bool
+     */
     protected function is2FAEnabled($user)
     {
         return $this->isEnabledWebauthn2faAuthentication($user) || $this->isEnabledOneTimePasswordAuthentication($user);
     }
 
+    /**
+     * Check if Webauthn 2FA authentication is enabled for the user.
+     *
+     * @param \Cake\Datasource\EntityInterface|array $user User info.
+     * @return bool
+     */
     public function isEnabledWebauthn2faAuthentication($user)
     {
         $enabledTwoFactorVerify = Configure::read('Api.2fa.enabled');
@@ -122,6 +154,12 @@ public function isEnabledWebauthn2faAuthentication($user)
         return false;
     }
 
+    /**
+     * Check if One-Time Password authentication is enabled for the user.
+     *
+     * @param \Cake\Datasource\EntityInterface|array $user User info.
+     * @return bool
+     */
     public function isEnabledOneTimePasswordAuthentication($user)
     {
         $enabledTwoFactorVerify = Configure::read('Api.2fa.enabled');
@@ -133,6 +171,11 @@ public function isEnabledOneTimePasswordAuthentication($user)
         return false;
     }
 
+    /**
+     * Get the One-Time Password Authentication Checker.
+     *
+     * @return \CakeDC\Auth\Authentication\OneTimePasswordAuthenticationCheckerInterface
+     */
     protected function getOneTimePasswordAuthenticationChecker()
     {
         return (new OneTimePasswordAuthenticationCheckerFactory())->build();
@@ -153,6 +196,8 @@ protected function getWebauthn2fAuthenticationChecker()
      *
      * @param \Cake\Datasource\EntityInterface|array $user User info.
      * @param \DateTimeImmutable $timestamp Timestamp.
+     * @param string|null $type The type of token being generated.
+     * @param array|null $payload Additional payload data.
      * @return bool|string
      */
     public function generateRefreshToken($user, $timestamp, $type, $payload = null)
@@ -184,6 +229,7 @@ public function generateRefreshToken($user, $timestamp, $type, $payload = null)
         $model = $UsersTable->getAlias();
 
         $table = TableRegistry::getTableLocator()->get('CakeDC/Api.JwtRefreshTokens');
+        /** @var \CakeDC\Api\Model\Entity\JwtRefreshToken $entity */
         $entity = $table->find()->where([
             'model' => $model,
             'foreign_key' => $subject,

src/Service/Action/Auth/OtpVerifyAction.php

@@ -13,9 +13,9 @@
 
 namespace CakeDC\Api\Service\Action\Auth;
 
+use Cake\Core\Configure;
 use CakeDC\Api\Service\Action\Action;
 use CakeDC\Users\Controller\Traits\CustomUsersTableTrait;
-use Cake\Core\Configure;
 use RobThree\Auth\TwoFactorAuth;
 
 /**
@@ -32,6 +32,12 @@ abstract class OtpVerifyAction extends Action
      */
     public $tfa;
 
+    /**
+     * initialize
+     *
+     * @param array $config Configuration.
+     * @return void
+     */
     public function initialize(array $config): void
     {
         $this->tfa = new TwoFactorAuth(
@@ -78,5 +84,4 @@ public function getQRCodeImageAsDataUri($issuer, $secret)
     {
         return $this->tfa->getQRCodeImageAsDataUri($issuer, $secret);
     }
-
 }

src/Service/Action/Auth/OtpVerifyCheckAction.php

@@ -13,7 +13,6 @@
 
 namespace CakeDC\Api\Service\Action\Auth;
 
-use CakeDC\Api\Service\Action\Action;
 use CakeDC\Users\Controller\Traits\CustomUsersTableTrait;
 
 /**
@@ -57,5 +56,4 @@ public function execute()
 
         return $this->generateTokenResponse($user->toArray(), '2fa');
     }
-
 }

src/Service/Action/Auth/OtpVerifyGetAction.php

@@ -13,7 +13,6 @@
 
 namespace CakeDC\Api\Service\Action\Auth;
 
-use CakeDC\Api\Service\Action\Action;
 use CakeDC\Users\Controller\Traits\CustomUsersTableTrait;
 
 /**
@@ -54,6 +53,12 @@ public function execute()
         return $result;
     }
 
+    /**
+     * onVerifyGetSecret
+     *
+     * @param array $user User.
+     * @return string
+     */
     protected function onVerifyGetSecret($user)
     {
         if (isset($user['secret']) && $user['secret']) {

src/Service/Action/Auth/ResetPasswordRequestAction.php

@@ -83,7 +83,7 @@ public function execute()
                 'ensureActive' => Configure::read('Users.Registration.ensureActive'),
             ];
             if (!empty($baseUrl)) {
-                $options['linkGenerator'] = function($token) use ($baseUrl) {
+                $options['linkGenerator'] = function ($token) use ($baseUrl) {
                     return $baseUrl . '?token=' . $token;
                 };
             }

src/Service/Action/Auth/TwoFactorAuthAction.php

@@ -14,9 +14,8 @@
 namespace CakeDC\Api\Service\Action\Auth;
 
 use CakeDC\Api\Service\Action\Action;
-use CakeDC\Users\Controller\Traits\CustomUsersTableTrait;
-use Cake\Core\Configure;
 use CakeDC\Api\Webauthn\RegisterAdapter;
+use CakeDC\Users\Controller\Traits\CustomUsersTableTrait;
 
 /**
  * Class LoginAction
@@ -49,6 +48,5 @@ public function execute()
             'enabledWebauthn' => $this->isEnabledWebauthn2faAuthentication((array)$user),
             'enabledOtp' => $this->isEnabledOneTimePasswordAuthentication((array)$user),
         ];
-   }
-
+    }
 }