fix: reject JSON array bodies in metadata enrichment

Treat JSON list arrays (e.g. [] or ["..."]) as invalid metadata in
enrichAuthServerMetadata() to prevent corrupting the response shape
by adding registration_endpoint to a non-object.

Author: simonchrz

src/Server/Transport/Http/Middleware/ClientRegistrationMiddleware.php

@@ -127,7 +127,7 @@ private function enrichAuthServerMetadata(ResponseInterface $response): Response
             return $response;
         }
 
-        if (!\is_array($metadata)) {
+        if (!\is_array($metadata) || ([] !== $metadata && array_is_list($metadata))) {
             if ($stream->isSeekable()) {
                 $stream->rewind();
             }

tests/Unit/Server/Transport/Http/Middleware/ClientRegistrationMiddlewareTest.php

@@ -274,6 +274,20 @@ public function testMetadataEnrichmentRewindsStreamOnNonObjectJsonBody(): void
         $this->assertSame('"just a string"', $response->getBody()->getContents());
     }
 
+    #[TestDox('GET /.well-known/oauth-authorization-server with JSON array body passes through unchanged')]
+    public function testMetadataEnrichmentPassesThroughJsonArrayBody(): void
+    {
+        $registrar = $this->createStub(ClientRegistrarInterface::class);
+        $middleware = $this->createMiddleware($registrar);
+
+        $request = $this->factory->createServerRequest('GET', 'http://localhost:8000/.well-known/oauth-authorization-server');
+        $handler = $this->createPlainTextHandler(200, '["not","an","object"]');
+
+        $response = $middleware->process($request, $handler);
+
+        $this->assertSame('["not","an","object"]', $response->getBody()->getContents());
+    }
+
     #[TestDox('GET /.well-known/oauth-authorization-server with non-200 status passes through unchanged')]
     public function testMetadataNon200PassesThrough(): void
     {