6.0

.github/workflows/phpunit.yml

@@ -18,15 +18,44 @@ jobs:
     strategy:
       matrix:
         php-version:
+          - "8.5"
           - "8.4"
           - "8.3"
-          - "8.2"
-          - "8.1"
 
     steps:
       - uses: actions/checkout@v5
       - run: composer install
-      - run: ./vendor/bin/phpunit
+      - run: composer test
+
+  Psalm:
+    name: Psalm Static Analyzer
+    runs-on: ubuntu-latest
+    permissions:
+      # for github/codeql-action/upload-sarif to upload SARIF results
+      security-events: write
+    container:
+      image: byjg/php:8.4-cli
+      options: --user root --privileged
+
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v4
+
+      - name: Composer
+        run: composer install
+
+      - name: Psalm
+        # Note: Ignoring error code 2, which just signals that some
+        # flaws were found, not that Psalm itself failed to run.
+        run: ./vendor/bin/psalm
+          --show-info=true
+          --report=psalm-results.sarif || [ $? = 2 ]
+
+      - name: Upload Analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v4
+        if: github.ref == 'refs/heads/master'
+        with:
+          sarif_file: psalm-results.sarif
 
   Documentation:
     if: github.ref == 'refs/heads/master'

README.md

@@ -1,13 +1,13 @@
-# JwtSession
+# JWT Session Handler
 
-[![Build Status](https://github.com/byjg/jwt-session/actions/workflows/phpunit.yml/badge.svg?branch=master)](https://github.com/byjg/jwt-session/actions/workflows/phpunit.yml) 
-[![Opensource ByJG](https://img.shields.io/badge/opensource-byjg-success.svg)](http://opensource.byjg.com) 
-[![GitHub source](https://img.shields.io/badge/Github-source-informational?logo=github)](https://github.com/byjg/jwt-session/) 
-[![GitHub license](https://img.shields.io/github/license/byjg/jwt-session.svg)](https://opensource.byjg.com/opensource/licensing.html) 
+[![Sponsor](https://img.shields.io/badge/Sponsor-%23ea4aaa?logo=githubsponsors&logoColor=white&labelColor=0d1117)](https://github.com/sponsors/byjg)
+[![Build Status](https://github.com/byjg/jwt-session/actions/workflows/phpunit.yml/badge.svg?branch=master)](https://github.com/byjg/jwt-session/actions/workflows/phpunit.yml)
+[![Opensource ByJG](https://img.shields.io/badge/opensource-byjg-success.svg)](http://opensource.byjg.com)
+[![GitHub source](https://img.shields.io/badge/Github-source-informational?logo=github)](https://github.com/byjg/jwt-session/)
+[![GitHub license](https://img.shields.io/github/license/byjg/jwt-session.svg)](https://opensource.byjg.com/opensource/licensing.html)
 [![GitHub release](https://img.shields.io/github/release/byjg/jwt-session.svg)](https://github.com/byjg/jwt-session/releases/)
 
-JwtSession is a PHP session replacement. Instead of use FileSystem, just use JWT TOKEN. 
-The implementation following the SessionHandlerInterface.
+A PHP session replacement that stores session data in JWT tokens instead of the filesystem. This implementation follows the SessionHandlerInterface standard, enabling stateless sessions without the need for dedicated session servers like Redis or Memcached. Perfect for distributed applications and microservices architectures.
 
 # How to use:
 

composer.json

@@ -1,6 +1,6 @@
 {
   "name": "byjg/jwt-session",
-  "description": "JwtSession is a PHP session replacement. Instead of use FileSystem, just use JWT TOKEN. The implementation following the SessionHandlerInterface.",
+  "description": "A PHP session replacement that stores session data in JWT tokens instead of the filesystem. This implementation follows the SessionHandlerInterface standard, enabling stateless sessions without the need for dedicated session servers like Redis or Memcached. Perfect for distributed applications and microservices architectures.",
   "autoload": {
     "psr-4": {
       "ByJG\\Session\\": "src/"
@@ -9,16 +9,16 @@
   "minimum-stability": "dev",
   "prefer-stable": true,
   "require": {
-    "php": ">=8.1 <8.5",
+    "php": ">=8.3 <8.6",
     "byjg/jwt-wrapper": "^6.0"
   },
   "require-dev": {
-    "phpunit/phpunit": "^10|^11",
-    "vimeo/psalm": "^5.9|^6.12"
+    "phpunit/phpunit": "^10.5|^11.5",
+    "vimeo/psalm": "^5.9|^6.13"
   },
   "scripts": {
     "test": "vendor/bin/phpunit",
-    "psalm": "vendor/bin/psalm"
+    "psalm": "vendor/bin/psalm --threads=1"
   },
   "license": "MIT"
 }

psalm.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <psalm
-    errorLevel="4"
+    errorLevel="3"
     resolveFromConfigFile="true"
     findUnusedBaselineEntry="true"
     findUnusedCode="false"

src/JwtSession.php

@@ -7,9 +7,9 @@
 use Exception;
 use SessionHandlerInterface;
 
 class JwtSession implements SessionHandlerInterface
 {
-    const COOKIE_PREFIX = "AUTH_BEARER_";
+    const string COOKIE_PREFIX = "AUTH_BEARER_";
 
     /**
      * @var SessionConfig
@@ -22,7 +22,7 @@
      * @param $sessionConfig
      * @throws JwtSessionException
      */
     public function __construct($sessionConfig)
     {
         ini_set("session.use_cookies", 0);
 
@@ -152,9 +152,13 @@
     {
         try {
             if (isset($_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()])) {
+                $key = $this->sessionConfig->getKey();
+                if ($key === null) {
+                    return '';
+                }
                 $jwt = new JwtWrapper(
                     $this->sessionConfig->getServerName(),
-                    $this->sessionConfig->getKey()
+                    $key
                 );
                 $data = $jwt->extractData($_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()]);
 
@@ -192,9 +196,13 @@
     #[\Override]
     public function write(string $id, string $data): bool
     {
+        $key = $this->sessionConfig->getKey();
+        if ($key === null) {
+            return false;
+        }
         $jwt = new JwtWrapper(
             $this->sessionConfig->getServerName(),
-            $this->sessionConfig->getKey()
+            $key
         );
         $session_data = $jwt->createJwtData(['data' => $data], $this->sessionConfig->getTimeoutMinutes() * 60, 0, null);
         $token = $jwt->generateToken($session_data);
@@ -217,7 +225,7 @@
         return true;
     }
 
     public function serializeSessionData($array): string
     {
         $result = '';
         foreach ($array as $key => $value) {
@@ -232,13 +240,16 @@
      * @return array
      * @throws JwtSessionException
      */
     public function unSerializeSessionData($session_data): array
     {
         $return_data = array();
         $offset = 0;
         while ($offset < strlen($session_data)) {
             if (!str_contains(substr($session_data, $offset), "|")) throw new JwtSessionException("invalid data, remaining: " . substr($session_data, $offset));
             $pos = strpos($session_data, "|", $offset);
+            if ($pos === false) {
+                throw new JwtSessionException("invalid data, pipe not found");
+            }
             $num = $pos - $offset;
             $varname = substr($session_data, $offset, $num);
             $offset += $num + 1;

tests/JwtSessionTest.php

@@ -22,7 +22,7 @@ class JwtSessionTest extends TestCase
      */
     protected SessionConfig $sessionConfig;
 
-    const SESSION_ID = "sessionid";
+    const string SESSION_ID = "sessionid";
 
     /**
      * @throws JwtSessionException