acquia / http-hmac-php Goto Github PK

Currently the list of custom headers is a whitelist, it would be great to specify a glob of headers prefixed with something like "acquia".

Silex will become end-of-life in June. We should stop supporting it.

Any chance this can be updated to be included with a project that requires PHP 8.1?
It is locked to PHP 7.2

Via typhonius/acquia-php-sdk-v2#1, ResponseAuthenticator will throw a MalformedRequest exception if it detects there is no X-Server-Authorization-HMAC-SHA256 header.

However, according to the spec, the header should be set if, and only if, the request could be authenticated (emphasis mine):

If the server authenticates the request successfully, it will add the following HTTP headers to the response (for all non-HEAD requests):

X-Server-Authorization-HMAC-SHA256: <HMACServerAuthorization>

ResponseAuthenticator should not throw an exception if the server response indicates the request could not be authenticated. We're probably safe to assume that this means a 401 response.

In both files equals operators are used to test the expected hmac against the calculated hmac.
This makes the check susceptible to timing attacks.

Instead you should use: hash_equals(hmac1, hmac2) - available since PHP 5.6

I'm using the Guzzle handler on the request side and the Symfony firewall on the response side, everything seems to be configured as it should (the key is found, the headers are found, etc..) but I alway receive the "401 Signature not valid" response.

I also tried without the symfony intergration, doing the validation manually but the problem remain the same.

I believe either there is a bug or there is something missing in the documentation.

Please tell me what information you need to resolve this issue. Thanks !

Hey, I tried to install this library on Symfony 5.2 with PHP 8

composer update
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "5.2.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires acquia/http-hmac-php ^5.0 -> satisfiable by acquia/http-hmac-php[5.0.0].
    - acquia/http-hmac-php 5.0.0 requires php ^7.2 -> your php version (8.0.2) does not satisfy that requirement.

By default it will install ^3.4 which in turn will later result in

In ClassExistenceResource.php line 74:

  Class "Symfony\Component\Security\Http\Firewall\ListenerInterface" not found while loading "Acquia\Hmac\Symfony\HmacAuthenticationListener".

Are there any plans on supporting PHP 8 any soon?

Thanks in advance!

From the spec:

Host: The (lowercase) hostname, matching the HTTP "Host" request header field (including any port number)

But in the code, no port number is added to the string, so the signature does not match when using a non-standard port.

Hey,

In ResponseSigner.php the Response body stream in being consumed by signResponse() at line 60. Although explicit casting using __toString() will always rewind a stream before reading it, calling the getContents() method from StreamInterface will not. As a result, the middleware is breaking expected behavior, since Response::getBody()->getContents() will always return empty string after a POST.

I fixed it with a simple $response->getBody()->rewind() just after assigning $parts. I guess you can also use tell() and the seek() but I failed to find any real-life scenarios where it would make sense for a middleware to start reading the stream halfway through.

Do you want a pull request for this or is the fix trivial enough like this?

Cheers,

Matt

https://github.com/kriswallsmith/Buzz

We need a RequestInterface implementation for Guzzle5 as well as an Auth Plugin modeled after the one implemented for Guzzle3.

PHP 5.5 reached end of life at the end of July: we should stop supporting it, as it would avoid us having to maintain polyfills like in #21.

My recommendation is to deprecate it in the next version, 3.1.2, and then release an acquia/http-hmac-php 4.0 that removes the hash_equals() polyfill and pegs support to PHP 5.6 only.

Describe the bug
I created a ticket at https://www.drupal.org/project/drupal/issues/3424183#comment-15464851

When trying to upgrade Drupal core to 10.2.2 or later with drupal/core-recommended installed, it fails.

drupal/core-recommended requires symfony/psr-http-message-bridge ~v6.4.0
acquia/http-hmac-php requires "symfony/psr-http-message-bridge": "^2.0",

Problem 1

• Root composer.json requires drupal/core-recommended 10.2.3 -> satisfiable by drupal/core-recommended[10.2.3].
• drupal/core-recommended 10.2.3 requires symfony/psr-http-message-bridge ~v6.4.0 -> found symfony/psr-http-message-bridge[v6.4.0-BETA1, ..., 6.4.x-dev] but these were not loaded, likely because it conflicts with another require.

Version 1 is effectively deprecated, v2 is the latest and greatest. We should implement v2 of the spec in this library.

This will likely be a massive refactoring, so this will result in a 3.0 version of this library. We can therefore drop support for the V1 version of the algorithm, as if you are using V1 then you should stick with the V2 version of this library.

\Acquia\Hmac\RequestSigner::signRequest
so each test fails, prerequest JS for postman also do not set hmac.key so generaly it sucks.

API keys that are UUIDs or have underscores do not validate.

I've written a Symfony2 Integration, can you take a look and tell me your opinion
https://github.com/ibrows/IbrowsHmacBundle