[RFC]: Autogenerate OAuth2 keys when cloning the project #397

@alexmerlin

Description

RFC

Currently, the OAuth2 keys used to generate/check authorization tokens are stored in the repository under data/oauth/.
These files should be unique per project deployment because reusing the same keys might be a potential security threat.
I do not have a test case for exploiting this threat, but with the proper knowledge, I expect that it may prove exploitable.

Q                    A
Proposed Version(s)  x.y.0
BC Break?            No

Goal

Public/private/encryption keys are not stored in the repo, but autogenerated after cloning the repo.

Proposal(s)

  • Remove existing OAuth2 keys from data/oauth/
  • Add Composer post-install-cmd/post-update-cmd command: ./vendor/bin/generate-oauth2-keys

Executing the command:

./vendor/bin/generate-oauth2-keys

will output:

This script is provided as a convenient way to generate keys for
the OAuth2 server provider. You may choose instead to use an
alternative method. For more information, see the install docs:
https://oauth2.thephpleague.com/installation/

Found a good location for keys:
/var/www/api.dotkernel.localhost/html/data

We'll put them in a subdirectory:
/var/www/api.dotkernel.localhost/html/data/oauth

Using 2048 bits to generate key of type RSA

Private key stored in:
/var/www/api.dotkernel.localhost/html/data/oauth/private.key
Public key stored in:
/var/www/api.dotkernel.localhost/html/data/oauth/public.key
Encryption key stored in:
/var/www/api.dotkernel.localhost/html/data/oauth/encryption.key
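The proposed hook written out as a POSIX shell script, as an added example that is not DotKernel's or league/oauth2-server's code: it generates the three files only when none exist (so a post-update-cmd run cannot silently rotate keys and invalidate every issued token) and adds two checks a deployment can run, one for file permissions and one that the keys are not going to be committed. It assumes openssl on PATH and models encryption.key as 32 random bytes, base64-encoded, which is an assumption about the generator's format rather than its code.

```shell
#!/bin/sh
# Added example, not DotKernel or league/oauth2-server code.
# Assumes: openssl on PATH; encryption.key modelled as 32 random bytes,
# base64-encoded (an assumption about the generator's format, not its code).

# Write private.key, public.key and encryption.key under $1 unless any of
# them already exists. Regenerating would invalidate every issued token, so
# an existing set is left untouched (safe to wire into post-update-cmd).
generate_oauth2_keys() {
    dir="$1"
    for f in private.key public.key encryption.key; do
        if [ -e "$dir/$f" ]; then
            echo "$dir/$f already exists; keeping current keys" >&2
            return 0
        fi
    done
    mkdir -p "$dir" || return 1
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077   # new files are owner-readable only (0600)
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/private.key" 2>/dev/null &&
        openssl pkey -in "$dir/private.key" -pubout \
            -out "$dir/public.key" 2>/dev/null &&
        openssl rand -base64 32 > "$dir/encryption.key"
    ) || return 1
    echo "OAuth2 keys written to $dir" >&2
}

# Succeed only if no *.key under $1 is readable by group or others, i.e.
# other accounts on the host cannot read the token-signing key.
keys_private_to_owner() {
    dir="$1"
    leaked=$(find "$dir" -name '*.key' \( -perm -g=r -o -perm -o=r \) 2>/dev/null)
    if [ -n "$leaked" ]; then
        echo "group/world-readable key files:" "$leaked" >&2
        return 1
    fi
    return 0
}

# Succeed only if git ignores all three key files. A key that is already
# tracked is reported as not ignored, so this fails for a repo that ships
# keys under data/oauth/, which is exactly the state this RFC removes.
keys_ignored_by_git() {
    dir="$1"
    for f in private.key public.key encryption.key; do
        git -C "$dir" check-ignore -q -- "$dir/$f" || return 1
    done
    return 0
}
```

The file owner must be the account the PHP process runs as, otherwise the 0600 mode that keeps other users out also keeps the application out.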
