Skip to content

chore(phpstan): use unsealed array shapes for credentials#1330

Merged
datamweb merged 1 commit into
codeigniter4:developfrom
datamweb:fix-phpstan-error
May 30, 2026
Merged

chore(phpstan): use unsealed array shapes for credentials#1330
datamweb merged 1 commit into
codeigniter4:developfrom
datamweb:fix-phpstan-error

Conversation

@datamweb
Copy link
Copy Markdown
Collaborator

@datamweb datamweb commented May 30, 2026
edited
Loading

Description
This PR fixes PHPStan errors related to extra keys being passed to the $credentials array in Authenticators.

Error: Parameter #1 $credentials of method CodeIgniter\Shield\Authentication\Authenticators\Session::attempt() expects array{email?: string, username?: string, password?: string}, non-empty-array given.
Error: Parameter #1 $credentials of method CodeIgniter\Shield\Authentication\Authenticators\Session::attempt() expects array{email?: string, username?: string, password?: string}, array{status: 'abcde', password: 'secret123'} given.
Error: Parameter #1 $credentials of method CodeIgniter\Shield\Authentication\Authenticators\Session::attempt() expects array{email?: string, username?: string, password?: string}, array{status: '12345', password: 'secret123'} given.
 ------ ---------------------------------------------------------------------- 
  Line   src/Controllers/LoginController.php                                   
 ------ ---------------------------------------------------------------------- 
  71     Parameter #1 $credentials of method                                   
         CodeIgniter\Shield\Authentication\Authenticators\Session::attempt()   
         expects array{email?: string, username?: string, password?: string},  
         non-empty-array given.                                                
         🪪  argument.type                                                     
         💡  Sealed array shape can only accept a constant array. Extra keys   
         are not allowed.                                                      
 ------ ---------------------------------------------------------------------- 

 ------ ----------------------------------------------------------------------- 
  Line   tests/Authentication/Authenticators/SessionAuthenticatorTest.php       
 ------ ----------------------------------------------------------------------- 
  478    Parameter #1 $credentials of method                                    
         CodeIgniter\Shield\Authentication\Authenticators\Session::attempt()    
         expects array{email?: string, username?: string, password?: string},   
         array{status: 'abcde', password: 'secret123'} given.                   
         🪪  argument.type                                                      
         💡  Sealed array shape does not accept array with extra key 'status'.  
  482    Parameter #1 $credentials of method                                    
         CodeIgniter\Shield\Authentication\Authenticators\Session::attempt()    
         expects array{email?: string, username?: string, password?: string},   
         array{status: '12345', password: 'secret123'} given.                   
         🪪  argument.type                                                      
         💡  Sealed array shape does not accept array with extra key 'status'.  
 ------ ----------------------------------------------------------------------- 

Error:  [ERROR] Found 3 errors

Since Shield natively allows logging in with custom columns (via Auth.validFields) instead of just email or username, the strictly sealed array shapes in the DocBlocks were causing static analysis to fail when custom keys (like phone) were passed.

To solve this while preserving IDE autocomplete, I used PHPStan’s unsealed array shape feature by appending ... to the array definitions. This tells PHPStan to expect the defined keys but also safely allow extra custom columns without throwing the Extra keys are not allowed error.

see :
https://github.com/codeigniter4/shield/actions/runs/26674339169/job/78623302872
ref:
https://phpstan.org/blog/phpstan-2-2-unsealed-array-shapes-safer-array-keys

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@datamweb datamweb requested a review from michalsn May 30, 2026 07:05
@datamweb datamweb merged commit 056aae0 into codeigniter4:develop May 30, 2026
36 checks passed
@datamweb datamweb deleted the fix-phpstan-error branch May 30, 2026 07:30
@datamweb
Copy link
Copy Markdown
Collaborator Author

datamweb commented May 30, 2026

Thanks!

@paulbalandan
Copy link
Copy Markdown
Member

paulbalandan commented May 30, 2026

Sorry to be late to the show, but ... resolves to ...<array-key, mixed>, which means the keys can accept either string or int. Should it be string keys only?

@datamweb datamweb mentioned this pull request May 30, 2026
Open
5 tasks
@datamweb
Copy link
Copy Markdown
Collaborator Author

datamweb commented May 30, 2026

@paulbalandan Thanks for pointing that out! you were absolutely right.

I’ve opened a follow-up PR #1332 to correct this and restrict the extra credential keys accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michalsn michalsn michalsn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@datamweb @paulbalandan @michalsn