Fix PHPCS and PHPStan issues across multiple files

[aslamdoctor]

Summary

• Add PHPStan bootstrap file for runtime constants (TWO_FACTOR_DIR, TWO_FACTOR_VERSION) unreachable during static analysis
• Add missing properties ($new, $last_used) to Registration class in includes/Yubico/U2F.php
• Fix PHPDoc types for show_two_factor_login, process_provider, authentication_page, rename_link, delete_link, and pack64
• Fix undefined variable bug in wp_ajax_inline_save where a non-matching key could be incorrectly updated
• Add input validation, sanitization (sanitize_text_field), and wp_unslash for $_POST/$_REQUEST usage in class-two-factor-fido-u2f-admin.php
• Remove redundant isset($user->ID) checks and always-true conditions
• Cast base_convert() result to (int) for array offset usage in base32_encode()

Reference #437

Test plan

• Run ./vendor/bin/phpstan analyse --memory-limit=1G --no-progress — should pass with 0 errors at level 0
• Temporarily set PHPStan level to 3 in phpstan.dist.neon and run analysis — should pass with 0 errors
• Temporarily set PHPStan level to 4 in phpstan.dist.neon and run analysis — should pass with 0 errors
• Run ./vendor/bin/phpcs --standard=WordPress providers/class-two-factor-fido-u2f-admin.php — should pass with 0 errors/warnings
• Verify TOTP authentication and setup still works
• Verify email-based two-factor authentication still works

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: aslamdoctor <aslamdoctor@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[masteradhoc]

@aslamdoctor U2F.php and fido-u2f-admin you can ignore, we'll remove them in PR #439 completely.

[georgestephanis]

I almost wonder if this would be good to rename more generally and include from the main plugin file so these aren't needing to be maintained in multiple places?

I could be overthinking this though.

[georgestephanis]

A number of these extra conditionals that you're clearing are there to account for unit tests that pass in false to authentication page methods --

#19

Are we sure they're safe to remove in the testing context as well as the real-world use context?

[aslamdoctor]

Good catch! Tests do pass false as $user to these methods (e.g. test_authentication_page_no_user), so removing isset($user->ID) without a replacement guard would cause errors when $code is truthy or the resend param is set.

I've added explicit early return guards (if ( \! $user ) return false;) to both pre_process_authentication() and validate_authentication(), matching the pattern already used in authentication_page(). Also updated the @param docs to WP_User|false.

[georgestephanis]

Whoops my stuff was outdated. That's what I get for being up and working early on a Sunday.

[masteradhoc]

Thanks for your reviews @georgestephanis. Always highly appreciated!! :)

[aslamdoctor]

Can you mark them resolved? I didn't as I wanted to make sure all is ok.