Static analysis using larastan (#36)

* Setup larastan

* Add unsage static usage to ignored larastan errors

* Add known/safe PHPStan errors

* Split up EmitsAuthenticationEvents

* Larastan: Typehint Eloquent Builder for 'unknowns'

* GH Actions: Remove continue-on-error from Larastan

---------

Co-authored-by: Claudio Dekker <[email protected]>

Author: Jubeki

.github/workflows/larastan.yml

@@ -0,0 +1,32 @@
+name: Larastan Static Analysis
+
+on:
+  push:
+    branches:
+      - master
+      - '*.x'
+  pull_request:
+
+jobs:
+  larastan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.1
+          tools: composer:v2
+
+      - name: Install dependencies
+        uses: nick-fields/retry@v2
+        with:
+          timeout_minutes: 5
+          max_attempts: 5
+          command: composer update --prefer-stable --prefer-dist --no-interaction --no-progress
+
+      - name: Run Larastan
+        run: vendor/bin/phpstan

composer.json

@@ -21,7 +21,8 @@
         "orchestra/testbench": "^6.5|^7.0",
         "phpunit/phpunit": "^8.4|^9.5.8",
         "roave/security-advisories": "dev-latest",
-        "symplify/monorepo-builder": "11.2.2.72"
+        "symplify/monorepo-builder": "11.2.2.72",
+        "nunomaduro/larastan": "^2.0"
     },
     "autoload": {
         "psr-4": {

packages/core/src/Events/Mixins/EmitsAuthenticatedEvent.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace ClaudioDekker\LaravelAuth\Events\Mixins;
+
+use ClaudioDekker\LaravelAuth\Events\Authenticated;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Event;
+
+trait EmitsAuthenticatedEvent
+{
+    /**
+     * Emits an event indicating that the user was fully authenticated.
+     */
+    protected function emitAuthenticatedEvent(Request $request, Authenticatable $user): void
+    {
+        Event::dispatch(new Authenticated($request, $user));
+    }
+}

packages/core/src/Events/Mixins/EmitsLockoutEvent.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace ClaudioDekker\LaravelAuth\Events\Mixins;
+
+use Illuminate\Auth\Events\Lockout;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Event;
+
+trait EmitsLockoutEvent
+{
+    /**
+     * Emits an event indicating that the user has been locked out for a while.
+     */
+    protected function emitLockoutEvent(Request $request): void
+    {
+        Event::dispatch(new Lockout($request));
+    }
+}

packages/core/src/Http/Concerns/Challenges/PasswordChallenge.php

@@ -2,14 +2,12 @@
 
 namespace ClaudioDekker\LaravelAuth\Http\Concerns\Challenges;
 
-use ClaudioDekker\LaravelAuth\Http\Concerns\EmitsAuthenticationEvents;
 use ClaudioDekker\LaravelAuth\Http\Concerns\InteractsWithRateLimiting;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 
 trait PasswordChallenge
 {
-    use EmitsAuthenticationEvents;
     use InteractsWithRateLimiting;
 
     /**

packages/core/src/Http/Concerns/Challenges/PublicKeyChallenge.php

@@ -3,9 +3,7 @@
 namespace ClaudioDekker\LaravelAuth\Http\Concerns\Challenges;
 
 use ClaudioDekker\LaravelAuth\CredentialType;
-use ClaudioDekker\LaravelAuth\Http\Concerns\EmitsAuthenticationEvents;
 use ClaudioDekker\LaravelAuth\Http\Concerns\InteractsWithRateLimiting;
-use ClaudioDekker\LaravelAuth\Http\Traits\EmailBased;
 use ClaudioDekker\LaravelAuth\LaravelAuth;
 use ClaudioDekker\LaravelAuth\Methods\WebAuthn\Contracts\WebAuthnContract as WebAuthn;
 use ClaudioDekker\LaravelAuth\Methods\WebAuthn\Exceptions\InvalidPublicKeyCredentialException;
@@ -22,8 +20,6 @@
 
 trait PublicKeyChallenge
 {
-    use EmailBased;
-    use EmitsAuthenticationEvents;
     use InteractsWithRateLimiting;
 
     /**

packages/core/src/Http/Concerns/Challenges/TotpChallenge.php

@@ -3,7 +3,6 @@
 namespace ClaudioDekker\LaravelAuth\Http\Concerns\Challenges;
 
 use ClaudioDekker\LaravelAuth\CredentialType;
-use ClaudioDekker\LaravelAuth\Http\Concerns\EmitsAuthenticationEvents;
 use ClaudioDekker\LaravelAuth\Http\Concerns\InteractsWithRateLimiting;
 use ClaudioDekker\LaravelAuth\LaravelAuth;
 use ClaudioDekker\LaravelAuth\Methods\Totp\Contracts\TotpContract as Totp;
@@ -14,7 +13,6 @@
 
 trait TotpChallenge
 {
-    use EmitsAuthenticationEvents;
     use InteractsWithRateLimiting;
 
     /**

packages/core/src/Http/Concerns/EmitsAuthenticationEvents.php

@@ -4,6 +4,7 @@
 
 use App\Models\User;
 use ClaudioDekker\LaravelAuth\CredentialType;
+use ClaudioDekker\LaravelAuth\Events\Mixins\EmitsLockoutEvent;
 use ClaudioDekker\LaravelAuth\Http\Concerns\InteractsWithRateLimiting;
 use ClaudioDekker\LaravelAuth\LaravelAuth;
 use ClaudioDekker\LaravelAuth\Methods\WebAuthn\Contracts\WebAuthnContract as WebAuthn;
@@ -19,6 +20,7 @@
 
 trait PasskeyBasedAuthentication
 {
+    use EmitsLockoutEvent;
     use InteractsWithRateLimiting;
 
     /**
@@ -167,7 +169,10 @@ protected function validatePasskey(Request $request, PublicKeyCredentialRequestO
      */
     protected function resolveUserFromPasskey(Request $request, CredentialAttributes $credential): Authenticatable
     {
-        return User::query()
+        /** @var \Illuminate\Database\Eloquent\Builder $query */
+        $query = User::query();
+
+        return $query
             ->where('has_password', false)
             ->findOrFail($credential->userHandle());
     }

packages/core/src/Http/Concerns/Login/PasskeyBasedAuthentication.php

@@ -4,15 +4,19 @@
 
 use App\Models\User;
 use ClaudioDekker\LaravelAuth\CredentialType;
+use ClaudioDekker\LaravelAuth\Events\Mixins\EmitsLockoutEvent;
+use ClaudioDekker\LaravelAuth\Events\MultiFactorChallenged;
 use ClaudioDekker\LaravelAuth\Http\Concerns\InteractsWithRateLimiting;
 use ClaudioDekker\LaravelAuth\LaravelAuth;
 use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Http\Request;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\Hash;
 
 trait PasswordBasedAuthentication
 {
+    use EmitsLockoutEvent;
     use InteractsWithRateLimiting;
 
     /**
@@ -81,7 +85,10 @@ protected function validatePasswordBasedRequest(Request $request): void
      */
     protected function resolvePasswordBasedUser(Request $request): ?Authenticatable
     {
-        return User::query()
+        /** @var \Illuminate\Database\Eloquent\Builder $query */
+        $query = User::query();
+
+        return $query
             ->where('has_password', true)
             ->where($this->usernameField(), $request->input($this->usernameField()))
             ->first();
@@ -124,6 +131,18 @@ protected function fetchMultiFactorCredentials(Authenticatable $user): Collectio
             ->get();
     }
 
+    /**
+     * Determines the preferred multi-factor authentication method.
+     */
+    protected function determinePreferredMultiFactorMethod(Authenticatable $user, Collection $credentials): CredentialType
+    {
+        if ($credentials->pluck('type')->contains(CredentialType::PUBLIC_KEY)) {
+            return CredentialType::PUBLIC_KEY;
+        }
+
+        return CredentialType::TOTP;
+    }
+
     /**
      * Prepares the details necessary for multi-factor authentication.
      */
@@ -135,14 +154,10 @@ protected function prepareMultiFactorAuthenticationDetails(Request $request, Aut
     }
 
     /**
-     * Determines the preferred multi-factor authentication method.
+     * Emits an event indicating the user received a multi-factor authentication challenge.
      */
-    protected function determinePreferredMultiFactorMethod(Authenticatable $user, Collection $credentials): CredentialType
+    protected function emitMultiFactorChallengedEvent(Request $request, Authenticatable $user): void
     {
-        if ($credentials->pluck('type')->contains(CredentialType::PUBLIC_KEY)) {
-            return CredentialType::PUBLIC_KEY;
-        }
-
-        return CredentialType::TOTP;
+        Event::dispatch(new MultiFactorChallenged($request, $user));
     }
 }

packages/core/src/Http/Concerns/Login/PasswordBasedAuthentication.php

@@ -153,7 +153,10 @@ protected function validatePasskeyBasedInitializationRequest(Request $request):
      */
     protected function claimPasswordlessUser(Request $request): Authenticatable
     {
-        return User::create([
+        /** @var \Illuminate\Database\Eloquent\Builder $query */
+        $query = User::query();
+
+        return $query->create([
             'email' => $request->input('email'),
             $this->usernameField() => $request->input($this->usernameField()),
             'name' => $request->name,
@@ -170,7 +173,10 @@ protected function claimPasswordlessUser(Request $request): Authenticatable
      */
     protected function releaseClaimedPasswordlessUser(Request $request, $userId)
     {
-        return User::where('id', $userId)->firstOrFail()->delete();
+        /** @var \Illuminate\Database\Eloquent\Builder $query */
+        $query = User::query();
+
+        return $query->where('id', $userId)->firstOrFail()->delete();
     }
 
     /**
@@ -240,7 +246,10 @@ protected function validateAndPrepareCredentialAttributes(Request $request, Publ
      */
     protected function resolveUserFromPasskeyCreationOptions(PublicKeyCredentialCreationOptions $options): Authenticatable
     {
-        return User::findOrFail($options->user()->id());
+        /** @var \Illuminate\Database\Eloquent\Builder $query */
+        $query = User::query();
+
+        return $query->findOrFail($options->user()->id());
     }
 
     /**

packages/core/src/Http/Concerns/Registration/PasskeyBasedRegistration.php

@@ -48,7 +48,10 @@ protected function validatePasswordBasedRequest(Request $request): void
      */
     protected function createPasswordBasedUser(Request $request): Authenticatable
     {
-        return User::create([
+        /** @var \Illuminate\Database\Eloquent\Builder $query */
+        $query = User::query();
+
+        return $query->create([
             'email' => $request->input('email'),
             $this->usernameField() => $request->input($this->usernameField()),
             'name' => $request->name,

packages/core/src/Http/Concerns/Registration/PasswordBasedRegistration.php

@@ -3,7 +3,7 @@
 namespace ClaudioDekker\LaravelAuth\Http\Controllers;
 
 use App\Models\User;
-use ClaudioDekker\LaravelAuth\Http\Concerns\EmitsAuthenticationEvents;
+use ClaudioDekker\LaravelAuth\Events\Mixins\EmitsLockoutEvent;
 use ClaudioDekker\LaravelAuth\Http\Concerns\InteractsWithRateLimiting;
 use ClaudioDekker\LaravelAuth\Notifications\AccountRecoveryNotification;
 use Illuminate\Contracts\Auth\Authenticatable;
@@ -13,7 +13,7 @@
 abstract class AccountRecoveryRequestController
 {
     use InteractsWithRateLimiting;
-    use EmitsAuthenticationEvents;
+    use EmitsLockoutEvent;
 
     /**
      * Handles the situation in which account recovery has already been requested.
@@ -113,7 +113,10 @@ protected function validateRecoveryRequest(Request $request): void
      */
     protected function getUser(Request $request)
     {
-        return User::query()
+        /** @var \Illuminate\Database\Eloquent\Builder $query */
+        $query = User::query();
+
+        return $query
             ->where('email', $request->input('email'))
             ->first();
     }