Use libsodium to encrypt data, stored in jwt tokens

This commit is contained in:
ErickSkrauch 2019-12-05 19:37:46 +03:00
parent c3ffb08c4a
commit 642db2e045
5 changed files with 27 additions and 8 deletions

View File

@ -4,7 +4,6 @@ declare(strict_types=1);
namespace api\components\Tokens;
use Carbon\Carbon;
use Defuse\Crypto\Crypto;
use Exception;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
@ -92,8 +91,27 @@ class Component extends BaseComponent {
}
}
public function encryptValue(string $rawValue): string {
/** @noinspection PhpUnhandledExceptionInspection */
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$cipher = base64_encode($nonce . sodium_crypto_secretbox($rawValue, $nonce, $this->encryptionKey));
sodium_memzero($rawValue);
return $cipher;
}
public function decryptValue(string $encryptedValue): string {
return Crypto::decryptWithPassword($encryptedValue, $this->encryptionKey);
$decoded = base64_decode($encryptedValue);
Assert::true($decoded !== false, 'passed value has an invalid base64 encoding');
Assert::true(mb_strlen($decoded, '8bit') >= (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES));
$nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
$cipherText = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
$rawValue = sodium_crypto_secretbox_open($cipherText, $nonce, $this->encryptionKey);
Assert::true($rawValue !== false);
sodium_memzero($cipherText);
return $rawValue;
}
private function getAlgorithmManager(): AlgorithmsManager {
@ -113,7 +131,7 @@ class Component extends BaseComponent {
private function prepareValue($value) {
if ($value instanceof EncryptedValue) {
return Crypto::encryptWithPassword($value->getValue(), $this->encryptionKey);
return $this->encryptValue($value->getValue());
}
return $value;

View File

@ -9,7 +9,7 @@ return [
'privateKeyPath' => codecept_data_dir('certs/private.pem'),
'privateKeyPass' => null,
'publicKeyPath' => codecept_data_dir('certs/public.pem'),
'encryptionKey' => 'mock-encryption-key',
'encryptionKey' => 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
],
'reCaptcha' => [
'public' => 'public-key',

View File

@ -54,7 +54,7 @@ class RefreshCest {
}
/**
* @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU0Nzk1NTMsImV4cCI6MTU3NTY1MjM1MywiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiJkZWY1MDIwMDE2ZTEzMTBmMzM2YzVjYWQzZDdiMTJmYjcyNmVhYzdlYjgyOGUzMzg1MzBhMmFmODdkZTJhMjRiMTVmNzAxNWQ1MjU1MjhiNGZiMjgzMTgxOTA2ODhlMWE4Njk5MjAwMzBlMTQyZmQ5ZWM5ODBlZDkzMWI1Mzc2MzgyMTliMjVjMjI1MjQyYzdmMjgzMjE0NjcyNDg3ZDQ4MTYxYjMwMGU1MGIzYWJlMTYwYjVkMmE4ZWMyMzMwMGJhMGNlMTg3MzYyYTgyMjJiYjQ4OTU0MzM4MDJiNTBlZDBhYzFhMWUwZDk3NDgxNDciLCJzdWIiOiJlbHl8MSJ9.PuM-8rzj4qtD9l0lUANSIWC8yjJe8ifarOYsAjc3r4iYFt0P6za-gzJEPncDC80oCXsYVlJHtrEypcsB9wJFSg", "clientToken": "d1b1162c-3d73-4b35-b64f-7bf68bd0e853"}
* @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU1NjE1MjgsImV4cCI6MTU3NTU2MTUyOCwiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiJZQU1YZ3kwQXBCOWdnVC9VWDYzSWk3SnBrTXdmcE5sWmhPMlVVRHhGd2ExZmdoOHZLMjdEbVdubzdsam5NaVlicENVbktPWFZ0dldWK1VYNXVkUFVRbCtOMWNwQWZSQS9hK2VtQWc9PSIsInN1YiI6ImVseXwxIn0.Yt3k9NpTthBVrrmcO6npd8n3zksolC2RI1m-NH2-_YEiaaCGC2vW8iszi3WB-g6f6Q64OYuQXxxXMl516PLTfA", "clientToken": "4f368b58-9097-4e56-80b1-f421ae4b53cf"}
* @example {"accessToken": "6042634a-a1e2-4aed-866c-c661fe4e63e2", "clientToken": "47fb164a-2332-42c1-8bad-549e67bb210c"}
*/
public function refreshExpiredToken(AuthserverSteps $I, Example $example) {

View File

@ -12,8 +12,8 @@
"ext-mbstring": "*",
"ext-pdo": "*",
"ext-simplexml": "*",
"ext-sodium": "*",
"bacon/bacon-qr-code": "^1.0",
"defuse/php-encryption": "^2.2",
"domnikl/statsd": "^2.6",
"ely/mojang-api": "^0.2.0",
"ely/yii2-tempmail-validator": "^2.0",

5
composer.lock generated
View File

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "10af6b999939a9f213664883387184ed",
"content-hash": "95971ae8836e4d182aae9e5c44021321",
"packages": [
{
"name": "bacon/bacon-qr-code",
@ -6733,7 +6733,8 @@
"ext-libxml": "*",
"ext-mbstring": "*",
"ext-pdo": "*",
"ext-simplexml": "*"
"ext-simplexml": "*",
"ext-sodium": "*"
},
"platform-dev": []
}