Skip to content
Vendidit Auth

HttpTransport

class Vendidit\AuthServer\Http\HttpTransport Source: src/Http/HttpTransport.php

Default Transport implementation. PSR-18 client + PSR-17 factories.

Responsibilities:

  • Build absolute URLs from Config + path.
  • JSON-encode bodies + decode responses.
  • Auto-attach the bearer token when an access token is passed in.
  • Inject Idempotency-Key on unsafe methods (POST/PUT/PATCH/DELETE) so retries (when caller chooses to retry) hit the server’s idempotency middleware idempotently. AUTH-PHP-LARAVEL-DESIGN §3.10.
  • Redact sensitive fields from any log emission.
  • Map non-2xx via ErrorMapper.

Note: TwoFactorRequiredException is intentionally NOT thrown by this transport — LoginFlow checks for the requires_2fa flag and returns the AuthResponse directly so the caller can prompt the user. ErrorMapper does produce the exception class for callers that prefer the thrown shape, but flows skip the throw on that one specific case.

Methods

redact(array $payload)

@var array<string,list> $h */ $h = []; foreach ($resp->getHeaders() as $name => $values) { $h[$name] = $values; }

    $exception = ErrorMapper::fromResponse($status, $decoded, $h);
    // Flows that care about requires_2fa intercept before throw — but
    // by default a thrown TwoFactorRequiredException is fine for app-
    // level middleware. We always throw, never swallow.
    throw $exception;
}


/** Visible-for-tests: redact sensitive keys before logging.