✨ switch phan for phpstan (see chillerlan/php-qrcode#277)

.gitattributes

@@ -1,17 +1,20 @@
-/.build            export-ignore
-/.github           export-ignore
-/.phan             export-ignore
-/.phpdoc           export-ignore
-/docs              export-ignore
-/examples          export-ignore
-/tests             export-ignore
-/.editorconfig     export-ignore
-/.gitattributes    export-ignore
-/.gitignore        export-ignore
-/.readthedocs.yml  export-ignore
-/phpcs.xml.dist    export-ignore
-/phpdoc.xml.dist   export-ignore
-/phpmd.xml.dist    export-ignore
-/phpunit.xml.dist  export-ignore
+/.build                 export-ignore
+/.github                export-ignore
+/.idea                  export-ignore
+/.phan                  export-ignore
+/.phpdoc                export-ignore
+/docs                   export-ignore
+/examples               export-ignore
+/tests                  export-ignore
+/.editorconfig          export-ignore
+/.gitattributes         export-ignore
+/.gitignore             export-ignore
+/.readthedocs.yml       export-ignore
+/phpcs.xml.dist         export-ignore
+/phpdoc.xml.dist        export-ignore
+/phpmd.xml.dist         export-ignore
+/phpunit.xml.dist       export-ignore
+/phpstan.dist.neon      export-ignore
+/phpstan-baseline.neon  export-ignore
 
 *.php diff=php

.github/workflows/ci.yml

@@ -41,7 +41,7 @@ jobs:
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php-version }}
-          extensions: ast, ${{ env.PHP_EXTENSIONS }}
+          extensions: ${{ env.PHP_EXTENSIONS }}
           ini-values: ${{ env.PHP_INI_VALUES }}
           coverage: none
 
@@ -51,8 +51,8 @@ jobs:
       - name: "Install dependencies with composer"
         uses: ramsey/composer-install@v3
 
-      - name: "Run phan"
-        run: php vendor/bin/phan --target-php-version=${{ matrix.php-version }}
+      - name: "Run PHPStan"
+        run: php vendor/bin/phpstan
 
 
   tests:

.gitignore

@@ -6,4 +6,5 @@ phpcs.xml
 phpdoc.xml
 phpmd.xml
 phpunit.xml
+phpstan.neon
 *.phpunit.result.cache

composer.json

@@ -32,17 +32,18 @@
 	"prefer-stable": true,
 	"require": {
 		"php": "^8.2",
-		"chillerlan/php-settings-container": "^3.2",
+		"chillerlan/php-settings-container": "^3.2.1",
 		"paragonie/constant_time_encoding": "^3.0"
 	},
 	"require-dev": {
 		"ext-curl": "*",
 		"ext-json": "*",
 		"ext-sodium": "*",
-		"phan/phan": "^5.4",
 		"phpmd/phpmd": "^2.15",
+		"phpstan/phpstan": "^1.11",
+		"phpstan/phpstan-deprecation-rules": "^1.2",
 		"phpunit/phpunit": "^11.2",
-		"squizlabs/php_codesniffer": "^3.9"
+		"squizlabs/php_codesniffer": "^3.10"
 	},
 	"suggest": {
 		"chillerlan/php-qrcode": "Create QR Codes for use with an authenticator app."
@@ -58,9 +59,9 @@
 		}
 	},
 	"scripts": {
-		"phan": "@php vendor/bin/phan --allow-polyfill-parser",
 		"phpcs": "@php vendor/bin/phpcs",
-		"phpunit": "@php vendor/bin/phpunit"
+		"phpunit": "@php vendor/bin/phpunit",
+		"phpstan": "@php vendor/bin/phpstan"
 	},
 	"config": {
 		"lock": false,

phpstan-baseline.neon

@@ -0,0 +1,31 @@
+parameters:
+	ignoreErrors:
+		-
+			message: "#^Cannot access offset 'server_time' on mixed\\.$#"
+			count: 1
+			path: src/Authenticators/SteamGuard.php
+
+		-
+			message: "#^Cannot cast mixed to int\\.$#"
+			count: 1
+			path: src/Authenticators/SteamGuard.php
+
+		-   # $response is always string here because CURLOPT_RETURNTRANSFER is set to true
+			message: "#^Parameter \\#1 \\$json of function json_decode expects string, string\\|true given\\.$#"
+			count: 1
+			path: src/Authenticators/SteamGuard.php
+
+		-   # the value given to getHMAC() is always int - this is most likely a false positive
+			message: "#^Parameter \\#1 \\$counter of method chillerlan\\\\Authenticator\\\\Authenticators\\\\HOTP\\:\\:getHMAC\\(\\) expects int, float\\|int given\\.$#"
+			count: 1
+			path: src/Authenticators/TOTP.php
+
+		-   # 32-bit system check
+			message: "#^Call to function is_int\\(\\) with 59\\|1111111109\\|1111111111\\|1234567890\\|2000000000\\|20000000000 will always evaluate to true\\.$#"
+			count: 1
+			path: tests/Authenticators/SteamGuardTest.php
+
+		-   # 32-bit system check
+			message: "#^Call to function is_int\\(\\) with 59\\|1111111109\\|1111111111\\|1234567890\\|2000000000\\|20000000000 will always evaluate to true\\.$#"
+			count: 1
+			path: tests/Authenticators/TOTPTest.php

phpstan.dist.neon

@@ -0,0 +1,17 @@
+# https://phpstan.org/config-reference
+
+parameters:
+	level: 9
+	tmpDir: .build/phpstan-cache
+	paths:
+		- examples
+		- src
+		- tests
+
+	treatPhpDocTypesAsCertain: false
+
+includes:
+	- phpstan-baseline.neon
+	- vendor/phpstan/phpstan/conf/bleedingEdge.neon
+	- vendor/phpstan/phpstan-deprecation-rules/rules.neon
+	- vendor/chillerlan/php-settings-container/rules-magic-access.neon

phpunit.xml.dist

@@ -2,28 +2,24 @@
 <phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="vendor/phpunit/phpunit/phpunit.xsd"
          bootstrap="vendor/autoload.php"
-         cacheResultFile=".build/phpunit.result.cache"
+         cacheDirectory=".build/phpunit-cache"
          colors="true"
          beStrictAboutOutputDuringTests="true"
 >
 	<testsuites>
 		<testsuite name="php-authenticator test suite">
-			<directory suffix=".php">./tests/</directory>
-			<exclude>tests/Authenticators/AuthenticatorInterfaceTestAbstract.php</exclude>
+			<directory>tests</directory>
 		</testsuite>
 	</testsuites>
+	<source>
+		<include>
+			<directory>src</directory>
+		</include>
+	</source>
 	<coverage>
 		<report>
 			<clover outputFile=".build/coverage/clover.xml"/>
 			<xml outputDirectory=".build/coverage/coverage-xml"/>
 		</report>
 	</coverage>
-	<logging>
-		<junit outputFile=".build/logs/junit.xml"/>
-	</logging>
-	<source>
-		<include>
-			<directory>./src</directory>
-		</include>
-	</source>
 </phpunit>

src/AuthenticatorOptionsTrait.php

@@ -17,6 +17,17 @@
 use function strtolower;
 use function strtoupper;
 
+/**
+ * @property int    $digits
+ * @property int    $period
+ * @property int    $secret_length
+ * @property string $algorithm
+ * @property string $mode
+ * @property int    $adjacent
+ * @property int    $time_offset
+ * @property bool   $useLocalTime
+ * @property bool   $forceTimeRefresh
+ */
 trait AuthenticatorOptionsTrait{
 
 	/**

src/Authenticators/HOTP.php

@@ -55,7 +55,12 @@ public function getHMAC(int $counter):string{
 	 */
 	public function getCode(#[SensitiveParameter] string $hmac):int{
 		$data = unpack('C*', $hmac);
-		$b    = ($data[strlen($hmac)] & 0xF);
+
+		if($data === false){
+			throw new RuntimeException('error while unpacking HMAC'); // @codeCoverageIgnore
+		}
+
+		$b = ($data[strlen($hmac)] & 0xF);
 		// phpcs:ignore
 		return (($data[$b + 1] & 0x7F) << 24) | ($data[$b + 2] << 16) | ($data[$b + 3] << 8) | $data[$b + 4];
 	}

src/Authenticators/SteamGuard.php

@@ -23,6 +23,7 @@
 use function curl_setopt_array;
 use function floor;
 use function intdiv;
+use function is_array;
 use function json_decode;
 use function sprintf;
 use function time;
@@ -129,21 +130,26 @@ public function getServerTime():int{
 
 		$ch = curl_init($this::steamTimeURL);
 
+		// it's almost impossible to run into this, but hey, phpstan happy
+		if($ch === false){
+			throw new RuntimeException('curl_init error'); // @codeCoverageIgnore
+		}
+
 		curl_setopt_array($ch, $options);
 
 		$response = curl_exec($ch);
 		$info     = curl_getinfo($ch);
 
 		curl_close($ch);
 
-		if($info['http_code'] !== 200){
+		if($info['http_code'] !== 200 || $response === false){
 			// I'm not going to investigate the error further as this shouldn't happen usually
 			throw new RuntimeException(sprintf('Steam API request error: HTTP/%s', $info['http_code'])); // @codeCoverageIgnore
 		}
 
 		$json = json_decode($response, true);
 
-		if(empty($json) || !isset($json['response']['server_time'])){
+		if(!is_array($json) || !isset($json['response']['server_time'])){
 			throw new RuntimeException('Unable to decode Steam API response'); // @codeCoverageIgnore
 		}
 

tests/AuthenticatorTest.php

@@ -84,7 +84,7 @@ public function testGetUri():void{
 		);
 	}
 
-	public function testGetUriEmptyLabelException(){
+	public function testGetUriEmptyLabelException():void{
 		$this->expectException(InvalidArgumentException::class);
 		$this->expectExceptionMessage('$label and $issuer cannot be empty');
 

tests/Common/Base32Test.php

@@ -18,6 +18,9 @@
 
 class Base32Test extends TestCase{
 
+	/**
+	 * @phpstan-return array<int, array<int, string>>
+	 */
 	public static function base32DataProvider():array{
 		return [
 			['a'                   , 'ME'                              ],
@@ -37,12 +40,12 @@ public function testEncode(string $str, string $base32):void{
 	}
 
 	#[DataProvider('base32DataProvider')]
-	public function testDecode(string $str, string $base32){
+	public function testDecode(string $str, string $base32):void{
 		$this::assertSame($str, Base32::decode($base32));
 	}
 
 	#[DataProvider('base32DataProvider')]
-	public function testCheckCharset(string $str, string $base32){
+	public function testCheckCharset(string $str, string $base32):void{
 		$this->expectNotToPerformAssertions();
 
 		Base32::checkCharacterSet($base32);

tests/Common/Base64Test.php

@@ -23,6 +23,9 @@
  */
 class Base64Test extends TestCase{
 
+	/**
+	 * @phpstan-return array<int, array<int, string>>
+	 */
 	public static function base64DataProvider():array{
 		return [
 			['a'                   , 'YQ=='                        ],
@@ -45,7 +48,7 @@ public function testEncode(string $str, string $base64):void{
 	}
 
 	#[DataProvider('base64DataProvider')]
-	public function testDecode(string $str, string $base64){
+	public function testDecode(string $str, string $base64):void{
 		$decoded = Base64::decode($base64);
 
 		$this::assertSame($str, $decoded);
@@ -54,7 +57,7 @@ public function testDecode(string $str, string $base64){
 	}
 
 	#[DataProvider('base64DataProvider')]
-	public function testCheckCharset(string $str, string $base64){
+	public function testCheckCharset(string $str, string $base64):void{
 		$this->expectNotToPerformAssertions();
 
 		Base64::checkCharacterSet($base64);

tests/Common/HexTest.php

@@ -23,6 +23,9 @@
  */
 class HexTest extends TestCase{
 
+	/**
+	 * @phpstan-return array<int, array<int, string>>
+	 */
 	public static function hexDataProvider():array{
 		return [
 			['a'                   , '61'                                      ],