fix: address second Copilot review round

- Reject empty JSON array body by decoding with assoc=false and checking
  for stdClass instead of relying on array_is_list
- Remove stale Content-Length header after mutating response body in
  enrichAuthServerMetadata

Author: simonchrz

.idea/.gitignore

@@ -72,21 +72,24 @@ private function handleRegistration(ServerRequestInterface $request): ResponseIn
         $body = $request->getBody()->__toString();
 
         try {
-            $data = json_decode($body, true, 512, \JSON_THROW_ON_ERROR);
+            $decoded = json_decode($body, false, 512, \JSON_THROW_ON_ERROR);
         } catch (\JsonException) {
             return $this->jsonResponse(400, [
                 'error' => 'invalid_client_metadata',
                 'error_description' => 'Request body must be valid JSON.',
             ]);
         }
 
-        if (!\is_array($data) || ([] !== $data && array_is_list($data))) {
+        if (!$decoded instanceof \stdClass) {
             return $this->jsonResponse(400, [
                 'error' => 'invalid_client_metadata',
                 'error_description' => 'Request body must be a JSON object.',
             ]);
         }
 
+        /** @var array<string, mixed> $data */
+        $data = (array) $decoded;
+
         try {
             $result = $this->registrar->register($data);
         } catch (ClientRegistrationException $e) {
@@ -125,7 +128,8 @@ private function enrichAuthServerMetadata(ResponseInterface $response): Response
             ->withBody($this->streamFactory->createStream(
                 json_encode($metadata, \JSON_THROW_ON_ERROR | \JSON_UNESCAPED_SLASHES),
             ))
-            ->withHeader('Content-Type', 'application/json');
+            ->withHeader('Content-Type', 'application/json')
+            ->withoutHeader('Content-Length');
     }
 
     /**