diff --git a/README.md b/README.md
index 6f7a2b0e..57518dd5 100644
--- a/README.md
+++ b/README.md
@@ -26,8 +26,8 @@ Check our docs page to get a complete guide on how to install it in an existing
 ## Security Upgrade Notes 5.1.0+
-**State validation** is now default behaviour for improved security. By default this will automatically use **Session Storage** and will
-apply if you are using the combination of the `Auth0->login()` method to call the `/authorize` endpoint and using any method which calls the `Auth0->exchange()` method in your callback.
+**State validation** is now default behaviour for improved security. By default this will automatically use **Session Storage** and will apply if you are using the combination of the `Auth0->login()` method to call the `/authorize` endpoint and using any method which calls the `Auth0->exchange()` method in your callback.
+
 If you require custom storage methods you can implement your own [StateHandler](https://github.com/auth0/auth0-PHP/blob/master/src/API/Helpers/State/StateHandler.php) and set it using the `state_handler` key when you initialize an `Auth0` instance.
 **Important:** If you are using the `Auth0->exchange()` and using a method other than `Auth0->login()` to generate the Authorize URL you can disable the *StateHandler* by setting the `state_handler` key to `false` when you initialize the `Auth0` instance. However, it is **Highly Recommended** to implement state validation.
diff --git a/src/API/Helpers/State/SessionStateHandler.php b/src/API/Helpers/State/SessionStateHandler.php
index 2d70ef52..999183ab 100644
--- a/src/API/Helpers/State/SessionStateHandler.php
+++ b/src/API/Helpers/State/SessionStateHandler.php
@@ -3,7 +3,6 @@
 namespace Auth0\SDK\API\Helpers\State;
 use Auth0\SDK\Store\SessionStore;
-use Auth0\SDK\Exception\CoreException;
 /*
 * This file is part of Auth0-PHP package.
@@ -54,10 +53,12 @@ public function store($state) {
 /**
 * Perform validation of the returned state with the previously generated state.
- *
- * @param string $state
- *
- * @throws exception
+ *
+ * @param string $state
+ *
+ * @return bool
+ *
+ * @throws \Exception
 */
 public function validate($state) {
 $valid = $this->store->get(self::STATE_NAME) == $state;
diff --git a/src/API/Helpers/State/StateHandler.php b/src/API/Helpers/State/StateHandler.php
index 78c5c9ef..721820f8 100644
--- a/src/API/Helpers/State/StateHandler.php
+++ b/src/API/Helpers/State/StateHandler.php
@@ -18,7 +18,8 @@
 *
 * @author Auth0
 */
-interface StateHandler {
+interface StateHandler
+{
 /**
 * Generate state value to be used for the state param value during authorization.
diff --git a/src/Auth0.php b/src/Auth0.php
index 2582416e..82f95486 100644
--- a/src/Auth0.php
+++ b/src/Auth0.php
@@ -273,8 +273,8 @@ public function login($state = null, $connection = null, $additional_params = []
 }
 $params['response_mode'] = $this->response_mode;
-
- if($additional_params) {
+
+ if( ! empty( $additional_params ) && is_array( $additional_params ) ) {
 $params = array_replace($params, $additional_params);
 }
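Review bot: The docblock now promises `@return bool`, but the comparison on the hunk's last line, `$this->store->get(self::STATE_NAME) == $state`, is a loose `==`: if `get()` yields `null` for a missing key, an empty `$state` compares equal to it (`null == ''` is true in PHP), and two numeric-looking strings compare by numeric value rather than byte-for-byte, so the documented contract is weaker than it reads. A strict, timing-safe check fits the documented behaviour better, e.g. `$stored = $this->store->get(self::STATE_NAME);` / `$valid = is_string($stored) && is_string($state) && hash_equals($stored, $state);`, with a docblock line stating that a missing stored state is treated as invalid. The rest of validate()'s body, including where the documented `\Exception` is thrown, lies outside the hunk.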
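Review bot: The new guard on the `if` line silently discards a non-array `$additional_params` instead of rejecting it, so a caller that passes, say, a query string by mistake gets a login URL with the extras dropped and no error. The `! empty()` half is also redundant once `is_array()` is there, because `array_replace($params, [])` is a no-op. Consider `if ($additional_params !== [] && !is_array($additional_params)) { throw new \InvalidArgumentException('additional_params must be an array'); }` ahead of the merge, or at least a comment stating that non-array input is intentionally ignored. Note that `array_replace` lets the caller's array overwrite every generated key, including the `response_mode` set two lines above and presumably the `state` value; if that override is intended it deserves a line in login()'s docblock, whose signature and remaining body are outside the hunk. Finally, the `if( ! empty( ... ) )` spacing differs from the `array_replace($params, $additional_params)` style on the next line; `if (!empty($additional_params) && is_array($additional_params)) {` matches it.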