fix: Always store provided state in transient medium

.github/workflows/checks.yml

@@ -9,7 +9,7 @@ on:
 jobs:
   dependencies:
     name: Dependencies
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     strategy:
       max-parallel: 10
@@ -25,10 +25,9 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           coverage: none
-          extensions: mbstring
+          extensions: mbstring, openssl
         env:
-          update: true
-          COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Get composer cache directory
         id: composer-cache
@@ -45,25 +44,24 @@ jobs:
 
   pest:
     name: Pest
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     continue-on-error: true
     needs: ["dependencies"]
 
     strategy:
       max-parallel: 10
       matrix:
-        php: ["8.0", "8.1", "8.2"]
+        php: ["8.1", "8.2"]
 
     steps:
       - name: Set up PHP ${{ matrix.php }}
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php }}
           coverage: pcov
-          extensions: mbstring
+          extensions: mbstring, openssl
         env:
-          update: true
-          COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout code
         uses: actions/checkout@v3
@@ -79,6 +77,9 @@ jobs:
           key: ${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }}-${{ github.run_id }}
           restore-keys: ${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }}-${{ github.run_id }}
 
+      - name: PHP debug
+        run: php -i
+
       - name: Install dependencies with composer
         run: composer install --prefer-dist
 
@@ -92,7 +93,7 @@ jobs:
 
   phpstan:
     name: PHPStan
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: ["dependencies"]
 
     strategy:
@@ -107,10 +108,9 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           coverage: none
-          extensions: mbstring
+          extensions: mbstring, openssl
         env:
-          update: true
-          COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout code
         uses: actions/checkout@v3
@@ -134,7 +134,7 @@ jobs:
 
   psalm:
     name: Psalm
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: ["dependencies"]
 
     strategy:
@@ -149,10 +149,9 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           coverage: none
-          extensions: mbstring
+          extensions: mbstring, openssl
         env:
-          update: true
-          COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout code
         uses: actions/checkout@v3
@@ -176,7 +175,7 @@ jobs:
 
   pint:
     name: Laravel Pint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: ["dependencies"]
 
     strategy:
@@ -191,10 +190,9 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           coverage: none
-          extensions: mbstring
+          extensions: mbstring, openssl
         env:
-          update: true
-          COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout code
         uses: actions/checkout@v3
@@ -218,7 +216,7 @@ jobs:
 
   rector:
     name: Rector
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: ["dependencies"]
 
     strategy:
@@ -233,10 +231,9 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           coverage: none
-          extensions: mbstring
+          extensions: mbstring, openssl
         env:
-          update: true
-          COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout code
         uses: actions/checkout@v3

composer.json

@@ -93,10 +93,10 @@
     "rector:fix": "@php vendor/bin/rector process src",
     "pest": "@php vendor/bin/pest --order-by random",
     "test": [
+      "@pint",
       "@phpstan",
       "@psalm",
       "@rector",
-      "@pint",
       "@pest"
     ]
   }

src/API/Authentication.php

@@ -23,7 +23,7 @@ final class Authentication implements AuthenticationInterface
     /**
      * Instance of SdkConfiguration, for shared configuration across classes.
      */
-    private SdkConfiguration $configuration;
+    private ?SdkConfiguration $validatedConfiguration = null;
 
     /**
      * Authentication constructor.
@@ -35,20 +35,22 @@ final class Authentication implements AuthenticationInterface
      * @psalm-suppress DocblockTypeContradiction
      */
     public function __construct(
-        $configuration
+        private SdkConfiguration|array $configuration
     ) {
-        // If we're passed an array, construct a new SdkConfiguration from that structure.
-        if (is_array($configuration)) {
-            $configuration = new SdkConfiguration($configuration);
-        }
+        $this->getConfiguration();
+    }
+
+    public function getConfiguration(): SdkConfiguration
+    {
+        if (null === $this->validatedConfiguration) {
+            if (is_array($this->configuration)) {
+                return $this->validatedConfiguration = new SdkConfiguration($this->configuration);
+            }
 
-        // We only accept an SdkConfiguration type.
-        if (! $configuration instanceof SdkConfiguration) {
-            throw \Auth0\SDK\Exception\ConfigurationException::requiresConfiguration();
+            return $this->validatedConfiguration = $this->configuration;
         }
 
-        // Store the configuration internally.
-        $this->configuration = $configuration;
+        return $this->validatedConfiguration;
     }
 
     public function getHttpClient(): HttpClient
@@ -57,7 +59,7 @@ public function getHttpClient(): HttpClient
             return $this->httpClient;
         }
 
-        return $this->httpClient = new HttpClient($this->configuration, HttpClient::CONTEXT_AUTHENTICATION_CLIENT);
+        return $this->httpClient = new HttpClient($this->getConfiguration(), HttpClient::CONTEXT_AUTHENTICATION_CLIENT);
     }
 
     public function getSamlpLink(
@@ -68,7 +70,7 @@ public function getSamlpLink(
 
         /** @var string $clientId */
         [$clientId] = Toolkit::filter([
-            [$clientId, $this->configuration->getClientId()],
+            [$clientId, $this->getConfiguration()->getClientId()],
         ])->array()->first(\Auth0\SDK\Exception\ConfigurationException::requiresClientId());
 
         /** @var array<string> $query */
@@ -78,7 +80,7 @@ public function getSamlpLink(
 
         return sprintf(
             '%s/samlp/%s?%s',
-            $this->configuration->formatDomain(),
+            $this->getConfiguration()->formatDomain(),
             $clientId,
             http_build_query($query, '', '&', PHP_QUERY_RFC3986)
         );
@@ -91,12 +93,12 @@ public function getSamlpMetadataLink(
 
         /** @var string $clientId */
         [$clientId] = Toolkit::filter([
-            [$clientId, $this->configuration->getClientId()],
+            [$clientId, $this->getConfiguration()->getClientId()],
         ])->array()->first(\Auth0\SDK\Exception\ConfigurationException::requiresClientId());
 
         return sprintf(
             '%s/samlp/metadata/%s',
-            $this->configuration->formatDomain(),
+            $this->getConfiguration()->formatDomain(),
             $clientId
         );
     }
@@ -112,12 +114,12 @@ public function getWsfedLink(
 
         /** @var string $clientId */
         [$clientId] = Toolkit::filter([
-            [$clientId, $this->configuration->getClientId()],
+            [$clientId, $this->getConfiguration()->getClientId()],
         ])->array()->first(\Auth0\SDK\Exception\ConfigurationException::requiresClientId());
 
         return sprintf(
             '%s/wsfed/%s?%s',
-            $this->configuration->formatDomain(),
+            $this->getConfiguration()->formatDomain(),
             $clientId,
             http_build_query($params, '', '&', PHP_QUERY_RFC3986)
         );
@@ -127,7 +129,7 @@ public function getWsfedMetadataLink(): string
     {
         return sprintf(
             '%s/wsfed/FederationMetadata/2007-06/FederationMetadata.xml',
-            $this->configuration->formatDomain()
+            $this->getConfiguration()->formatDomain()
         );
     }
 
@@ -146,21 +148,21 @@ public function getLoginLink(
         ])->isString();
 
         [$redirectUri] = Toolkit::filter([
-            [$redirectUri, isset($params['redirect_uri']) ? (string) $params['redirect_uri'] : null, $this->configuration->getRedirectUri()],
+            [$redirectUri, isset($params['redirect_uri']) ? (string) $params['redirect_uri'] : null, $this->getConfiguration()->getRedirectUri()],
         ])->array()->first(\Auth0\SDK\Exception\ConfigurationException::requiresRedirectUri());
 
         return sprintf(
             '%s/authorize?%s',
-            $this->configuration->formatDomain(),
+            $this->getConfiguration()->formatDomain(),
             http_build_query(Toolkit::merge([
                 'state' => $state,
-                'client_id' => $this->configuration->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
-                'audience' => $this->configuration->defaultAudience(),
-                'organization' => $this->configuration->defaultOrganization(),
+                'client_id' => $this->getConfiguration()->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
+                'audience' => $this->getConfiguration()->defaultAudience(),
+                'organization' => $this->getConfiguration()->defaultOrganization(),
                 'redirect_uri' => $redirectUri,
-                'scope' => $this->configuration->formatScope(),
-                'response_mode' => $this->configuration->getResponseMode(),
-                'response_type' => $this->configuration->getResponseType(),
+                'scope' => $this->getConfiguration()->formatScope(),
+                'response_mode' => $this->getConfiguration()->getResponseMode(),
+                'response_type' => $this->getConfiguration()->getResponseType(),
             ], $params), '', '&', PHP_QUERY_RFC3986)
         );
     }
@@ -176,15 +178,15 @@ public function getLogoutLink(
 
         /** @var string $returnTo */
         [$returnTo] = Toolkit::filter([
-            [$returnTo, isset($params['returnTo']) ? (string) $params['returnTo'] : null, $this->configuration->getRedirectUri()],
+            [$returnTo, isset($params['returnTo']) ? (string) $params['returnTo'] : null, $this->getConfiguration()->getRedirectUri()],
         ])->array()->first(\Auth0\SDK\Exception\ConfigurationException::requiresRedirectUri());
 
         return sprintf(
             '%s/v2/logout?%s',
-            $this->configuration->formatDomain(),
+            $this->getConfiguration()->formatDomain(),
             http_build_query(Toolkit::merge([
                 'returnTo' => $returnTo,
-                'client_id' => $this->configuration->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
+                'client_id' => $this->getConfiguration()->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
             ], $params), '', '&', PHP_QUERY_RFC3986)
         );
     }
@@ -202,8 +204,8 @@ public function passwordlessStart(
             ->method('post')
             ->addPath('passwordless', 'start')
             ->withBody((object) Toolkit::merge([
-                'client_id' => $this->configuration->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
-                'client_secret' => $this->configuration->getClientSecret(\Auth0\SDK\Exception\ConfigurationException::requiresClientSecret()),
+                'client_id' => $this->getConfiguration()->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
+                'client_secret' => $this->getConfiguration()->getClientSecret(\Auth0\SDK\Exception\ConfigurationException::requiresClientSecret()),
             ], $body))
             ->withHeaders($headers)
             ->call();
@@ -227,8 +229,8 @@ public function emailPasswordlessStart(
         ])->isString();
 
         /** @var array{scope: ?string} $params */
-        if ((! isset($params['scope']) || '' === $params['scope']) && $this->configuration->hasScope()) {
-            $params['scope'] = $this->configuration->formatScope() ?? '';
+        if ((! isset($params['scope']) || '' === $params['scope']) && $this->getConfiguration()->hasScope()) {
+            $params['scope'] = $this->getConfiguration()->formatScope() ?? '';
         }
 
         $body = Toolkit::filter([
@@ -307,8 +309,8 @@ public function oauthToken(
 
         $parameters = Toolkit::merge([
             'grant_type' => $grantType,
-            'client_id' => $this->configuration->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
-            'client_secret' => $this->configuration->getClientSecret(\Auth0\SDK\Exception\ConfigurationException::requiresClientSecret()),
+            'client_id' => $this->getConfiguration()->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
+            'client_secret' => $this->getConfiguration()->getClientSecret(\Auth0\SDK\Exception\ConfigurationException::requiresClientSecret()),
         ], $params);
 
         /** @var array<bool|int|string> $parameters */
@@ -334,7 +336,7 @@ public function codeExchange(
         ])->isString();
 
         [$redirectUri] = Toolkit::filter([
-            [$redirectUri, $this->configuration->getRedirectUri()],
+            [$redirectUri, $this->getConfiguration()->getRedirectUri()],
         ])->array()->first(\Auth0\SDK\Exception\ConfigurationException::requiresRedirectUri());
 
         $params = Toolkit::filter([
@@ -416,7 +418,7 @@ public function clientCredentials(
         /** @var array<int|string|null> $params */
 
         $parameters = Toolkit::merge([
-            'audience' => $this->configuration->defaultAudience(),
+            'audience' => $this->getConfiguration()->defaultAudience(),
         ], $params);
 
         /** @var array<int|string|null> $parameters */
@@ -472,7 +474,7 @@ public function dbConnectionsSignup(
             ->method('post')
             ->addPath('dbconnections', 'signup')
             ->withBody(Toolkit::merge([
-                'client_id' => $this->configuration->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
+                'client_id' => $this->getConfiguration()->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
                 'email' => $email,
                 'password' => $password,
                 'connection' => $connection,
@@ -502,7 +504,7 @@ public function dbConnectionsChangePassword(
             ->method('post')
             ->addPath('dbconnections', 'change_password')
             ->withBody(Toolkit::merge([
-                'client_id' => $this->configuration->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
+                'client_id' => $this->getConfiguration()->getClientId(\Auth0\SDK\Exception\ConfigurationException::requiresClientId()),
                 'email' => $email,
                 'connection' => $connection,
             ], $body))