New property on AuthorizationServer to receive an encryption key which is used for future encryption/decryption instead of keybased encryption/decryption

src/AuthorizationServer.php

@@ -26,6 +26,8 @@ class AuthorizationServer implements EmitterAwareInterface
 {
     use EmitterAwareTrait;
 
+    const ENCRYPTION_KEY_ERROR = 'You must set the encryption key going forward to improve the security of this library - see this page for more information https://xxxx/xxxx';
+
     /**
      * @var GrantTypeInterface[]
      */
@@ -66,6 +68,11 @@ class AuthorizationServer implements EmitterAwareInterface
      */
     private $scopeRepository;
 
+    /**
+     * @var string
+     */
+    private $encryptionKey;
+
     /**
      * New server instance.
      *
@@ -101,6 +108,16 @@ class AuthorizationServer implements EmitterAwareInterface
         $this->responseType = $responseType;
     }
 
+    /**
+     * Set the encryption key
+     *
+     * @param string $key
+     */
+    public function setEncryptionKey($key)
+    {
+        $this->encryptionKey = $key;
+    }
+
     /**
      * Enable a grant type on the server.
      *
@@ -120,6 +137,11 @@ class AuthorizationServer implements EmitterAwareInterface
         $grantType->setPublicKey($this->publicKey);
         $grantType->setEmitter($this->getEmitter());
 
+        if ($this->encryptionKey === null) {
+            error_log(self::ENCRYPTION_KEY_ERROR);
+        }
+        $grantType->setEncryptionKey($this->encryptionKey);
+
         $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
         $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
     }
@@ -135,6 +157,10 @@ class AuthorizationServer implements EmitterAwareInterface
      */
     public function validateAuthorizationRequest(ServerRequestInterface $request)
     {
+        if ($this->encryptionKey === null) {
+            error_log(self::ENCRYPTION_KEY_ERROR);
+        }
+
         foreach ($this->enabledGrantTypes as $grantType) {
             if ($grantType->canRespondToAuthorizationRequest($request)) {
                 return $grantType->validateAuthorizationRequest($request);

src/CryptTrait.php

@@ -11,6 +11,8 @@
 
 namespace League\OAuth2\Server;
 
+use Defuse\Crypto\Crypto;
+
 trait CryptTrait
 {
     /**
@@ -23,6 +25,11 @@ trait CryptTrait
      */
     protected $publicKey;
 
+    /**
+     * @var string
+     */
+    protected $encryptionKey;
+
     /**
      * Set path to private key.
      *
@@ -54,6 +61,10 @@ trait CryptTrait
      */
     protected function encrypt($unencryptedData)
     {
+        if ($this->encryptionKey !== null) {
+            return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
+        }
+
         $privateKey = openssl_pkey_get_private($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
         $privateKeyDetails = @openssl_pkey_get_details($privateKey);
         if ($privateKeyDetails === null) {
@@ -91,6 +102,10 @@ trait CryptTrait
      */
     protected function decrypt($encryptedData)
     {
+        if ($this->encryptionKey !== null) {
+            return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
+        }
+
         $publicKey = openssl_pkey_get_public($this->publicKey->getKeyPath());
         $publicKeyDetails = @openssl_pkey_get_details($publicKey);
         if ($publicKeyDetails === null) {
@@ -118,4 +133,14 @@ trait CryptTrait
 
         return $output;
     }
+
+    /**
+     * Set the encryption key
+     *
+     * @param string $key
+     */
+    public function setEncryptionKey($key = null)
+    {
+        $this->encryptionKey = $key;
+    }
 }

src/Grant/GrantTypeInterface.php

@@ -132,4 +132,11 @@ interface GrantTypeInterface extends EmitterAwareInterface
      * @param CryptKey $publicKey
      */
     public function setPublicKey(CryptKey $publicKey);
+
+    /**
+     * Set the encryption key
+     *
+     * @param string|null $key
+     */
+    public function setEncryptionKey($key = null);
 }