Use paragonie's Base64UrlSafe encoding library

This commit is contained in:
ErickSkrauch 2019-12-11 14:16:11 +03:00
parent cda4be04a1
commit 2caf0558de
3 changed files with 5 additions and 13 deletions

View File

@ -8,6 +8,7 @@ use Exception;
use Lcobucci\JWT\Builder; use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser; use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Token; use Lcobucci\JWT\Token;
use ParagonIE\ConstantTime\Base64UrlSafe;
use Webmozart\Assert\Assert; use Webmozart\Assert\Assert;
use yii\base\Component as BaseComponent; use yii\base\Component as BaseComponent;
@ -96,15 +97,14 @@ class Component extends BaseComponent {
public function encryptValue(string $rawValue): string { public function encryptValue(string $rawValue): string {
/** @noinspection PhpUnhandledExceptionInspection */ /** @noinspection PhpUnhandledExceptionInspection */
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$cipher = $this->base64UrlEncode($nonce . sodium_crypto_secretbox($rawValue, $nonce, $this->encryptionKey)); $cipher = Base64UrlSafe::encodeUnpadded($nonce . sodium_crypto_secretbox($rawValue, $nonce, $this->encryptionKey));
sodium_memzero($rawValue); sodium_memzero($rawValue);
return $cipher; return $cipher;
} }
public function decryptValue(string $encryptedValue): string { public function decryptValue(string $encryptedValue): string {
$decoded = $this->base64UrlDecode($encryptedValue); $decoded = Base64UrlSafe::decode($encryptedValue);
Assert::true($decoded !== false, 'passed value has an invalid base64 encoding');
Assert::true(mb_strlen($decoded, '8bit') >= (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)); Assert::true(mb_strlen($decoded, '8bit') >= (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES));
$nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit'); $nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
$cipherText = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit'); $cipherText = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
@ -139,12 +139,4 @@ class Component extends BaseComponent {
return $value; return $value;
} }
private function base64UrlEncode(string $rawValue): string {
return rtrim(strtr(base64_encode($rawValue), '+/', '-_'), '=');
}
private function base64UrlDecode(string $encodedValue): string {
return base64_decode(str_pad(strtr($encodedValue, '-_', '+/'), strlen($encodedValue) % 4, '=', STR_PAD_RIGHT));
}
} }

View File

@ -54,7 +54,7 @@ class RefreshCest {
} }
/** /**
* @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU1NjE1MjgsImV4cCI6MTU3NTU2MTUyOCwiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiJZQU1YZ3kwQXBCOWdnVC9VWDYzSWk3SnBrTXdmcE5sWmhPMlVVRHhGd2ExZmdoOHZLMjdEbVdubzdsam5NaVlicENVbktPWFZ0dldWK1VYNXVkUFVRbCtOMWNwQWZSQS9hK2VtQWc9PSIsInN1YiI6ImVseXwxIn0.Yt3k9NpTthBVrrmcO6npd8n3zksolC2RI1m-NH2-_YEiaaCGC2vW8iszi3WB-g6f6Q64OYuQXxxXMl516PLTfA", "clientToken": "4f368b58-9097-4e56-80b1-f421ae4b53cf"} * @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU1NjE1MjgsImV4cCI6MTU3NTU2MTUyOCwiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiIydnByWnRVdk40VTVtSnZzc0ozaXNpekdVWFhQYnFsV1FsQjVVRWVfUV81bkxKYzlsbUJ3VU1hQWJ1MjBtZC1FNzNtengxNWFsZmRJSU1OMTV5YUpBalZOM29vQW9IRDctOWdOcmciLCJzdWIiOiJlbHl8MSJ9.vwjXzy0VtjJlP6B4RxqoE69yRSBsluZ29VELe4vDi8GCy487eC5cIf9hz9oxp5YcdE7uEJZeqX2yi3nk_0nCaA", "clientToken": "4f368b58-9097-4e56-80b1-f421ae4b53cf"}
* @example {"accessToken": "6042634a-a1e2-4aed-866c-c661fe4e63e2", "clientToken": "47fb164a-2332-42c1-8bad-549e67bb210c"} * @example {"accessToken": "6042634a-a1e2-4aed-866c-c661fe4e63e2", "clientToken": "47fb164a-2332-42c1-8bad-549e67bb210c"}
*/ */
public function refreshExpiredToken(AuthserverSteps $I, Example $example) { public function refreshExpiredToken(AuthserverSteps $I, Example $example) {

View File

@ -55,7 +55,7 @@ class JwtIdentityTest extends TestCase {
'Token has been revoked', 'Token has been revoked',
]; ];
yield 'revoked by unauthorized minecraft launcher' => [ yield 'revoked by unauthorized minecraft launcher' => [
'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJlbHktc2NvcGVzIjoibWluZWNyYWZ0X3NlcnZlcl9zZXNzaW9uIiwiZWx5LWNsaWVudC10b2tlbiI6IllBTVhneTBBcEI5Z2dUL1VYNjNJaTdKcGtNd2ZwTmxaaE8yVVVEeEZ3YTFmZ2g4dksyN0RtV25vN2xqbk1pWWJwQ1VuS09YVnR2V1YrVVg1dWRQVVFsK04xY3BBZlJBL2ErZW1BZz09IiwiaWF0IjoxNTY0NjEwNTAwLCJzdWIiOiJlbHl8MSJ9.mxFgf4M1QSG4_Zd3sGoJUx9L9_XbjHd4T8-CWIVzmSPp2_9OHjq-CIFEwSwlfoz3QGN7NV0TpC8-PfRvjd93eQ', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJlbHktc2NvcGVzIjoibWluZWNyYWZ0X3NlcnZlcl9zZXNzaW9uIiwiZWx5LWNsaWVudC10b2tlbiI6IllBTVhneTBBcEI5Z2dUX1VYNjNJaTdKcGtNd2ZwTmxaaE8yVVVEeEZ3YTFmZ2g4dksyN0RtV25vN2xqbk1pWWJwQ1VuS09YVnR2V1YtVVg1dWRQVVFsLU4xY3BBZlJBX2EtZW1BZyIsImlhdCI6MTU2NDYxMDUwMCwic3ViIjoiZWx5fDEifQ.LtE9cQJ4z5dGVkDZl50M2HZH6kOYHgGz2RIycS_lzU9YLhosQ3ux7i2KI7qGI7BNuxO5zJ1OkxF2r9Qc240EpA',
'Token has been revoked', 'Token has been revoked',
]; ];
yield 'invalid signature' => [ yield 'invalid signature' => [