Fix GPG nonce UUID validation using incorrect operand

[flightlesstux]

Problem

In GpgAuthenticator::_checkNonce(), the UUID validation check compares the wrong operand:

// Before — semantically wrong
if ($version != Validation::uuid($uuid)) {

Validation::uuid() returns a boolean (true/false), not the UUID string. The variable being compared is $version — the protocol string 'gpgauthv1.3.0' — which has nothing to do with UUID validation.

This works today only because PHP loose type coercion happens to produce the correct boolean outcome:

• Valid UUID → Validation::uuid() returns true → 'gpgauthv1.3.0' != true → false → no error ✓
• Invalid UUID → Validation::uuid() returns false → 'gpgauthv1.3.0' != false → true → error triggered ✓

However, this is a fragile coincidence. If Validation::uuid() ever returns a non-boolean (e.g., the validated string itself), the check would silently stop rejecting invalid UUIDs in the GPG authentication flow.

Fix

Replace the accidental loose comparison with a direct boolean check on the validation result:

// After — explicit and correct
if (!Validation::uuid($uuid)) {

Impact

• The authentication behaviour is unchanged in the current PHP/CakePHP version
• The fix makes the intent explicit and removes reliance on accidental type coercion
• Prevents a silent security regression if the validation helper's return type changes

[CLAassistant]

All committers have signed the CLA.

[stripthis]

@flightlesstux Looks good. Good catch.

[flightlesstux]

@flightlesstux Looks good. Good catch.

Thank you!