Refresh PHPStan baseline, more session provider hardening

Author: mbabker

phpstan-baseline.neon

@@ -1,11 +1,5 @@
 parameters:
 	ignoreErrors:
-		-
-			message: '#^Parameter \#1 \$data of function unserialize expects string, mixed given\.$#'
-			identifier: argument.type
-			count: 1
-			path: src/Authentication/Provider/SessionAuthenticationProvider.php
-
 		-
 			message: '#^Cannot cast mixed to string\.$#'
 			identifier: cast.string
@@ -144,12 +138,6 @@ parameters:
 			count: 1
 			path: src/DependencyInjection/Compiler/PingDBALConnectionsCompilerPass.php
 
-		-
-			message: '#^Method BabDev\\WebSocketBundle\\DependencyInjection\\Factory\\Authentication\\AuthenticationProviderFactory\:\:addConfiguration\(\) has parameter \$builder with generic class Symfony\\Component\\Config\\Definition\\Builder\\NodeDefinition but does not specify its types\: TParent$#'
-			identifier: missingType.generics
-			count: 1
-			path: src/DependencyInjection/Factory/Authentication/AuthenticationProviderFactory.php
-
 		-
 			message: '#^Call to an undefined method Symfony\\Component\\Config\\Definition\\Builder\\NodeDefinition\:\:children\(\)\.$#'
 			identifier: method.notFound
@@ -198,12 +186,6 @@ parameters:
 			count: 1
 			path: src/DependencyInjection/Factory/Authentication/SessionAuthenticationProviderFactory.php
 
-		-
-			message: '#^Method BabDev\\WebSocketBundle\\DependencyInjection\\Factory\\Authentication\\SessionAuthenticationProviderFactory\:\:addConfiguration\(\) has parameter \$builder with generic class Symfony\\Component\\Config\\Definition\\Builder\\NodeDefinition but does not specify its types\: TParent$#'
-			identifier: missingType.generics
-			count: 1
-			path: src/DependencyInjection/Factory/Authentication/SessionAuthenticationProviderFactory.php
-
 		-
 			message: '#^Parameter \#1 \$class of function class_exists expects string, mixed given\.$#'
 			identifier: argument.type
@@ -235,7 +217,7 @@ parameters:
 			path: src/Routing/Loader/AttributeLoader.php
 
 		-
-			message: '#^Cannot use array destructuring on \(list\<\(BabDev\\WebSocket\\Server\\WAMP\\WAMPConnection&PHPUnit\\Framework\\MockObject\\MockObject\)\|string\>\)\|null\.$#'
+			message: '#^Cannot use array destructuring on \(list\<\(BabDev\\WebSocket\\Server\\WAMP\\WAMPConnection&PHPUnit\\Framework\\MockObject\\Stub\)\|string\>\)\|null\.$#'
 			identifier: offsetAccess.nonArray
 			count: 5
 			path: tests/Authentication/StorageBackedConnectionRepositoryTest.php

src/Authentication/Provider/SessionAuthenticationProvider.php

@@ -83,6 +83,15 @@ private function getToken(Connection $connection): TokenInterface
 
         foreach ($this->firewalls as $firewall) {
             if (false !== $serializedToken = $session->get($sessionKey = '_security_'.$firewall, false)) {
+                if (!is_string($serializedToken)) {
+                    $this->logger?->debug('Session has a non-string serialized token.', [
+                        'key' => $sessionKey,
+                        'type' => get_debug_type($serializedToken),
+                    ]);
+
+                    break;
+                }
+
                 $token = $this->safelyUnserialize($serializedToken, $sessionKey);
 
                 $this->logger?->debug('Read existing security token from the session.', [

tests/Authentication/Provider/SessionAuthenticationProviderTest.php

@@ -161,6 +161,37 @@ public function testANullTokenUsedWhenANonSecurityTokenIsExtractedFromTheSession
         self::assertInstanceOf(NullToken::class, $this->provider->authenticate($connection));
     }
 
+    public function testANullTokenUsedWhenANonStringIsExtractedFromTheSession(): void
+    {
+        /** @var MockObject&SessionInterface $session */
+        $session = $this->createMock(SessionInterface::class);
+        $session->expects(self::once())
+            ->method('get')
+            ->with('_security_main')
+            ->willReturn(new \stdClass());
+
+        $attributeStore = new ArrayAttributeStore();
+        $attributeStore->set('session', $session);
+        $attributeStore->set('resource_id', 'resource');
+
+        /** @var MockObject&Connection $connection */
+        $connection = $this->createMock(Connection::class);
+        $connection->method('getAttributeStore')
+            ->willReturn($attributeStore);
+
+        $storageIdentifier = '42';
+
+        $this->tokenStorage->expects(self::once())
+            ->method('generateStorageId')
+            ->willReturn($storageIdentifier);
+
+        $this->tokenStorage->expects(self::once())
+            ->method('addToken')
+            ->with($storageIdentifier, self::isInstanceOf(TokenInterface::class));
+
+        self::assertInstanceOf(NullToken::class, $this->provider->authenticate($connection));
+    }
+
     public function testANullTokenUsedWhenUnserializingTheTokenRaisesAnError(): void
     {
         /** @var MockObject&SessionInterface $session */

tests/Authentication/StorageBackedConnectionRepositoryTest.php

@@ -177,13 +177,13 @@ public function testFetchingAllConnectionsByDefaultOnlyReturnsAuthenticatedUsers
         $storageId1 = 42;
         $storageId2 = 84;
 
-        /** @var Stub&TokenInterface $authenticatedToken */
+        /** @var MockObject&TokenInterface $authenticatedToken */
         $authenticatedToken = $this->createMock(TokenInterface::class);
         $authenticatedToken->expects(self::once())
             ->method('getUser')
             ->willReturn(self::createStub(UserInterface::class));
 
-        /** @var Stub&TokenInterface $guestToken */
+        /** @var MockObject&TokenInterface $guestToken */
         $guestToken = $this->createMock(TokenInterface::class);
         $guestToken->expects(self::once())
             ->method('getUser')