fix: add PHPStan type annotations for parse_url() return values in CheckAllowedOrigins

Spomky · claude · Spomky · commit ed039a7d8efd · 2026-03-08T18:01:15.000+01:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/webauthn/src/CeremonyStep/CheckAllowedOrigins.php b/src/webauthn/src/CeremonyStep/CheckAllowedOrigins.php
@@ -141,7 +141,9 @@ private function isSubdomainOfFullOrigins(array $parsedOrigin): bool
         if (! isset($parsedOrigin['scheme'], $parsedOrigin['host'])) {
             return false;
         }
+        /** @var string $originScheme */
         $originScheme = $parsedOrigin['scheme'];
+        /** @var string $originHost */
         $originHost = $parsedOrigin['host'];
         $originPort = $parsedOrigin['port'] ?? null;
 
@@ -150,14 +152,18 @@ private function isSubdomainOfFullOrigins(array $parsedOrigin): bool
             if (! is_array($parsedAllowed) || ! isset($parsedAllowed['scheme'], $parsedAllowed['host'])) {
                 continue;
             }
-            if ($originScheme !== $parsedAllowed['scheme']) {
+            /** @var string $allowedScheme */
+            $allowedScheme = $parsedAllowed['scheme'];
+            /** @var string $allowedHost */
+            $allowedHost = $parsedAllowed['host'];
+            if ($originScheme !== $allowedScheme) {
                 continue;
             }
             $allowedPort = $parsedAllowed['port'] ?? null;
             if ($originPort !== $allowedPort) {
                 continue;
             }
-            if ($this->isSubdomainOf($originHost, $parsedAllowed['host'])) {
+            if ($this->isSubdomainOf($originHost, $allowedHost)) {
                 return true;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,9 @@ private function isSubdomainOfFullOrigins(array $parsedOrigin): bool`
`141`	`141`	`if (! isset($parsedOrigin['scheme'], $parsedOrigin['host'])) {`
`142`	`142`	`return false;`
`143`	`143`	`}`
	`144`	`+ /** @var string $originScheme */`
`144`	`145`	`$originScheme = $parsedOrigin['scheme'];`
	`146`	`+ /** @var string $originHost */`
`145`	`147`	`$originHost = $parsedOrigin['host'];`
`146`	`148`	`$originPort = $parsedOrigin['port'] ?? null;`
`147`	`149`
`@@ -150,14 +152,18 @@ private function isSubdomainOfFullOrigins(array $parsedOrigin): bool`
`150`	`152`	`if (! is_array($parsedAllowed) \|\| ! isset($parsedAllowed['scheme'], $parsedAllowed['host'])) {`
`151`	`153`	`continue;`
`152`	`154`	`}`
`153`		`- if ($originScheme !== $parsedAllowed['scheme']) {`
	`155`	`+ /** @var string $allowedScheme */`
	`156`	`+ $allowedScheme = $parsedAllowed['scheme'];`
	`157`	`+ /** @var string $allowedHost */`
	`158`	`+ $allowedHost = $parsedAllowed['host'];`
	`159`	`+ if ($originScheme !== $allowedScheme) {`
`154`	`160`	`continue;`
`155`	`161`	`}`
`156`	`162`	`$allowedPort = $parsedAllowed['port'] ?? null;`
`157`	`163`	`if ($originPort !== $allowedPort) {`
`158`	`164`	`continue;`
`159`	`165`	`}`
`160`		`- if ($this->isSubdomainOf($originHost, $parsedAllowed['host'])) {`
	`166`	`+ if ($this->isSubdomainOf($originHost, $allowedHost)) {`
`161`	`167`	`return true;`
`162`	`168`	`}`
`163`	`169`	`}`