Fix PHPCS and PHPStan issues across multiple files

- Add PHPStan bootstrap file for runtime constants (TWO_FACTOR_DIR, TWO_FACTOR_VERSION)
- Add missing properties ($new, $last_used) to Registration class
- Fix PHPDoc types for show_two_factor_login, process_provider, authentication_page,
  rename_link, delete_link, and pack64
- Fix undefined variable bug in wp_ajax_inline_save
- Add input validation, sanitization, and wp_unslash for $_POST/$_REQUEST usage
- Remove redundant isset($user->ID) checks and always-true conditions
- Cast base_convert() result to int for array offset usage

Author: aslamdoctor

class-two-factor-core.php

@@ -897,7 +897,7 @@ public static function is_api_request() {
 	 *
 	 * @since 0.2.0
 	 *
-	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param WP_User|false $user WP_User object of the logged-in user.
 	 */
 	public static function show_two_factor_login( $user ) {
 		if ( ! $user ) {
@@ -1708,9 +1708,9 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 	 *
 	 * @since 0.9.0
 	 *
-	 * @param object  $provider        The Two Factor Provider.
-	 * @param WP_User $user            The user being authenticated.
-	 * @param bool    $is_post_request Whether the request is a POST request.
+	 * @param object|null $provider        The Two Factor Provider.
+	 * @param WP_User    $user            The user being authenticated.
+	 * @param bool       $is_post_request Whether the request is a POST request.
 	 * @return false|WP_Error|true WP_Error when an error occurs, true when the user is authenticated, false if no action occurred.
 	 */
 	public static function process_provider( $provider, $user, $is_post_request ) {
@@ -2013,7 +2013,7 @@ public static function user_two_factor_options( $user ) {
 		<h2><?php esc_html_e( 'Two-Factor Options', 'two-factor' ); ?></h2>
 
 		<?php foreach ( $notices as $notice_type => $notice ) : ?>
-		<div class="<?php echo esc_attr( $notice_type ? 'notice inline notice-' . $notice_type : '' ); ?>">
+		<div class="<?php echo esc_attr( 'notice inline notice-' . $notice_type ); ?>">
 			<p><?php echo wp_kses_post( $notice ); ?></p>
 		</div>
 		<?php endforeach; ?>

includes/Yubico/U2F.php

@@ -486,6 +486,12 @@ class Registration
 
     /** The counter associated with this registration */
     public $counter = -1;
+
+    /** Whether this is a new registration */
+    public $new;
+
+    /** Timestamp when this registration was last used */
+    public $last_used;
 }
 
 /**

phpstan-bootstrap.php

@@ -0,0 +1,10 @@
+<?php
+/**
+ * PHPStan bootstrap file.
+ *
+ * Defines constants that are set at runtime in two-factor.php
+ * but unreachable during static analysis because of the ABSPATH guard.
+ */
+
+define( 'TWO_FACTOR_DIR', __DIR__ . '/' );
+define( 'TWO_FACTOR_VERSION', '0.15.0' );

phpstan.dist.neon

@@ -2,6 +2,8 @@ includes:
 	- vendor/szepeviktor/phpstan-wordpress/extension.neon
 parameters:
 	level: 0
+	bootstrapFiles:
+		- phpstan-bootstrap.php
 	paths:
 		- includes
 		- providers

providers/class-two-factor-email.php

@@ -328,7 +328,7 @@ public function generate_and_email_token( $user ) {
 	 *
 	 * @since 0.1-dev
 	 *
-	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param WP_User|false $user WP_User object of the logged-in user.
 	 */
 	public function authentication_page( $user ) {
 		if ( ! $user ) {
@@ -379,7 +379,7 @@ public function authentication_page( $user ) {
 	 * @return boolean
 	 */
 	public function pre_process_authentication( $user ) {
-		if ( isset( $user->ID ) && isset( $_REQUEST[ self::INPUT_NAME_RESEND_CODE ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- non-distructive option that relies on user state.
+		if ( isset( $_REQUEST[ self::INPUT_NAME_RESEND_CODE ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- non-distructive option that relies on user state.
 			$this->generate_and_email_token( $user );
 			return true;
 		}
@@ -397,7 +397,7 @@ public function pre_process_authentication( $user ) {
 	 */
 	public function validate_authentication( $user ) {
 		$code = $this->sanitize_code_from_request( 'two-factor-email-code' );
-		if ( ! isset( $user->ID ) || ! $code ) {
+		if ( ! $code ) {
 			return false;
 		}
 

providers/class-two-factor-fido-u2f-admin.php

@@ -237,11 +237,15 @@ public static function show_user_profile( $user ) {
 	 * @return void|never
 	 */
 	public static function catch_submission( $user_id ) {
-		if ( ! empty( $_REQUEST['do_new_security_key'] ) ) {
+		if ( ! empty( $_REQUEST['do_new_security_key'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce is verified immediately below.
 			check_admin_referer( "user_security_keys-{$user_id}", '_nonce_user_security_keys' );
 
+			if ( ! isset( $_POST['u2f_response'] ) ) {
+				return;
+			}
+
 			try {
-				$response = json_decode( stripslashes( $_POST['u2f_response'] ) );
+				$response = json_decode( wp_unslash( $_POST['u2f_response'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- JSON data decoded immediately.
 				$reg      = Two_Factor_FIDO_U2F::$u2f->doRegister( get_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, true ), $response );
 				$reg->new = true;
 
@@ -277,8 +281,8 @@ public static function catch_submission( $user_id ) {
 	public static function catch_delete_security_key() {
 		$user_id = Two_Factor_Core::current_user_being_edited();
 
-		if ( ! empty( $user_id ) && ! empty( $_REQUEST['delete_security_key'] ) ) {
-			$slug = $_REQUEST['delete_security_key'];
+		if ( ! empty( $user_id ) && ! empty( $_REQUEST['delete_security_key'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce requires the slug value, verified immediately below.
+			$slug = sanitize_text_field( wp_unslash( $_REQUEST['delete_security_key'] ) );
 
 			check_admin_referer( "delete_security_key-{$slug}", '_nonce_delete_security_key' );
 
@@ -297,10 +301,10 @@ public static function catch_delete_security_key() {
 	 * @access public
 	 * @static
 	 *
-	 * @param array $item The current item.
+	 * @param object $item The current item.
 	 * @return string
 	 */
-	public static function rename_link( $item ) {
+	public static function rename_link( $item ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found -- Required by WP_List_Table column callback interface.
 		return sprintf( '<a href="#" class="editinline">%s</a>', esc_html__( 'Rename', 'two-factor' ) );
 	}
 
@@ -312,7 +316,7 @@ public static function rename_link( $item ) {
 	 * @access public
 	 * @static
 	 *
-	 * @param array $item The current item.
+	 * @param object $item The current item.
 	 * @return string
 	 */
 	public static function delete_link( $item ) {
@@ -345,13 +349,23 @@ public static function wp_ajax_inline_save() {
 			wp_die();
 		}
 
-		foreach ( $security_keys as &$key ) {
-			if ( $key->keyHandle === $_POST['keyHandle'] ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+		$key = null;
+		foreach ( $security_keys as $security_key ) {
+			if ( $security_key->keyHandle === $_POST['keyHandle'] ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+				$key = $security_key;
 				break;
 			}
 		}
 
-		$key->name = $_POST['name'];
+		if ( ! $key ) {
+			wp_die();
+		}
+
+		if ( ! isset( $_POST['name'] ) ) {
+			wp_die();
+		}
+
+		$key->name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
 
 		$updated = Two_Factor_FIDO_U2F::update_security_key( $user_id, $key );
 		if ( ! $updated ) {

providers/class-two-factor-totp.php

@@ -317,10 +317,6 @@ public static function generate_qr_code_url( $user, $secret_key ) {
 	 * @codeCoverageIgnore
 	 */
 	public function user_two_factor_options( $user ) {
-		if ( ! isset( $user->ID ) ) {
-			return;
-		}
-
 		$key = $this->get_user_totp_key( $user->ID );
 
 		wp_enqueue_script( 'two-factor-qr-code-generator' );
@@ -690,15 +686,15 @@ public static function generate_key( $bitsize = self::DEFAULT_KEY_BIT_SIZE ) {
 	 *
 	 * @since 0.2.0
 	 *
-	 * @param string $value The value to be packed.
+	 * @param int $value The value to be packed.
 	 *
 	 * @return string Binary packed string.
 	 */
 	public static function pack64( $value ) {
 		// 64bit mode (PHP_INT_SIZE == 8).
 		if ( PHP_INT_SIZE >= 8 ) {
 			// If we're on PHP 5.6.3+ we can use the new 64bit pack functionality.
-			if ( version_compare( PHP_VERSION, '5.6.3', '>=' ) && PHP_INT_SIZE >= 8 ) {
+			if ( version_compare( PHP_VERSION, '5.6.3', '>=' ) ) {
 				return pack( 'J', $value ); // phpcs:ignore PHPCompatibility.ParameterValues.NewPackFormat.NewFormatFound
 			}
 			$highmap = 0xffffffff << 32;
@@ -870,7 +866,7 @@ public static function base32_encode( $string ) {
 		$base32_string     = '';
 
 		foreach ( $five_bit_sections as $five_bit_section ) {
-			$base32_string .= self::$base_32_chars[ base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
+			$base32_string .= self::$base_32_chars[ (int) base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
 		}
 
 		return $base32_string;