JwtClaims: strict-aud variant + verification/round-trip docs (S4+B4)#15
Merged
S4 — audience-default hardening + verification docs:

- Add `fromPayloadStrict(array): self` that THROWS when `aud` is absent, instead of defaulting to AUD_SERVER. `fromPayload()` keeps the v0.10.x legacy default (existing tests/behaviour unchanged) — BC-safe.
- Add a prominent class docblock stating JwtClaims performs NO signature verification: it is a typed view over an already-decoded/verified payload; signature verification is the caller's responsibility (server/hub JwtHandler).

B4 — round-trip symmetry note (no behaviour change):

- Document the deliberate `toPayload()` null/empty-optional omission asymmetry (wire-compat for legacy decoders) and why the object round-trip stays lossless.
- Add round-trip object-equality tests asserting fromPayload(toPayload($claims)) == $claims for both the all-fields and minimal-claims cases.

Refactor fromPayload/fromPayloadStrict to share a private build() helper. CHANGELOG [Unreleased] updated. No Version bump (batch-final release step).

Gate: PHPUnit 349 tests / 2838 assertions OK; PHPStan L9 (no baseline) no errors; phpcs PSR-12 clean; Psalm no errors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Codecov Report ✅ All modified and coverable lines are covered by tests.

Coverage Diff:

| | master | #15 | +/- |
|---|---|---|---|
| Coverage | 58.57% | 58.81% | +0.24% |
| Complexity | 422 | 424 | +2 |
| Files | 38 | 38 | |
| Lines | 1260 | 1265 | +5 |
| Hits | 738 | 744 | +6 |
| Misses | 522 | 521 | -1 |
Codacy review: Not up to standards ⛔🔴 Issues
| Category | Results |
|---|---|
| BestPractice | 3 medium |
| CodeStyle | 9 minor |
| Complexity | 4 medium |
🟢 Metrics

| Metric | Results |
|---|---|
| Complexity | 7 |
| Duplication | 0 |
detain added a commit that referenced this pull request on Jun 28, 2026:
Bump Version::VERSION to 0.11.0 and promote the [Unreleased] CHANGELOG section to [0.11.0] - 2026-06-28, rolling up the four changes merged since v0.10.1:

- #14 S1: harden RelayHttpRequest with path/method gate + forbidden-header helpers (isForbiddenHeader/withoutForbiddenHeaders/assertSafe)
- #15 JwtClaims: strict-aud variant (fromPayloadStrict) + verification/round-trip docs (S4+B4)
- #16 refactor(arr): extract AbstractArrClient to dedup the four *arr clients (F2a)
- #17 feat(arr): inject async HTTP transport via ArrTransportInterface (F2b/B1/P1)

composer.json carries no hardcoded version field (tags drive version), so it is left unchanged. The git tag is applied by the coordinator after merge.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Steps
Implements S4 and B4 from `findings/plan_phlix-shared.md` (combined per the plan: both touch `src/Auth/JwtClaims.php` + its tests). No `Version.php` bump — that is the batch-final release step.

S4 — `JwtClaims` audience-default hardening + verification docs (finding S4, LOW)

- `fromPayloadStrict(array $payload): self` that throws `InvalidArgumentException` when `aud` is absent, rather than defaulting it.
- `fromPayload()` keeps defaulting a missing `aud` → `AUD_SERVER` for legacy v0.10.x tokens (BC; existing tests unchanged).
- `JwtClaims` performs no signature verification — it is a typed view over an already-decoded/verified payload; signature verification (and rejecting `alg: none`) is the caller's responsibility (server/hub `JwtHandler`).
- `fromPayload()` / `fromPayloadStrict()` share a private `build()` helper.

B4 — round-trip symmetry note (finding B4, LOW; no behaviour change)

- `toPayload()` null/empty-optional omission asymmetry (`nbf`/`jti`/`scope`/`serverId` omitted for legacy-decoder wire-compat) and why `fromPayload(toPayload($claims)) == $claims` still holds (re-defaulting on input).
- `toPayload()` behaviour unchanged (wire compat).

How verified (full gate, green, not weakened)

- `composer test` — PHPUnit 349 tests, 2838 assertions, OK (9 new tests added).
- `composer stan` — PHPStan Level 9, no baseline, No errors.
- `composer cs` — phpcs PSR-12, clean.
- `composer psalm` — No errors found.

BC / consumer impact

Additive, BC-safe (minor bump at release). Optional later migration of phlix-server/phlix-hub `JwtHandler` to `fromPayloadStrict()` once all issuers set `aud` — not required by this PR.

🤖 Generated with Claude Code
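The S4 and B4 behaviour sketched above, as an added illustrative example rather than the project's own `src/Auth/JwtClaims.php`: the class name, the `AUD_SERVER` value, the constructor shape and the constructed sample payloads are assumptions (PHP 8.1+). It shows the legacy default, the strict rejection of a payload that never carried `aud`, and why omitting null optionals in `toPayload()` still round-trips losslessly.

```php
<?php
// Illustrative stand-in for the behaviour this PR describes, not the project's JwtClaims; like it,
// this is a typed view over an already-verified payload. Name, AUD_SERVER value, claim set: assumptions.
final class ExampleJwtClaims
{
    public const AUD_SERVER = 'server';
    public function __construct(
        public readonly string $sub, public readonly string $aud, public readonly int $exp,
        public readonly ?int $nbf = null, public readonly ?string $jti = null,
        public readonly ?string $scope = null, public readonly ?string $serverId = null,
    ) {}
    /** Legacy v0.10.x behaviour: a missing `aud` silently becomes AUD_SERVER. */
    public static function fromPayload(array $payload): self
    {
        $payload['aud'] ??= self::AUD_SERVER;
        return self::build($payload);
    }

    /** Strict variant: refuse to guess the audience of a token that omits it. */
    public static function fromPayloadStrict(array $payload): self
    {
        if (!isset($payload['aud'])) {
            throw new InvalidArgumentException('JWT payload has no "aud" claim');
        }
        return self::build($payload);
    }

    /** Shared build path: optionals absent on the wire re-default to null. */
    private static function build(array $p): self
    {
        return new self($p['sub'], $p['aud'], $p['exp'], $p['nbf'] ?? null,
            $p['jti'] ?? null, $p['scope'] ?? null, $p['serverId'] ?? null);
    }
    /** Wire form: null optionals are omitted rather than emitted as JSON null. */
    public function toPayload(): array
    {
        $out = ['sub' => $this->sub, 'aud' => $this->aud, 'exp' => $this->exp];
        foreach (['nbf', 'jti', 'scope', 'serverId'] as $k) {
            if ($this->$k !== null) { $out[$k] = $this->$k; }
        }
        return $out;
    }
}
// Constructed sample payloads. The round trip stays lossless despite the omission because build() re-defaults to null.
$minimal = ExampleJwtClaims::fromPayloadStrict(['sub' => 'u1', 'aud' => 'hub', 'exp' => 1700000000]);
assert(ExampleJwtClaims::fromPayload($minimal->toPayload()) == $minimal);
assert(ExampleJwtClaims::fromPayload(['sub' => 'u1', 'exp' => 1700000000])->aud === ExampleJwtClaims::AUD_SERVER);
try { ExampleJwtClaims::fromPayloadStrict(['sub' => 'u1', 'exp' => 1700000000]); }
catch (InvalidArgumentException $e) { echo 'strict: ', $e->getMessage(), PHP_EOL; }
```

The `assert()` calls only fire with `zend.assertions=1` (the development default); the strict call reaches the `catch` regardless, since it never relies on the audience default.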