fix: address Copilot review feedback

simonchrz · simonchrz · commit 8ec1cfa25a90 · 2026-03-31T08:24:05.000+02:00
- Use array_key_exists() instead of isset() in LenientOidcDiscoveryMetadataPolicy to reject explicit null
- Use JSON_THROW_ON_ERROR in handleRegistration() and reject JSON arrays (non-objects)
- Preserve original response headers in enrichAuthServerMetadata() instead of rebuilding response
- Add Cache-Control: no-store to registration responses containing client_secret
diff --git a/src/Server/Transport/Http/Middleware/ClientRegistrationMiddleware.php b/src/Server/Transport/Http/Middleware/ClientRegistrationMiddleware.php
@@ -70,15 +70,23 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
     private function handleRegistration(ServerRequestInterface $request): ResponseInterface
     {
         $body = $request->getBody()->__toString();
-        $data = json_decode($body, true);
 
-        if (!\is_array($data)) {
+        try {
+            $data = json_decode($body, true, 512, \JSON_THROW_ON_ERROR);
+        } catch (\JsonException) {
             return $this->jsonResponse(400, [
                 'error' => 'invalid_client_metadata',
                 'error_description' => 'Request body must be valid JSON.',
             ]);
         }
 
+        if (!\is_array($data) || ([] !== $data && array_is_list($data))) {
+            return $this->jsonResponse(400, [
+                'error' => 'invalid_client_metadata',
+                'error_description' => 'Request body must be a JSON object.',
+            ]);
+        }
+
         try {
             $result = $this->registrar->register($data);
         } catch (ClientRegistrationException $e) {
@@ -88,7 +96,9 @@ private function handleRegistration(ServerRequestInterface $request): ResponseIn
             ]);
         }
 
-        return $this->jsonResponse(201, $result);
+        return $this->jsonResponse(201, $result, [
+            'Cache-Control' => 'no-store',
+        ]);
     }
 
     private function enrichAuthServerMetadata(ResponseInterface $response): ResponseInterface
@@ -111,9 +121,11 @@ private function enrichAuthServerMetadata(ResponseInterface $response): Response
 
         $metadata['registration_endpoint'] = rtrim($this->localBaseUrl, '/').self::REGISTRATION_PATH;
 
-        return $this->jsonResponse(200, $metadata, [
-            'Cache-Control' => $response->getHeaderLine('Cache-Control'),
-        ]);
+        return $response
+            ->withBody($this->streamFactory->createStream(
+                json_encode($metadata, \JSON_THROW_ON_ERROR | \JSON_UNESCAPED_SLASHES),
+            ))
+            ->withHeader('Content-Type', 'application/json');
     }
 
     /**
diff --git a/src/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicy.php b/src/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicy.php
@@ -37,7 +37,7 @@ public function isValid(mixed $metadata): bool
             return false;
         }
 
-        if (isset($metadata['code_challenge_methods_supported'])) {
+        if (\array_key_exists('code_challenge_methods_supported', $metadata)) {
             if (!\is_array($metadata['code_challenge_methods_supported']) || [] === $metadata['code_challenge_methods_supported']) {
                 return false;
             }
diff --git a/tests/Unit/Server/Transport/Http/Middleware/ClientRegistrationMiddlewareTest.php b/tests/Unit/Server/Transport/Http/Middleware/ClientRegistrationMiddlewareTest.php
@@ -50,6 +50,7 @@ public function testRegistrationSuccess(): void
 
         $this->assertSame(201, $response->getStatusCode());
         $this->assertSame('application/json', $response->getHeaderLine('Content-Type'));
+        $this->assertSame('no-store', $response->getHeaderLine('Cache-Control'));
 
         $payload = json_decode($response->getBody()->__toString(), true, 512, \JSON_THROW_ON_ERROR);
         $this->assertSame('new-client', $payload['client_id']);
@@ -75,6 +76,25 @@ public function testRegistrationWithInvalidJson(): void
         $this->assertSame('Request body must be valid JSON.', $payload['error_description']);
     }
 
+    #[TestDox('POST /register with JSON array instead of object returns 400')]
+    public function testRegistrationWithJsonArrayReturns400(): void
+    {
+        $registrar = $this->createStub(ClientRegistrarInterface::class);
+
+        $middleware = $this->createMiddleware($registrar);
+
+        $request = $this->factory->createServerRequest('POST', 'http://localhost:8000/register')
+            ->withBody($this->factory->createStream('["not","an","object"]'));
+
+        $response = $middleware->process($request, $this->createPassthroughHandler(404));
+
+        $this->assertSame(400, $response->getStatusCode());
+
+        $payload = json_decode($response->getBody()->__toString(), true, 512, \JSON_THROW_ON_ERROR);
+        $this->assertSame('invalid_client_metadata', $payload['error']);
+        $this->assertSame('Request body must be a JSON object.', $payload['error_description']);
+    }
+
     #[TestDox('POST /register returns 400 when registrar throws ClientRegistrationException')]
     public function testRegistrationWithRegistrarException(): void
     {
@@ -121,18 +141,23 @@ public function testMetadataEnrichment(): void
         $this->assertSame('http://localhost:8000/authorize', $payload['authorization_endpoint']);
     }
 
-    #[TestDox('GET /.well-known/oauth-authorization-server preserves Cache-Control header')]
-    public function testMetadataEnrichmentPreservesCacheControl(): void
+    #[TestDox('GET /.well-known/oauth-authorization-server preserves original response headers')]
+    public function testMetadataEnrichmentPreservesOriginalHeaders(): void
     {
         $registrar = $this->createStub(ClientRegistrarInterface::class);
         $middleware = $this->createMiddleware($registrar);
 
         $request = $this->factory->createServerRequest('GET', 'http://localhost:8000/.well-known/oauth-authorization-server');
-        $handler = $this->createJsonHandler(200, ['issuer' => 'http://localhost:8000'], 'max-age=3600');
+        $handler = $this->createJsonHandler(200, ['issuer' => 'http://localhost:8000'], 'max-age=3600', [
+            'X-Custom' => 'preserved',
+            'Vary' => 'Origin',
+        ]);
 
         $response = $middleware->process($request, $handler);
 
         $this->assertSame('max-age=3600', $response->getHeaderLine('Cache-Control'));
+        $this->assertSame('preserved', $response->getHeaderLine('X-Custom'));
+        $this->assertSame('Origin', $response->getHeaderLine('Vary'));
     }
 
     #[TestDox('GET /.well-known/oauth-authorization-server with non-200 status passes through unchanged')]
@@ -226,21 +251,24 @@ public function handle(ServerRequestInterface $request): ResponseInterface
     }
 
     /**
-     * @param array<string, mixed> $data
+     * @param array<string, mixed>  $data
+     * @param array<string, string> $extraHeaders
      */
-    private function createJsonHandler(int $status, array $data, string $cacheControl = ''): RequestHandlerInterface
+    private function createJsonHandler(int $status, array $data, string $cacheControl = '', array $extraHeaders = []): RequestHandlerInterface
     {
         $factory = $this->factory;
 
-        return new class($factory, $status, $data, $cacheControl) implements RequestHandlerInterface {
+        return new class($factory, $status, $data, $cacheControl, $extraHeaders) implements RequestHandlerInterface {
             /**
-             * @param array<string, mixed> $data
+             * @param array<string, mixed>  $data
+             * @param array<string, string> $extraHeaders
              */
             public function __construct(
                 private readonly ResponseFactoryInterface $factory,
                 private readonly int $status,
                 private readonly array $data,
                 private readonly string $cacheControl,
+                private readonly array $extraHeaders,
             ) {
             }
 
@@ -256,6 +284,10 @@ public function handle(ServerRequestInterface $request): ResponseInterface
                     $response = $response->withHeader('Cache-Control', $this->cacheControl);
                 }
 
+                foreach ($this->extraHeaders as $name => $value) {
+                    $response = $response->withHeader($name, $value);
+                }
+
                 return $response;
             }
         };
diff --git a/tests/Unit/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicyTest.php b/tests/Unit/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicyTest.php
@@ -101,6 +101,20 @@ public function testEmptyStringEndpointIsInvalid(): void
         ]));
     }
 
+    #[TestDox('null code challenge methods is invalid')]
+    public function testNullCodeChallengeMethodsIsInvalid(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+        $metadata = [
+            'authorization_endpoint' => 'https://auth.example.com/authorize',
+            'token_endpoint' => 'https://auth.example.com/token',
+            'jwks_uri' => 'https://auth.example.com/jwks',
+            'code_challenge_methods_supported' => null,
+        ];
+
+        $this->assertFalse($policy->isValid($metadata));
+    }
+
     #[TestDox('non-array input is invalid')]
     public function testNonArrayInputIsInvalid(): void
     {

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ public function isValid(mixed $metadata): bool`
`37`	`37`	`return false;`
`38`	`38`	`}`
`39`	`39`
`40`		`- if (isset($metadata['code_challenge_methods_supported'])) {`
	`40`	`+ if (\array_key_exists('code_challenge_methods_supported', $metadata)) {`
`41`	`41`	`if (!\is_array($metadata['code_challenge_methods_supported']) \|\| [] === $metadata['code_challenge_methods_supported']) {`
`42`	`42`	`return false;`
`43`	`43`	`}`