spray-media/src/Infrastructure/Validation/HmacPayloadValidator.php at master · sarkis-sh/spray-media · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
<?php

namespace SprayMedia\Infrastructure\Validation;

use SprayMedia\Contracts\PayloadValidatorInterface;
use SprayMedia\Domain\Enums\MediaAction;
use SprayMedia\Domain\Exceptions\ExpiredLinkException;
use SprayMedia\Domain\Exceptions\InvalidActionException;
use SprayMedia\Domain\Exceptions\InvalidPayloadException;
use SprayMedia\Domain\Exceptions\InvalidSignatureException;
use SprayMedia\Domain\Exceptions\MissingSignatureDataException;
use Illuminate\Support\Facades\Config;

/**
 * Class HmacPayloadValidator
 *
 * Validates an HMAC-signed request. Its responsibilities include signature
 * verification, payload decoding, and expiration checks.
 *
 * @package SprayMedia\Infrastructure\Validation
 */
class HmacPayloadValidator implements PayloadValidatorInterface
{
    public function validate(array $request): array
    {
        $payload = $this->verifySignatureAndDecode($request);

        $action = isset($payload['action']) ? MediaAction::tryFrom($payload['action']) : null;

        if (!$action) {
            throw new InvalidActionException();
        }

        $this->validateExpiration($payload);

        return $payload;
    }

    /**
     * Verifies the HMAC signature and decodes the payload from the request.
     */
    private function verifySignatureAndDecode(array $request): array
    {
        $data = $request['data'] ?? null;
        $signature = $request['signature'] ?? null;
        $config = Config::get('spray-media.hmac');

        if (!$data || !$signature) {
            throw new MissingSignatureDataException();
        }

        $expectedSignature = hash_hmac($config['algorithm'], $data, $config['secret']);

        if (!hash_equals($expectedSignature, $signature)) {
            throw new InvalidSignatureException();
        }

        $payload = json_decode(base64_decode($data), true);

        if (json_last_error() !== JSON_ERROR_NONE || !is_array($payload)) {
            throw new InvalidPayloadException();
        }

        return $payload;
    }

    /**
     * Validates the 'expires_at' timestamp within the payload.
     */
    private function validateExpiration(array $payload): void
    {
        if (isset($payload['expires_at']) && $payload['expires_at'] < now()->timestamp) {
            throw new ExpiredLinkException();
        }
    }
}