@@ -45,24 +45,48 @@ public function __construct(PropertyAccessorInterface $propertyAccessor, array $
4545 }
4646
4747 /**
48- * Verifies the hash using the provided user and expire time.
48+ * Verifies the hash using the provided user identifier and expire time.
49+ *
50+ * This method must be called before the user object is loaded from a provider.
4951 *
5052 * @param int $expires The expiry time as a unix timestamp
5153 * @param string $hash The plaintext hash provided by the request
5254 *
5355 * @throws InvalidSignatureException If the signature does not match the provided parameters
5456 * @throws ExpiredSignatureException If the signature is no longer valid
5557 */
56- public function verifySignatureHash ( UserInterface $ user int $ expiresstring $ hashvoid
58+ public function acceptSignatureHash ( string $ userIdentifier int $ expiresstring $ hashvoid
5759 {
58- if (!hash_equals ($ hash$ this computeSignatureHash ($ user$ expires
60+ if ($ expirestime ()) {
61+ throw new ExpiredSignatureException ('Signature has expired. ' );
62+ }
63+ $ hmacsubstr ($ hash0 , 44 );
64+ $ payloadsubstr ($ hash44 ).': ' .$ expires': ' .$ userIdentifier
65+
66+ if (!hash_equals ($ hmac$ this generateHash ($ payload
5967 throw new InvalidSignatureException ('Invalid or expired signature. ' );
6068 }
69+ }
6170
71+ /**
72+ * Verifies the hash using the provided user and expire time.
73+ *
74+ * @param int $expires The expiry time as a unix timestamp
75+ * @param string $hash The plaintext hash provided by the request
76+ *
77+ * @throws InvalidSignatureException If the signature does not match the provided parameters
78+ * @throws ExpiredSignatureException If the signature is no longer valid
79+ */
80+ public function verifySignatureHash (UserInterface $ userint $ expiresstring $ hashvoid
81+ {
6282 if ($ expirestime ()) {
6383 throw new ExpiredSignatureException ('Signature has expired. ' );
6484 }
6585
86+ if (!hash_equals ($ hash$ this computeSignatureHash ($ user$ expires
87+ throw new InvalidSignatureException ('Invalid or expired signature. ' );
88+ }
89+
6690 if ($ this expiredSignaturesStorage && $ this maxUses ) {
6791 if ($ this expiredSignaturesStorage ->countUsages ($ hash$ this maxUses ) {
6892 throw new ExpiredSignatureException (sprintf ('Signature can only be used "%d" times. ' , $ this maxUses ));
@@ -79,7 +103,8 @@ public function verifySignatureHash(UserInterface $user, int $expires, string $h
79103 */
80104 public function computeSignatureHash (UserInterface $ userint $ expiresstring
81105 {
82- $ signatureFieldsbase64_encode ($ usergetUserIdentifier ()), $ expires
106+ $ userIdentifier$ usergetUserIdentifier ();
107+ $ fieldsHashhash_init ('sha256 ' );
83108
84109 foreach ($ this signatureProperties as $ property
85110 $ value$ this propertyAccessor ->getValue ($ user$ property'' ;
@@ -90,9 +115,16 @@ public function computeSignatureHash(UserInterface $user, int $expires): string
90115 if (!\is_scalar ($ value$ valueinstanceof \Stringable) {
91116 throw new \InvalidArgumentException (sprintf ('The property path "%s" on the user object "%s" must return a value that can be cast to a string, but "%s" was returned. ' , $ property$ userget_debug_type ($ value
92117 }
93- $ signatureFields [] = base64_encode ($ value
118+ hash_update ( $ fieldsHash , ' : ' . base64_encode ($ value) );
94119 }
95120
96- return base64_encode (hash_hmac ('sha256 ' , implode (': ' , $ signatureFields$ this secret ));
121+ $ fieldsHashstrtr (base64_encode (hash_final ($ fieldsHashtrue )), '+/= ' , '-_~ ' );
122+
123+ return $ this generateHash ($ fieldsHash': ' .$ expires': ' .$ userIdentifier$ fieldsHash
124+ }
125+
126+ private function generateHash (string $ tokenValuestring
127+ {
128+ return strtr (base64_encode (hash_hmac ('sha256 ' , $ tokenValue$ this secret , true )), '+/= ' , '-_~ ' );
97129 }
98130}
0 commit comments