fix: remove mbstring dependency for better PHP compatibility (#262)

* fix: remove mbstring dependency for better PHP compatibility

The library was using several mbstring functions that are either
unavailable in older PHP versions (mb_trim requires PHP 8.4+) or
unnecessary for ASCII-only data.

Changes:
- Replace mb_trim with trim (mb_trim requires PHP 8.4+)
- Replace mb_strtoupper with strtoupper (secrets are base32/ASCII)
- Replace mb_strtolower with strtolower (algorithm names are ASCII)
- Replace mb_substr with substr (removing leading '/' from URIs)
- Replace mb_strlen with strlen in tests (base32 secrets are ASCII)
- Remove ext-mbstring dependency from composer.json
- Remove MBString mutator config from infection.json.dist

All replacements are safe because the library only processes:
- Base32-encoded secrets (A-Z, 2-7, = characters only)
- Algorithm names (sha1, sha256, etc.)
- URI paths (always start with ASCII '/' character)

Fixes #261

* fix: add missing strlen function import in test files

Author: Spomky

.ci-tools/infection.json.dist

@@ -14,12 +14,6 @@
             "\\$this->logger.*",
             "\\$this->cache->save.*",
             "parent::build(\\$container);"
-        ],
-        "MBString": {
-            "settings": {
-                "mb_substr": false,
-                "mb_strlen": false
-            }
-        }
+        ]
     }
 }

composer.json

@@ -17,7 +17,6 @@
     ],
     "require": {
         "php": ">=8.1",
-        "ext-mbstring": "*",
         "paragonie/constant_time_encoding": "^2.0 || ^3.0",
         "psr/clock": "^1.0",
         "symfony/deprecation-contracts": "^3.2"

src/Factory.php

@@ -57,7 +57,7 @@ private static function populateParameters(OTPInterface $otp, Url $data): void
     private static function populateOTP(OTPInterface $otp, Url $data): void
     {
         self::populateParameters($otp, $data);
-        $result = explode(':', rawurldecode(mb_substr($data->getPath(), 1)));
+        $result = explode(':', rawurldecode(substr($data->getPath(), 1)));
 
         if (count($result) < 2) {
             $otp->setIssuerIncludedAsParameter(false);
@@ -105,7 +105,7 @@ private static function createOTP(Url $parsed_url, ClockInterface $clock): OTPIn
      */
     private static function getLabel(string $data): string
     {
-        $result = explode(':', rawurldecode(mb_substr($data, 1)));
+        $result = explode(':', rawurldecode(substr($data, 1)));
         $label = count($result) === 2 ? $result[1] : $result[0];
         $label !== '' || throw new InvalidProvisioningUriException('Label must not be empty.');
 

src/OTP.php

@@ -339,9 +339,9 @@ protected function getParameterMap(): array
 
                 return $value;
             },
-            'secret' => static fn (string $value): string => mb_strtoupper(mb_trim($value, '=')),
+            'secret' => static fn (string $value): string => strtoupper(trim($value, '=')),
             'algorithm' => static function (string $value): string {
-                $value = mb_strtolower($value);
+                $value = strtolower($value);
                 in_array($value, hash_algos(), true) || throw new InvalidParameterException(
                     sprintf('The "%s" digest is not supported.', $value),
                     'algorithm',

tests/HOTPTest.php

@@ -9,6 +9,7 @@
 use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\TestCase;
 use RuntimeException;
+use function strlen;
 
 /**
  * @internal
@@ -274,7 +275,7 @@ public function generateWithDefaultSecretSize(): void
 
         static::assertMatchesRegularExpression('/^[A-Z2-7]+$/', $otp->getSecret());
         // Default secret size is 64 bytes, which encodes to ceil(64 * 8 / 5) = 103 base32 chars
-        static::assertSame(103, mb_strlen($otp->getSecret()));
+        static::assertSame(103, strlen($otp->getSecret()));
     }
 
     #[Test]
@@ -284,7 +285,7 @@ public function generateWithCustomSecretSize(): void
 
         static::assertMatchesRegularExpression('/^[A-Z2-7]+$/', $otp->getSecret());
         // 16 bytes encodes to ceil(16 * 8 / 5) = 26 base32 chars
-        static::assertSame(26, mb_strlen($otp->getSecret()));
+        static::assertSame(26, strlen($otp->getSecret()));
     }
 
     #[Test]
@@ -294,7 +295,7 @@ public function generateWithCustomSecretSizeViaCreate(): void
 
         static::assertMatchesRegularExpression('/^[A-Z2-7]+$/', $otp->getSecret());
         // 32 bytes encodes to ceil(32 * 8 / 5) = 52 base32 chars
-        static::assertSame(52, mb_strlen($otp->getSecret()));
+        static::assertSame(52, strlen($otp->getSecret()));
     }
 
     #[Test]

tests/TOTPTest.php

@@ -16,6 +16,7 @@
 use Psr\Clock\ClockInterface;
 use RuntimeException;
 use function assert;
+use function strlen;
 
 /**
  * @internal
@@ -509,7 +510,7 @@ public function generateWithDefaultSecretSize(): void
 
         static::assertMatchesRegularExpression('/^[A-Z2-7]+$/', $otp->getSecret());
         // Default secret size is 64 bytes, which encodes to ceil(64 * 8 / 5) = 103 base32 chars
-        static::assertSame(103, mb_strlen($otp->getSecret()));
+        static::assertSame(103, strlen($otp->getSecret()));
     }
 
     #[Test]
@@ -519,7 +520,7 @@ public function generateWithCustomSecretSize(): void
 
         static::assertMatchesRegularExpression('/^[A-Z2-7]+$/', $otp->getSecret());
         // 16 bytes encodes to ceil(16 * 8 / 5) = 26 base32 chars
-        static::assertSame(26, mb_strlen($otp->getSecret()));
+        static::assertSame(26, strlen($otp->getSecret()));
     }
 
     #[Test]
@@ -530,7 +531,7 @@ public function generateWithCustomSecretSizeViaCreate(): void
 
         static::assertMatchesRegularExpression('/^[A-Z2-7]+$/', $otp->getSecret());
         // 32 bytes encodes to ceil(32 * 8 / 5) = 52 base32 chars
-        static::assertSame(52, mb_strlen($otp->getSecret()));
+        static::assertSame(52, strlen($otp->getSecret()));
     }
 
     #[Test]