Merge remote-tracking branch 'origin/master' into add-rector

yiisoft · Oct 18, 2023 · d5e26f1 · d5e26f1
2 parents fb616e6 + 14d60e9
commit d5e26f1
Show file tree

Hide file tree

Showing 9 changed files with 168 additions and 75 deletions.
diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
@@ -2,66 +2,101 @@
 
 ## Our Pledge
 
-As contributors and maintainers of this project, and in order to keep Yii community open and welcoming, we ask to respect all community members.
+As contributors and maintainers of this project, and in order to keep Yii community open and welcoming, we ask to
+respect all community members.
 
 ## Our Standards
 
-Examples of behavior that contributes to creating a positive environment include:
+Examples of behavior that contributes to a positive environment for our community include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
-* Personal attacks
-* Trolling or insulting/derogatory comments, and personal or political attacks
+* The use of sexualized language or imagery, and sexual attention or advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
 * Public or private harassment
-* Publishing other's private information, such as physical or electronic
-  addresses, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in
-  a professional setting
+* Publishing others' private information, such as a physical or email address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
 
-## Our Responsibilities
+## Enforcement Responsibilities
 
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in response
-to any instances of unacceptable behavior.
+Core team members are responsible for clarifying and enforcing our standards of acceptable behavior and will take 
+appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
 
-Project maintainers have the right and responsibility to remove, edit, or reject comments,
-commits, code, wiki edits, issues, and other contributions that are not aligned to this
-Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors
-that they deem inappropriate, threatening, offensive, or harmful.
+Core team members have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits,
+issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for 
+moderation decisions when appropriate.
 
 ## Scope
 
-This Code of Conduct applies both within project spaces and in public spaces when
-an individual is representing the project or its community. Examples of representing
-a project or community include posting via an official social media account,
-within project GitHub, official forum or acting as an appointed representative at
-an online or offline event.
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing
+the community in public spaces. Examples of representing a project or community include using an official e-mail
+address, posting via an official social media account, within project GitHub, official forum or acting as an appointed
+representative at an online or offline event.
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported
-by contacting core team members. All complaints will be reviewed and investigated
-and will result in a response that is deemed necessary and appropriate to the circumstances.
-The project team is obligated to maintain confidentiality with regard to the reporter of
-an incident. Further details of specific enforcement policies may be posted separately.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting core team members. All
+complaints will be reviewed and investigated promptly and fairly.
 
-Project maintainers who do not follow or enforce the Code of Conduct in good faith
-may face temporary or permanent repercussions as determined by other members of
-the project's leadership.
+All core team members are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Core team members will follow these Community Impact Guidelines in determining the consequences for any action they
+deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in 
+the community.
+
+**Consequence**: A private, written warning from core team members, providing clarity around the nature of the violation
+and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including
+unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding
+interactions in community spaces as well as external channels like social media. Violating these terms may lead to 
+a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified
+period of time. No public or private interaction with the people involved, including unsolicited interaction with those
+enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate
+behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 1.4.0, available at
-[http://contributor-covenant.org/version/1/4/][version]
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
 
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
@@ -1,15 +1,14 @@
 on:
-  pull_request:
-  push:
+  - pull_request
+  - push
 
 name: backwards compatibility
+
 jobs:
-    roave_bc_check:
-        name: Roave BC Check
-        runs-on: ubuntu-latest
-        steps:
-            - uses: actions/checkout@master
-            - name: fetch tags
-              run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-            - name: Roave BC Check
-              uses: docker://nyholm/roave-bc-check-ga
+  roave_bc_check:
+    uses: yiisoft/actions/.github/workflows/bc.yml@master
+    with:
+      os: >-
+        ['ubuntu-latest']
+      php: >-
+        ['8.0']
diff --git a/.styleci.yml b/.styleci.yml
@@ -1,20 +1,12 @@
 preset: psr12
 risky: true
 
-version: 8
+version: 8.1
 
 finder:
   exclude:
     - docs
     - vendor
-    - resources
-    - views
-    - public
-    - templates
-  not-name:
-    - UnionCar.php
-    - TimerUnionTypes.php
-    - schema1.php
 
 enabled:
   - alpha_ordered_traits
@@ -64,7 +56,6 @@ enabled:
   - phpdoc_order
   - phpdoc_property
   - phpdoc_scalar
-  - phpdoc_separation
   - phpdoc_singular_inheritdoc
   - phpdoc_trim
   - phpdoc_trim_consecutive_blank_line_separation
@@ -86,3 +77,9 @@ enabled:
   - trailing_comma_in_multiline_array
   - unalign_double_arrow
   - unalign_equals
+  - empty_loop_body_braces
+  - integer_literal_case
+  - union_type_without_spaces
+
+disabled:
+  - function_declaration
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,29 +1,34 @@
 # Yii CSRF Protection Library Change Log
 
-## 1.2.1 under development
+## 2.0.1 under development
 
 - no changes in this release.
 
+## 2.0.0 February 14, 2023
+
+- Chg #43: Adapt configuration group names to Yii conventions (@vjik)
+- Enh #44: Add support of `yiisoft/session` version `^2.0` (@vjik)
+
 ## 1.2.0 November 22, 2021
 
-- Chg #31: Update `yiisoft/http` dependency (devanych)
-- Enh #30: Add a custom failure handler feature to `CsrfMiddleware` (solventt, devanych)
+- Chg #31: Update `yiisoft/http` dependency (@devanych)
+- Enh #30: Add a custom failure handler feature to `CsrfMiddleware` (@solventt, @devanych)
 
 ## 1.1.0 October 21, 2021
 
-- New #29: Add methods `CsrfMiddleware::getParameterName()` and `CsrfMiddleware::getHeaderName()` (vjik)
+- New #29: Add methods `CsrfMiddleware::getParameterName()` and `CsrfMiddleware::getHeaderName()` (@vjik)
 
 ## 1.0.3 August 30, 2021
 
-- Chg #28: Use definitions from `yiisoft/definitions` in configuration (vjik)
+- Chg #28: Use definitions from `yiisoft/definitions` in configuration (@vjik)
 
 ## 1.0.2 April 13, 2021
 
-- Chg: Adjust config for yiisoft/factory changes (vjik, samdark)
+- Chg: Adjust config for `yiisoft/factory` changes (@vjik, @samdark)
 
 ## 1.0.1 March 23, 2021
 
-- Chg: Adjust config for new config plugin (samdark)
+- Chg: Adjust config for new config plugin (@samdark)
 
 ## 1.0.0 February 23, 2021
 

diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ The package provides [PSR-15](https://www.php-fig.org/psr/psr-15/) middleware fo
 - It supports two algorithms out of the box:
     - Synchronizer CSRF token with customizable token generation and storage. By default, it uses random data and session.
     - HMAC based token with customizable identity generation. Uses session by default.
-- It has ability to apply masking to CSRF token string to make [BREACH attack](http://breachattack.com/) impossible.
+- It has ability to apply masking to CSRF token string to make [BREACH attack](https://breachattack.com/) impossible.
 
 ## Requirements
 
@@ -147,7 +147,7 @@ To learn more about HMAC based token pattern
 ### Masked CSRF token
 
 `MaskedCsrfToken` is a decorator for `CsrfTokenInterface` that applies masking to a token string.
-It makes [BREACH attack](http://breachattack.com/) impossible, so it is safe to use token in HTML to be later passed to
+It makes [BREACH attack](https://breachattack.com/) impossible, so it is safe to use token in HTML to be later passed to
 the next request either as a hidden form field or via JavaScript async request.
 
 It is recommended to always use this decorator.

diff --git a/composer.json b/composer.json
@@ -30,15 +30,16 @@
         "psr/http-server-middleware": "^1.0",
         "yiisoft/http": "^1.2",
         "yiisoft/security": "^1.0",
-        "yiisoft/session": "^1.0"
+        "yiisoft/session": "^1.0|^2.0"
     },
     "require-dev": {
         "nyholm/psr7": "^1.3",
         "phpunit/phpunit": "^9.5",
         "rector/rector": "^0.14.3",
         "roave/infection-static-analysis-plugin": "^1.16",
         "spatie/phpunit-watcher": "^1.23",
-        "vimeo/psalm": "^4.18"
+        "vimeo/psalm": "^4.30|^5.6",
+        "yiisoft/di": "^1.1"
     },
     "autoload": {
         "psr-4": {
@@ -56,7 +57,7 @@
         },
         "config-plugin": {
             "params": "params.php",
-            "web": "web.php"
+            "di-web": "di-web.php"
         }
     },
     "config": {

diff --git a/config/web.php → config/di-web.php b/config/web.php → config/di-web.php
diff --git a/psalm.xml b/psalm.xml
@@ -1,7 +1,8 @@
 <?xml version="1.0"?>
 <psalm
     errorLevel="1"
-    resolveFromConfigFile="true"
+    findUnusedBaselineEntry="true"
+    findUnusedCode="false"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="https://getpsalm.org/schema/config"
     xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"

diff --git a/tests/ConfigTest.php b/tests/ConfigTest.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yiisoft\Csrf\Tests;
+
+use PHPUnit\Framework\TestCase;
+use Yiisoft\Csrf\CsrfTokenInterface;
+use Yiisoft\Csrf\Hmac\HmacCsrfToken;
+use Yiisoft\Csrf\MaskedCsrfToken;
+use Yiisoft\Csrf\Synchronizer\SynchronizerCsrfToken;
+use Yiisoft\Di\Container;
+use Yiisoft\Di\ContainerConfig;
+use Yiisoft\Session\NullSession;
+use Yiisoft\Session\SessionInterface;
+
+final class ConfigTest extends TestCase
+{
+    public function testBase(): void
+    {
+        $container = $this->createContainer();
+
+        $csrfToken = $container->get(CsrfTokenInterface::class);
+        $synchronizerCsrfToken = $container->get(SynchronizerCsrfToken::class);
+        $hmacCsrfToken = $container->get(HmacCsrfToken::class);
+
+        $this->assertInstanceOf(MaskedCsrfToken::class, $csrfToken);
+        $this->assertInstanceOf(SynchronizerCsrfToken::class, $synchronizerCsrfToken);
+        $this->assertInstanceOf(HmacCsrfToken::class, $hmacCsrfToken);
+    }
+
+    private function createContainer(?array $params = null): Container
+    {
+        return new Container(
+            ContainerConfig::create()->withDefinitions(
+                $this->getDiConfig($params)
+                +
+                [SessionInterface::class => NullSession::class]
+            )
+        );
+    }
+
+    private function getDiConfig(?array $params = null): array
+    {
+        if ($params === null) {
+            $params = $this->getParams();
+        }
+        return require dirname(__DIR__) . '/config/di-web.php';
+    }
+
+    private function getParams(): array
+    {
+        return require dirname(__DIR__) . '/config/params.php';
+    }
+}