Merge remote-tracking branch 'origin/master' into add-composer-requir…

…e-checker
yiisoft · Oct 19, 2023 · b8eabba · b8eabba
2 parents 529e110 + 74e8652
commit b8eabba
Show file tree

Hide file tree

Showing 12 changed files with 221 additions and 77 deletions.
diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
@@ -2,66 +2,101 @@
 
 ## Our Pledge
 
-As contributors and maintainers of this project, and in order to keep Yii community open and welcoming, we ask to respect all community members.
+As contributors and maintainers of this project, and in order to keep Yii community open and welcoming, we ask to
+respect all community members.
 
 ## Our Standards
 
-Examples of behavior that contributes to creating a positive environment include:
+Examples of behavior that contributes to a positive environment for our community include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
-* Personal attacks
-* Trolling or insulting/derogatory comments, and personal or political attacks
+* The use of sexualized language or imagery, and sexual attention or advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
 * Public or private harassment
-* Publishing other's private information, such as physical or electronic
-  addresses, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in
-  a professional setting
+* Publishing others' private information, such as a physical or email address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
 
-## Our Responsibilities
+## Enforcement Responsibilities
 
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in response
-to any instances of unacceptable behavior.
+Core team members are responsible for clarifying and enforcing our standards of acceptable behavior and will take 
+appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
 
-Project maintainers have the right and responsibility to remove, edit, or reject comments,
-commits, code, wiki edits, issues, and other contributions that are not aligned to this
-Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors
-that they deem inappropriate, threatening, offensive, or harmful.
+Core team members have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits,
+issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for 
+moderation decisions when appropriate.
 
 ## Scope
 
-This Code of Conduct applies both within project spaces and in public spaces when
-an individual is representing the project or its community. Examples of representing
-a project or community include posting via an official social media account,
-within project GitHub, official forum or acting as an appointed representative at
-an online or offline event.
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing
+the community in public spaces. Examples of representing a project or community include using an official e-mail
+address, posting via an official social media account, within project GitHub, official forum or acting as an appointed
+representative at an online or offline event.
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported
-by contacting core team members. All complaints will be reviewed and investigated
-and will result in a response that is deemed necessary and appropriate to the circumstances.
-The project team is obligated to maintain confidentiality with regard to the reporter of
-an incident. Further details of specific enforcement policies may be posted separately.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting core team members. All
+complaints will be reviewed and investigated promptly and fairly.
 
-Project maintainers who do not follow or enforce the Code of Conduct in good faith
-may face temporary or permanent repercussions as determined by other members of
-the project's leadership.
+All core team members are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Core team members will follow these Community Impact Guidelines in determining the consequences for any action they
+deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in 
+the community.
+
+**Consequence**: A private, written warning from core team members, providing clarity around the nature of the violation
+and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including
+unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding
+interactions in community spaces as well as external channels like social media. Violating these terms may lead to 
+a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified
+period of time. No public or private interaction with the people involved, including unsolicited interaction with those
+enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate
+behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 1.4.0, available at
-[http://contributor-covenant.org/version/1/4/][version]
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
 
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
@@ -1,15 +1,14 @@
 on:
-  pull_request:
-  push:
+  - pull_request
+  - push
 
 name: backwards compatibility
+
 jobs:
-    roave_bc_check:
-        name: Roave BC Check
-        runs-on: ubuntu-latest
-        steps:
-            - uses: actions/checkout@master
-            - name: fetch tags
-              run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-            - name: Roave BC Check
-              uses: docker://nyholm/roave-bc-check-ga
+  roave_bc_check:
+    uses: yiisoft/actions/.github/workflows/bc.yml@master
+    with:
+      os: >-
+        ['ubuntu-latest']
+      php: >-
+        ['8.0']
diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml
@@ -0,0 +1,23 @@
+on:
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - '.gitignore'
+      - '.gitattributes'
+      - 'infection.json.dist'
+      - 'psalm.xml'
+
+name: rector
+
+jobs:
+  rector:
+    uses: yiisoft/actions/.github/workflows/rector.yml@master
+    secrets:
+      token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
+    with:
+      os: >-
+        ['ubuntu-latest']
+      php: >-
+        ['8.2']
diff --git a/.styleci.yml b/.styleci.yml
@@ -1,20 +1,12 @@
 preset: psr12
 risky: true
 
-version: 8
+version: 8.1
 
 finder:
   exclude:
     - docs
     - vendor
-    - resources
-    - views
-    - public
-    - templates
-  not-name:
-    - UnionCar.php
-    - TimerUnionTypes.php
-    - schema1.php
 
 enabled:
   - alpha_ordered_traits
@@ -64,7 +56,6 @@ enabled:
   - phpdoc_order
   - phpdoc_property
   - phpdoc_scalar
-  - phpdoc_separation
   - phpdoc_singular_inheritdoc
   - phpdoc_trim
   - phpdoc_trim_consecutive_blank_line_separation
@@ -86,3 +77,9 @@ enabled:
   - trailing_comma_in_multiline_array
   - unalign_double_arrow
   - unalign_equals
+  - empty_loop_body_braces
+  - integer_literal_case
+  - union_type_without_spaces
+
+disabled:
+  - function_declaration
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,29 +1,34 @@
 # Yii CSRF Protection Library Change Log
 
-## 1.2.1 under development
+## 2.0.1 under development
 
 - Enh: Add composer require checker into CI
 
+## 2.0.0 February 14, 2023
+
+- Chg #43: Adapt configuration group names to Yii conventions (@vjik)
+- Enh #44: Add support of `yiisoft/session` version `^2.0` (@vjik)
+
 ## 1.2.0 November 22, 2021
 
-- Chg #31: Update `yiisoft/http` dependency (devanych)
-- Enh #30: Add a custom failure handler feature to `CsrfMiddleware` (solventt, devanych)
+- Chg #31: Update `yiisoft/http` dependency (@devanych)
+- Enh #30: Add a custom failure handler feature to `CsrfMiddleware` (@solventt, @devanych)
 
 ## 1.1.0 October 21, 2021
 
-- New #29: Add methods `CsrfMiddleware::getParameterName()` and `CsrfMiddleware::getHeaderName()` (vjik)
+- New #29: Add methods `CsrfMiddleware::getParameterName()` and `CsrfMiddleware::getHeaderName()` (@vjik)
 
 ## 1.0.3 August 30, 2021
 
-- Chg #28: Use definitions from `yiisoft/definitions` in configuration (vjik)
+- Chg #28: Use definitions from `yiisoft/definitions` in configuration (@vjik)
 
 ## 1.0.2 April 13, 2021
 
-- Chg: Adjust config for yiisoft/factory changes (vjik, samdark)
+- Chg: Adjust config for `yiisoft/factory` changes (@vjik, @samdark)
 
 ## 1.0.1 March 23, 2021
 
-- Chg: Adjust config for new config plugin (samdark)
+- Chg: Adjust config for new config plugin (@samdark)
 
 ## 1.0.0 February 23, 2021
 

diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ The package provides [PSR-15](https://www.php-fig.org/psr/psr-15/) middleware fo
 - It supports two algorithms out of the box:
     - Synchronizer CSRF token with customizable token generation and storage. By default, it uses random data and session.
     - HMAC based token with customizable identity generation. Uses session by default.
-- It has ability to apply masking to CSRF token string to make [BREACH attack](http://breachattack.com/) impossible.
+- It has ability to apply masking to CSRF token string to make [BREACH attack](https://breachattack.com/) impossible.
 
 ## Requirements
 
@@ -147,7 +147,7 @@ To learn more about HMAC based token pattern
 ### Masked CSRF token
 
 `MaskedCsrfToken` is a decorator for `CsrfTokenInterface` that applies masking to a token string.
-It makes [BREACH attack](http://breachattack.com/) impossible, so it is safe to use token in HTML to be later passed to
+It makes [BREACH attack](https://breachattack.com/) impossible, so it is safe to use token in HTML to be later passed to
 the next request either as a hidden form field or via JavaScript async request.
 
 It is recommended to always use this decorator.

diff --git a/composer.json b/composer.json
@@ -30,15 +30,17 @@
         "psr/http-server-middleware": "^1.0",
         "yiisoft/http": "^1.2",
         "yiisoft/security": "^1.0",
-        "yiisoft/session": "^1.0"
+        "yiisoft/session": "^1.0|^2.0"
     },
     "require-dev": {
         "maglnet/composer-require-checker": "^4.2",
         "nyholm/psr7": "^1.3",
         "phpunit/phpunit": "^9.5",
+        "rector/rector": "^0.18.5",
         "roave/infection-static-analysis-plugin": "^1.16",
         "spatie/phpunit-watcher": "^1.23",
-        "vimeo/psalm": "^4.18"
+        "vimeo/psalm": "^4.30|^5.6",
+        "yiisoft/di": "^1.1"
     },
     "autoload": {
         "psr-4": {
@@ -56,7 +58,7 @@
         },
         "config-plugin": {
             "params": "params.php",
-            "web": "web.php"
+            "di-web": "di-web.php"
         }
     },
     "config": {

diff --git a/config/web.php → config/di-web.php b/config/web.php → config/di-web.php
diff --git a/psalm.xml b/psalm.xml
@@ -1,7 +1,8 @@
 <?xml version="1.0"?>
 <psalm
     errorLevel="1"
-    resolveFromConfigFile="true"
+    findUnusedBaselineEntry="true"
+    findUnusedCode="false"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="https://getpsalm.org/schema/config"
     xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"

diff --git a/rector.php b/rector.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+use Rector\CodeQuality\Rector\Class_\InlineConstructorDefaultToPropertyRector;
+use Rector\Config\RectorConfig;
+use Rector\Php73\Rector\FuncCall\JsonThrowOnErrorRector;
+use Rector\Php74\Rector\Closure\ClosureToArrowFunctionRector;
+use Rector\Set\ValueObject\LevelSetList;
+
+return static function (RectorConfig $rectorConfig): void {
+    $rectorConfig->paths([
+        __DIR__ . '/src',
+        __DIR__ . '/tests',
+    ]);
+
+    // register a single rule
+    $rectorConfig->rule(InlineConstructorDefaultToPropertyRector::class);
+
+    // define sets of rules
+    $rectorConfig->sets([
+        LevelSetList::UP_TO_PHP_74,
+    ]);
+
+    $rectorConfig->skip([
+        ClosureToArrowFunctionRector::class,
+        JsonThrowOnErrorRector::class,
+    ]);
+};
diff --git a/src/Synchronizer/Storage/CsrfTokenStorageInterface.php b/src/Synchronizer/Storage/CsrfTokenStorageInterface.php
@@ -16,8 +16,6 @@ public function get(): ?string;
 
     /**
      * Write CSRF token into a storage.
-     *
-     * @param string $token
      */
     public function set(string $token): void;