Refactor filters and models for improved type safety and code clarity

- Updated AuthFilter, CorsFilter, RateLimitFilter to enforce stricter type hints and nullability.
- Enhanced error handling and response generation in filters.
- Refactored Format class to use mixed types and improved string handling.
- Added type annotations and docblocks in AccessModel, KeyModel, LimitModel, and LogModel for better code documentation.
- Improved test stubs in ApiKeyFilterTest and FiltersTest for better type safety.
- Ensured consistent use of ResponseInterface in response handling across filters and controllers.

Author: chriskacerguis

.gitignore

@@ -19,4 +19,5 @@ application/logs/*
 !application/logs/.htaccess
 /vendor/
 *.phar
-.phpunit.result.cache
+.phpunit.result.cache
+phpstan.neon.dist

README.md

@@ -254,6 +254,15 @@ php spark migrate -n 'chriskacerguis\RestServer'
 curl -H 'X-API-KEY: YOUR_KEY' http://localhost:8080/api/users
 ```
 
+## Testing
+
+```bash
+php phpcs.phar --standard=phpcs.xml
+php phpunit.phar -c phpunit.xml.dist --testdox
+php -d memory_limit=512M phpstan.phar analyse src --no-progress -c phpstan.neon.dist
+```
+
+
 ## License
 
 MIT

src/Config/Rest.php

@@ -13,6 +13,7 @@ class Rest extends BaseConfig
 
     // Output formats
     public string $defaultFormat = 'json';
+    /** @var array<string> */
     public array $supportedFormats = [
         'json', 'array', 'csv', 'html', 'jsonp', 'php', 'serialized', 'xml',
     ];
@@ -30,6 +31,7 @@ class Rest extends BaseConfig
     public $auth = false;
     /** @var ''|'ldap'|'library' */
     public string $authSource = '';
+    /** @var array<string,string> */
     public array $validLogins = ['admin' => '1234'];
 
     // Allow Authentication and API Keys
@@ -63,7 +65,7 @@ class Rest extends BaseConfig
     /**
      * Override the model class used to validate API keys (for testing or customization)
      *
-     * @var class-string
+     * @var class-string<\chriskacerguis\RestServer\Models\KeyModel>
      */
     public string $keyModelClass = 'chriskacerguis\\RestServer\\Models\\KeyModel';
 
@@ -86,7 +88,7 @@ class Rest extends BaseConfig
     /**
      * Override the model class used to persist limits (for testing or customization)
      *
-     * @var class-string
+     * @var class-string<\chriskacerguis\RestServer\Models\LimitModel>
      */
     public string $limitModelClass = 'chriskacerguis\\RestServer\\Models\\LimitModel';
 
@@ -101,11 +103,15 @@ class Rest extends BaseConfig
 
     // CORS
     public bool $checkCors = false;
+    /** @var array<string> */
     public array $allowedCorsHeaders = [
         'Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Access-Control-Request-Method',
     ];
+    /** @var array<string> */
     public array $allowedCorsMethods = ['GET', 'POST', 'OPTIONS', 'PUT', 'PATCH', 'DELETE'];
     public bool $allowAnyCorsDomain = false;
+    /** @var array<string> */
     public array $allowedCorsOrigins = [];
+    /** @var array<string,string> */
     public array $forcedCorsHeaders = [];
 }

src/Filters/ApiKeyFilter.php

@@ -13,30 +13,49 @@
 
 class ApiKeyFilter implements FilterInterface
 {
-    public function before(RequestInterface $request, $arguments = null)
+    /**
+     * @param array<string,mixed>|null $arguments
+     */
+    public function before(RequestInterface $request, $arguments = null): ?ResponseInterface
     {
         $config = config(RestConfig::class);
+        if (!$config instanceof RestConfig) {
+            $config = new RestConfig();
+        }
         if (!$config->enableKeys) {
             return null;
         }
 
-        $headerName = $config->keyHeaderName;
-        $apiKey = $request->getHeaderLine($headerName)
-            ?: ($request->getGet('api_key') ?? ($request->getGet($headerName) ?? ''));
+        $headerName = (string) $config->keyHeaderName;
+        $apiKey = $request->getHeaderLine($headerName);
+        if ($apiKey === '') {
+            $queryKey = $request->getGet('api_key');
+            if (!is_string($queryKey) || $queryKey === '') {
+                $queryKey = $request->getGet($headerName);
+            }
+            $apiKey = is_string($queryKey) ? $queryKey : '';
+        }
 
         if ($apiKey === '') {
-            $response = service('response') ?: new Response(config('App'));
+            $response = service('response');
+            if (!$response instanceof ResponseInterface) {
+                $response = new Response(config('App'));
+            }
             return $response->setStatusCode(401)->setJSON([
                 $config->statusFieldName => false,
                 $config->messageFieldName => 'API key missing',
             ]);
         }
 
         $modelClass = $config->keyModelClass ?? KeyModel::class;
+        /** @var KeyModel $model */
         $model = new $modelClass();
-        $row = $model->findValidKey($apiKey);
+        $row = $model->findValidKey((string) $apiKey);
         if (!$row) {
-            $response = service('response') ?: new Response(config('App'));
+            $response = service('response');
+            if (!$response instanceof ResponseInterface) {
+                $response = new Response(config('App'));
+            }
             return $response->setStatusCode(401)->setJSON([
                 $config->statusFieldName => false,
                 $config->messageFieldName => 'Invalid or expired API key',
@@ -46,7 +65,10 @@ public function before(RequestInterface $request, $arguments = null)
         return null;
     }
 
-    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
+    /**
+     * @param array<string,mixed>|null $arguments
+     */
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null): void
     {
         // no-op
     }

src/Filters/AuthFilter.php

@@ -12,75 +12,89 @@
 
 class AuthFilter implements FilterInterface
 {
-    public function before(RequestInterface $request, $arguments = null)
+    /**
+     * @param array<string,mixed>|null $arguments
+     */
+    public function before(RequestInterface $request, $arguments = null): ?ResponseInterface
     {
         $config = config(RestConfig::class);
-
-        if ($config->auth === false || $config->auth === '') {
-            // Auth disabled
-            return null;
+        if (!$config instanceof RestConfig) {
+            $config = new RestConfig();
         }
 
-        if ($config->auth === 'session') {
-            $session = service('session');
-            if ($session && ($session->get('isLoggedIn') === true || $session->get('logged_in') === true)) {
-                return null;
-            }
-
-            return $this->unauthorizedResponse('basic', $config->realm, 'Session authentication required');
+        if ($config->auth === false) {
+            return null; // Auth disabled
         }
 
-        $authHeader = (string) ($request->getHeaderLine('Authorization') ?? '');
+        $authHeader = $request->getHeaderLine('Authorization');
         $method = strtoupper($request->getMethod());
 
-        if ($config->auth === 'basic') {
-            $creds = $this->parseBasic($authHeader);
-            if (!$creds) {
-                return $this->unauthorizedResponse('basic', $config->realm);
-            }
-
-            $isValid = $this->validateCredentials($creds['username'], $creds['password'], $config);
-            if ($isValid) {
-                return null;
-            }
-
-            return $this->unauthorizedResponse('basic', $config->realm);
-        }
-
-        if ($config->auth === 'digest') {
-            $digest = $this->parseDigest($authHeader);
-            if (!$digest) {
-                return $this->unauthorizedResponse('digest', $config->realm);
-            }
-
-            $username = $digest['username'] ?? '';
-            $password = $this->findPasswordForUser($username, $config);
-            if ($password === null) {
-                return $this->unauthorizedResponse('digest', $config->realm);
-            }
-
-            $ha1 = md5($username . ':' . $config->realm . ':' . $password);
-            $ha2 = md5($method . ':' . ($digest['uri'] ?? ''));
+        switch ($config->auth) {
+            case 'session':
+                $session = service('session');
+                if (
+                    is_object($session)
+                    && method_exists($session, 'get')
+                    && (
+                        $session->get('isLoggedIn') === true
+                        || $session->get('logged_in') === true
+                    )
+                ) {
+                    return null;
+                }
+                return $this->unauthorizedResponse(
+                    'basic',
+                    (string) ($config->realm ?? ''),
+                    'Session authentication required'
+                );
+
+            case 'basic':
+                $creds = $this->parseBasic($authHeader);
+                if (!$creds) {
+                    return $this->unauthorizedResponse('basic', (string) ($config->realm ?? ''));
+                }
+                if ($this->validateCredentials($creds['username'], $creds['password'], $config)) {
+                    return null;
+                }
+                return $this->unauthorizedResponse('basic', (string) ($config->realm ?? ''));
 
-            $data = $ha1 . ':' . ($digest['nonce'] ?? '') . ':' . ($digest['nc'] ?? '') . ':'
-                . ($digest['cnonce'] ?? '') . ':' . ($digest['qop'] ?? '') . ':' . $ha2;
-            $validResponse = md5($data);
+            case 'digest':
+                $digest = $this->parseDigest($authHeader);
+                if (!$digest) {
+                    return $this->unauthorizedResponse('digest', (string) ($config->realm ?? ''));
+                }
+                $username = $digest['username'] ?? '';
+                $password = $this->findPasswordForUser($username, $config);
+                if ($password === null) {
+                    return $this->unauthorizedResponse('digest', (string) ($config->realm ?? ''));
+                }
+                $realm = (string) ($config->realm ?? '');
+                $ha1 = md5($username . ':' . $realm . ':' . $password);
+                $ha2 = md5($method . ':' . (string) ($digest['uri'] ?? ''));
+                $data = $ha1 . ':' . ($digest['nonce'] ?? '') . ':' . ($digest['nc'] ?? '') . ':'
+                    . ($digest['cnonce'] ?? '') . ':' . ($digest['qop'] ?? '') . ':' . $ha2;
+                $validResponse = md5($data);
+                if (hash_equals($validResponse, (string) ($digest['response'] ?? ''))) {
+                    return null;
+                }
+                return $this->unauthorizedResponse('digest', (string) ($config->realm ?? ''));
 
-            if (hash_equals($validResponse, (string) ($digest['response'] ?? ''))) {
+            default:
                 return null;
-            }
-
-            return $this->unauthorizedResponse('digest', $config->realm);
         }
-
-        return null;
     }
 
-    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
+    /**
+     * @param array<string,mixed>|null $arguments
+     */
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null): void
     {
         // No-op
     }
 
+    /**
+     * @return array{username:string,password:string}|null
+     */
     private function parseBasic(string $authHeader): ?array
     {
         if (!str_starts_with(strtolower($authHeader), 'basic ')) {
@@ -101,6 +115,9 @@ private function parseBasic(string $authHeader): ?array
         return ['username' => $parts[0], 'password' => $parts[1]];
     }
 
+    /**
+     * @return array<string,string>|null
+     */
     private function parseDigest(string $authHeader): ?array
     {
         if (!str_starts_with(strtolower($authHeader), 'digest ')) {

src/Filters/CorsFilter.php

@@ -11,37 +11,52 @@
 
 class CorsFilter implements FilterInterface
 {
-    public function before(RequestInterface $request, $arguments = null)
+    /**
+     * @param array<string,mixed>|null $arguments
+     */
+    public function before(RequestInterface $request, $arguments = null): ?ResponseInterface
     {
         $config = config(RestConfig::class);
+        if (!$config instanceof RestConfig) {
+            $config = new RestConfig();
+        }
 
-        $allowedHeaders = implode(', ', $config->allowedCorsHeaders);
-        $allowedMethods = implode(', ', $config->allowedCorsMethods);
+        $allowedHeaders = implode(', ', (array) $config->allowedCorsHeaders);
+        $allowedMethods = implode(', ', (array) $config->allowedCorsMethods);
 
         $origin = $request->getHeaderLine('Origin');
 
-        if ($config->allowAnyCorsDomain) {
+        if ((bool) $config->allowAnyCorsDomain) {
             header('Access-Control-Allow-Origin: *');
             header('Access-Control-Allow-Headers: ' . $allowedHeaders);
             header('Access-Control-Allow-Methods: ' . $allowedMethods);
             header('Vary: Origin');
-        } elseif ($origin && in_array($origin, $config->allowedCorsOrigins, true)) {
+        } elseif ($origin && in_array($origin, (array) $config->allowedCorsOrigins, true)) {
             header('Access-Control-Allow-Origin: ' . $origin);
             header('Access-Control-Allow-Headers: ' . $allowedHeaders);
             header('Access-Control-Allow-Methods: ' . $allowedMethods);
             header('Vary: Origin');
         }
 
-        foreach ($config->forcedCorsHeaders as $h => $v) {
+        foreach ((array) $config->forcedCorsHeaders as $h => $v) {
             header($h . ': ' . $v);
         }
 
-        if (strtoupper($request->getMethod()) === 'OPTIONS') {
-            return service('response')->setStatusCode(204);
+        if (strtoupper((string) $request->getMethod()) === 'OPTIONS') {
+            $response = service('response');
+            if ($response instanceof ResponseInterface) {
+                return $response->setStatusCode(204);
+            }
+            return null;
         }
+
+        return null;
     }
 
-    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
+    /**
+     * @param array<string,mixed>|null $arguments
+     */
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null): void
     {
         // no-op
     }