Move credentials to JWTImpl

Author: jakubboucek

src/Plugin/JWT/JWTFirebaseV5.php

@@ -3,6 +3,8 @@
 /**
  * The MIT License (MIT)
  * Copyright (c) 2022 Redbit s.r.o., Jakub Bouček
+ *
+ * @noinspection PhpUndefinedClassInspection OpenSSL only optional dependency
  */
 
 declare(strict_types=1);
@@ -15,6 +17,20 @@
 
 class JWTFirebaseV5 implements JWTImpl
 {
+    /** @var OpenSSLAsymmetricKey|OpenSSLCertificate|resource|string */
+    protected $key;
+    protected string $algorithm;
+
+    /**
+     * @param OpenSSLAsymmetricKey|OpenSSLCertificate|resource|string $key
+     * @param string $algorithm
+     */
+    public function __construct($key, string $algorithm = 'HS256')
+    {
+        $this->key = $key;
+        $this->algorithm = $algorithm;
+    }
+
     public static function isAvailable(): bool
     {
         if (class_exists(JWT::class) === false) {
@@ -34,14 +50,14 @@ public static function isAvailable(): bool
             && $params[2]->getName() === 'allowed_algs';
     }
 
-    public function decode(string $jwt, $key, string $alg): stdClass
+    public function decode(string $jwt): stdClass
     {
-        return JWT::decode($jwt, $key, [$alg]);
+        return JWT::decode($jwt, $this->key, [$this->algorithm]);
     }
 
-    public function encode(array $payload, $key, string $alg): string
+    public function encode(array $payload): string
     {
-        return JWT::encode($payload, $key, $alg);
+        return JWT::encode($payload, $this->key, $this->algorithm);
     }
 
     public function setTimestamp(?int $timestamp): void

src/Plugin/JWT/JWTFirebaseV6.php

@@ -3,6 +3,8 @@
 /**
  * The MIT License (MIT)
  * Copyright (c) 2022 Redbit s.r.o., Jakub Bouček
+ *
+ * @noinspection PhpUndefinedClassInspection Library support JWT 5.0
  */
 
 declare(strict_types=1);
@@ -33,9 +35,9 @@ public static function isAvailable(): bool
         return isset($params[2]) === false || $params[2]->getName() !== 'allowed_algs';
     }
 
-    public function decode(string $jwt, $key, string $alg): stdClass
+    public function decode(string $jwt): stdClass
     {
-        return JWT::decode($jwt, new Key($key, $alg));
+        return JWT::decode($jwt, new Key($this->key, $this->algorithm));
     }
 
 

src/Plugin/JWT/JWTImpl.php

@@ -15,9 +15,9 @@ interface JWTImpl
 {
     public static function isAvailable(): bool;
 
-    public function decode(string $jwt, $key, string $alg): stdClass;
+    public function decode(string $jwt): stdClass;
 
-    public function encode(array $payload, $key, string $alg): string;
+    public function encode(array $payload): string;
 
     public function setTimestamp(?int $timestamp): void;
 }

src/Plugin/SignedUrl.php

@@ -45,37 +45,35 @@ class SignedUrl implements Plugin
     private const URL_QUERY_TOKEN_KEY = '_debug';
     private const ISSUER_ID = 'cz.redbit.debug.url';
 
-    /** @var resource|string|OpenSSLAsymmetricKey|OpenSSLCertificate */
-    private $key;
-    private string $algorithm;
     private ?string $audience;
     private ?int $timestamp;
 
     private JWTImpl $jwt;
 
+    /**
+     * @param string|null $audience Recipient for which the JWT is intended
+     */
+    public function __construct(JWTImpl $jwt, ?string $audience = null)
+    {
+        $this->jwt = $jwt;
+        $this->audience = $audience;
+    }
+
     /**
      * @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate $key The key.
      * @param string $algorithm Supported algorithms are 'ES384','ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
-     * @param string|null $audience Recipient for which the JWT is intended
      * @noinspection PhpRedundantVariableDocTypeInspection
      */
-    public function __construct($key, string $algorithm = 'HS256', ?string $audience = null)
+    public static function create($key, string $algorithm = 'HS256', ?string $audience = null): self
     {
         /** @var class-string<JWTImpl> $impl */
         foreach ([JWTFirebaseV5::class, JWTFirebaseV6::class] as $impl) {
             if ($impl::isAvailable()) {
-                $this->jwt = new $impl;
-                break;
+                return new self(new $impl($key, $algorithm), $audience);
             }
         }
 
-        if (isset($this->jwt) === false) {
-            throw new LogicException(__CLASS__ . ' requires JWT library: firebase/php-jwt version ~5.0 or ~6.0');
-        }
-
-        $this->key = $key;
-        $this->algorithm = $algorithm;
-        $this->audience = $audience;
+        throw new LogicException(__CLASS__ . ' requires JWT library: firebase/php-jwt version ~5.0 or ~6.0');
     }
 
     /**
@@ -134,7 +132,7 @@ public function getToken(
             'val' => $value,
         ];
 
-        return $this->jwt->encode($payload, $this->key, $this->algorithm);
+        return $this->jwt->encode($payload);
     }
 
     public function __invoke(Detector $detector): ?bool
@@ -246,7 +244,7 @@ public function verifyToken(string $token): array
     {
         try {
             /** @var ClaimsSet $payload */
-            $payload = $this->jwt->decode($token, $this->key, $this->algorithm);
+            $payload = $this->jwt->decode($token);
         } catch (RuntimeException $e) {
             throw new SignedUrlVerificationException('JWT Token invalid', 0, $e);
         }

tests/Plugin/SignUrlTest.php

@@ -31,7 +31,7 @@ public function testSign(): void
     {
         $audience = 'test.' . __FUNCTION__;
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp(1600000000);
         $token = $plugin->signUrl('https://host.tld/path', 1600000600);
 
@@ -54,7 +54,7 @@ public function testSignQuery(): void
     {
         $audience = 'test.' . __FUNCTION__;
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp(1600000000);
         $token = $plugin->signUrl('https://host.tld/path?query=value', 1600000600);
 
@@ -77,7 +77,7 @@ public function testSignFragment(): void
     {
         $audience = 'test.' . __FUNCTION__;
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp(1600000000);
         $token = $plugin->signUrl('https://host.tld/path?query=value#fragment', 1600000600);
 
@@ -100,7 +100,7 @@ public function testGetToken(): void
     {
         $audience = 'test.' . __FUNCTION__;
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp(1600000000);
         $token = $plugin->getToken(
             'https://host.tld/path?query=value',
@@ -130,7 +130,7 @@ public function testVerifyToken(): void
         $audience = 'test.' . __FUNCTION__;
         $timestamp = 1600000000;
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         $token = $plugin->getToken(
             'https://host.tld/path?query=value',
@@ -140,7 +140,7 @@ public function testVerifyToken(): void
             SignedUrl::VALUE_ENABLE
         );
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         JWT::$timestamp = $timestamp;
         $parsed = $plugin->verifyToken($token);
@@ -154,11 +154,11 @@ public function testVerifyUrl(): void
         $timestamp = 1600000000;
         $url = 'https://host.tld/path';
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         $tokenUrl = $plugin->signUrl($url, 1600000600);
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         JWT::$timestamp = $timestamp;
         $parsed = $plugin->verifyUrl($tokenUrl);
@@ -172,11 +172,11 @@ public function testVerifyUrlQuery(): void
         $timestamp = 1600000000;
         $url = 'https://host.tld/path?query=value';
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         $tokenUrl = $plugin->signUrl($url, 1600000600);
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         JWT::$timestamp = $timestamp;
         $parsed = $plugin->verifyUrl($tokenUrl);
@@ -190,11 +190,11 @@ public function testVerifyRequest(): void
         $timestamp = 1600000000;
         $url = 'https://host.tld/path?query=value';
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         $tokenUrl = $plugin->signUrl($url, 1600000600);
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         JWT::$timestamp = $timestamp;
         $parsed = $plugin->verifyRequest(false, $tokenUrl, 'GET');
@@ -206,7 +206,7 @@ public function testSignInvalidUrl(): void
     {
         Assert::exception(static function () {
             $url = (string)base64_decode('Ly8Eijrg+qawZw==');
-            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $plugin = SignedUrl::create(self::KEY_HS256, 'HS256');
             $plugin->signUrl($url, 1600000600);
         }, LogicException::class);
     }
@@ -215,7 +215,7 @@ public function testSignRelativeUrl(): void
     {
         Assert::exception(static function () {
             $url = '/login?email=foo@bar.cz';
-            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $plugin = SignedUrl::create(self::KEY_HS256, 'HS256');
             $plugin->signUrl($url, 1600000600);
         }, LogicException::class);
     }
@@ -226,11 +226,11 @@ public function testVerifyPostRequest(): void
         $timestamp = 1600000000;
         $url = 'https://host.tld/path?query=value';
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         $tokenUrl = $plugin->signUrl($url, 1600000600);
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
         JWT::$timestamp = $timestamp;
         Assert::exception(static function () use ($plugin, $tokenUrl) {
@@ -241,7 +241,7 @@ public function testVerifyPostRequest(): void
     public function testVerifyInvalidRequest(): void
     {
         Assert::exception(static function () {
-            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $plugin = SignedUrl::create(self::KEY_HS256, 'HS256');
             $url = (string)base64_decode('Ly8Eijrg+qawZw==');
             $plugin->verifyRequest(false, $url, 'GET');
         }, SignedUrlVerificationException::class, 'Url is invalid');
@@ -250,7 +250,7 @@ public function testVerifyInvalidRequest(): void
     public function testVerifyInvalidUrl(): void
     {
         Assert::exception(static function () {
-            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $plugin = SignedUrl::create(self::KEY_HS256, 'HS256');
             $plugin->verifyUrl('https://host.tld/path?query=value');
         }, SignedUrlVerificationException::class, 'No token in URL');
     }
@@ -260,15 +260,15 @@ public function testVerifyUrlWithSuffix(): void
         $timestamp = 1600000000;
         $url = 'https://host.tld/path?query=value';
 
-        $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+        $plugin = SignedUrl::create(self::KEY_HS256, 'HS256');
         $plugin->setTimestamp($timestamp);
         $tokenUrl = $plugin->signUrl($url, 1600000600);
 
         $tokenUrl .= '&fbclid=123456789';
 
         Assert::exception(
             static function () use ($timestamp, $tokenUrl) {
-                $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+                $plugin = SignedUrl::create(self::KEY_HS256, 'HS256');
                 $plugin->setTimestamp($timestamp);
                 JWT::$timestamp = $timestamp;
                 $plugin->verifyUrl($tokenUrl);
@@ -288,7 +288,7 @@ public function testVerifyUrlWithSuffixRedirect(): void
             . '&fbclid=123456789';
 
         // Mock plugin without redirect
-        $plugin = new class(self::KEY_HS256, 'HS256', 'test.testSign') extends SignedUrl {
+        $plugin = new class(SignedUrl::create(self::KEY_HS256)->getJwt(), 'test.testSign') extends SignedUrl {
             protected function sendRedirectResponse(string $canonicalUrl): void
             {
                 $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJj'
@@ -315,7 +315,7 @@ public function testVerifyUrlWithSuffixRedirectFragment(): void
             . '#hash';
 
         // Mock plugin without redirect
-        $plugin = new class(self::KEY_HS256, 'HS256', 'test.testSign') extends SignedUrl {
+        $plugin = new class(SignedUrl::create(self::KEY_HS256)->getJwt(), 'test.testSign') extends SignedUrl {
             protected function sendRedirectResponse(string $canonicalUrl): void
             {
                 $expected = 'https://host.tld/path?query=value'