Merge pull request #543 from psr7-sessions/renovate/all-minor-patch

Update all non-major dependencies

composer.json

@@ -32,9 +32,9 @@
     },
     "require-dev": {
         "doctrine/coding-standard":               "^10.0.0",
-        "laminas/laminas-diactoros":              "^2.19.0",
-        "laminas/laminas-httphandlerrunner":      "^2.3.0",
-        "phpunit/phpunit":                        "^9.5.25",
+        "laminas/laminas-diactoros":              "^2.20.0",
+        "laminas/laminas-httphandlerrunner":      "^2.4.0",
+        "phpunit/phpunit":                        "^9.5.26",
         "psalm/plugin-phpunit":                   "^0.17.0",
         "roave/infection-static-analysis-plugin": "^1.25.0",
         "squizlabs/php_codesniffer":              "^3.7.1",

src/Storageless/Http/SessionMiddleware.php

@@ -199,7 +199,7 @@ private function appendToken(SessionInterface $sessionContainer, Response $respo
             return FigResponseCookies::set($response, $this->getExpirationCookie());
         }
 
-        if ($sessionContainerChanged || ($this->shouldTokenBeRefreshed($token) && ! $sessionContainer->isEmpty())) {
+        if ($sessionContainerChanged || $this->shouldTokenBeRefreshed($token)) {
             return FigResponseCookies::set($response, $this->getTokenCookie($sessionContainer));
         }
 
@@ -208,12 +208,15 @@ private function appendToken(SessionInterface $sessionContainer, Response $respo
 
     private function shouldTokenBeRefreshed(Token|null $token): bool
     {
+        if ($token === null) {
+            return false;
+        }
+
         $refreshTime = $this->clock->now()->sub(new DateInterval(sprintf('PT%sS', $this->refreshTime)));
 
         assert($refreshTime !== false);
 
-        return $token !== null
-            && $token->hasBeenIssuedBefore($refreshTime);
+        return $token->hasBeenIssuedBefore($refreshTime);
     }
 
     /** @throws BadMethodCallException */

test/StoragelessTest/Http/SessionMiddlewareTest.php

@@ -367,6 +367,33 @@ public function testWillRefreshTokenWithIssuedAtExactlyAtTokenRefreshTimeThresho
         self::assertEquals($now, $token->claims()->get(RegisteredClaims::ISSUED_AT), 'Token was refreshed');
     }
 
+    public function testWillNotRefreshATokenForARequestWithNoGivenTokenAndNoSessionModification(): void
+    {
+        $key        = self::makeRandomSymmetricKey();
+        $middleware = new SessionMiddleware(
+            Configuration::forAsymmetricSigner(
+                new Sha256(),
+                $key,
+                $key,
+            ),
+            SetCookie::create(SessionMiddleware::DEFAULT_COOKIE),
+            1000,
+            new FrozenClock(new DateTimeImmutable()),
+            100,
+        );
+
+        self::assertNull(
+            $this
+                ->getCookie($middleware->process(
+                    (new ServerRequest())
+                        ->withCookieParams([SessionMiddleware::DEFAULT_COOKIE => 'invalid-token']),
+                    $this->fakeDelegate(static fn (): ResponseInterface => new Response()),
+                ))
+                ->getValue(),
+            'No session cookie was set, since session data was not changed, and the token was not valid',
+        );
+    }
+
     /**
      * @param callable(): SessionMiddleware $middlewareFactory
      *