feat(http)!: automatically encrypt cookies (#1447)

Author: innocenzi

packages/core/src/Kernel/LoadConfig.php

@@ -45,7 +45,7 @@ public function find(): array
         $suffixes = [
             'production' => ['.production.config.php', '.prod.config.php', '.prd.config.php'],
             'staging' => ['.staging.config.php', '.stg.config.php'],
-            'testing' => ['.test.config.php'],
+            'testing' => ['.test.config.php', '.testing.config.php'],
             'development' => ['.dev.config.php', '.local.config.php'],
         ];
 

packages/cryptography/src/Encryption/EncryptedData.php

@@ -27,12 +27,12 @@ public function serialize(): string
             'algorithm' => $this->algorithm->value,
         ];
 
-        return base64_encode(Json\encode($data));
+        return Json\encode($data, base64: true);
     }
 
     public static function unserialize(string $data): self
     {
-        $decoded = Json\decode(base64_decode($data, strict: true));
+        $decoded = Json\decode($data, base64: true);
 
         if (! is_array($decoded) || ! isset($decoded['payload'], $decoded['iv'], $decoded['tag'], $decoded['signature'], $decoded['algorithm'])) {
             throw EncryptedDataWasInvalid::dueToInvalidFormat();

packages/cryptography/src/Encryption/EncryptionConfig.php

@@ -6,7 +6,7 @@ final class EncryptionConfig
 {
     /**
      * @param EncryptionAlgorithm $algorithm The algorithm used for encrypting and decrypting values.
-     * @param non-empty-string $key A private, secure encryption key.
+     * @param null|non-empty-string $key A private, secure encryption key.
      */
     public function __construct(
         public EncryptionAlgorithm $algorithm,

…tography/src/CreateSigningKeyCommand.php …graphy/src/GenerateSigningKeyCommand.phppackages/cryptography/src/CreateSigningKeyCommand.php renamed to packages/cryptography/src/GenerateSigningKeyCommand.php packages/cryptography/src/CreateSigningKeyCommand.php renamed to packages/cryptography/src/GenerateSigningKeyCommand.php

@@ -13,23 +13,28 @@
 
 use function Tempest\root_path;
 
-final readonly class CreateSigningKeyCommand
+final readonly class GenerateSigningKeyCommand
 {
     public function __construct(
         private EncryptionConfig $encryptionConfig,
         private Console $console,
     ) {}
 
     #[ConsoleCommand('key:generate', description: 'Generates the signing key required to sign and verify data.')]
-    public function __invoke(): ExitCode
+    public function __invoke(bool $override = true): ExitCode
     {
         $key = EncryptionKey::generate($this->encryptionConfig->algorithm);
 
+        $this->createDotEnvIfNotExists();
+        $this->addToDotEnv($key->toString(), $override);
+
         $this->console->writeln();
-        $this->console->success('Signing key generated successfully.');
 
-        $this->createDotEnvIfNotExists();
-        $this->addToDotEnv($key->toString());
+        if ($override) {
+            $this->console->success('Signing key generated successfully.');
+        } else {
+            $this->console->info('The signing key already exists.');
+        }
 
         return ExitCode::SUCCESS;
     }
@@ -39,13 +44,13 @@ private function getDotEnvPath(): string
         return root_path('.env');
     }
 
-    private function addToDotEnv(string $key): void
+    private function addToDotEnv(string $key, bool $override): void
     {
         $file = Filesystem\read_file($this->getDotEnvPath());
 
         if (! Str\contains($file, 'SIGNING_KEY=')) {
-            $file .= "\nSIGNING_KEY={$key}\n";
-        } else {
+            $file = "SIGNING_KEY={$key}\n" . $file;
+        } elseif ($override) {
             $file = Regex\replace($file, '/^SIGNING_KEY=.*$/m', "SIGNING_KEY={$key}");
         }
 

packages/cryptography/src/Signing/SigningConfig.php

@@ -8,13 +8,13 @@ final class SigningConfig
 {
     /**
      * @param SigningAlgorithm $algorithm The algorithm used for signing and verifying signatures.
-     * @param non-empty-string $key The key used for signing and verifying signatures.
+     * @param null|non-empty-string $key The key used for signing and verifying signatures.
      * @param Duration|false $minimumExecutionDuration The minimum execution duration for signing operations, to prevent timing attacks. Set `false` to disable timing attack protection.
      */
     public function __construct(
         public SigningAlgorithm $algorithm,
         #[\SensitiveParameter]
-        public string $key,
+        public readonly ?string $key,
         public false|Duration $minimumExecutionDuration,
     ) {}
 }

packages/cryptography/src/Signing/SigningKey.php

@@ -18,9 +18,9 @@ public function __construct(
     /**
      * Creates a signing key from a string.
      */
-    public static function fromString(string $key): self
+    public static function fromString(?string $key): self
     {
-        return new self($key);
+        return new self($key ?: '');
     }
 
     public function __toString(): string

packages/cryptography/src/Signing/signing.config.php

@@ -5,6 +5,6 @@
 
 return new SigningConfig(
     algorithm: SigningAlgorithm::SHA256,
-    key: Tempest\env('SIGNING_KEY', default: ''),
+    key: Tempest\env('SIGNING_KEY'),
     minimumExecutionDuration: false,
 );

packages/http/composer.json

@@ -10,6 +10,7 @@
         "tempest/console": "dev-main",
         "tempest/mapper": "dev-main",
         "tempest/container": "dev-main",
+        "tempest/cryptography": "dev-main",
         "laminas/laminas-diactoros": "^3.3",
         "psr/http-factory": "^1.0",
         "psr/http-message": "^1.0|^2.0",

packages/http/src/Cookie/Cookie.php

@@ -4,6 +4,7 @@
 
 namespace Tempest\Http\Cookie;
 
+use InvalidArgumentException;
 use Stringable;
 use Tempest\DateTime\DateTimeInterface;
 
@@ -32,6 +33,14 @@ public function __construct(
         public ?SameSite $sameSite = null,
     ) {}
 
+    public function withValue(string $value): self
+    {
+        $clone = clone $this;
+        $clone->value = $value;
+
+        return $clone;
+    }
+
     public function __toString(): string
     {
         $parts = [
@@ -78,4 +87,49 @@ public function getExpiresAtTime(): ?int
 
         return null;
     }
+
+    /**
+     * Creates acookie from the `Set-Cookie` header.
+     */
+    public static function createFromString(string $string): self
+    {
+        if (! ($attributes = preg_split('/\s*;\s*/', $string, -1, PREG_SPLIT_NO_EMPTY))) {
+            throw new InvalidArgumentException(sprintf('The raw value of the `Set Cookie` header `%s` could not be parsed.', $string));
+        }
+
+        $nameAndValue = explode('=', array_shift($attributes), 2);
+        $cookie = ['name' => $nameAndValue[0], 'value' => isset($nameAndValue[1]) ? urldecode($nameAndValue[1]) : ''];
+
+        while ($attribute = array_shift($attributes)) {
+            $attribute = explode('=', $attribute, 2);
+            $attributeName = strtolower($attribute[0]);
+            $attributeValue = $attribute[1] ?? null;
+
+            if (in_array($attributeName, ['expires', 'domain', 'path', 'samesite'], true)) {
+                $cookie[$attributeName] = $attributeValue;
+                continue;
+            }
+
+            if (in_array($attributeName, ['secure', 'httponly'], true)) {
+                $cookie[$attributeName] = true;
+                continue;
+            }
+
+            if ($attributeName === 'max-age') {
+                $cookie['expires'] = time() + ((int) $attributeValue);
+            }
+        }
+
+        return new Cookie(
+            key: $cookie['name'],
+            value: $cookie['value'] ?? null,
+            expiresAt: isset($cookie['expires']) ? ((int) $cookie['expires']) : null,
+            maxAge: isset($cookie['max-age']) ? ((int) $cookie['max-age']) : null,
+            domain: $cookie['domain'] ?? null,
+            path: $cookie['path'] ?? '/',
+            secure: isset($cookie['secure']) && $cookie['secure'] === true,
+            httpOnly: isset($cookie['httponly']) && $cookie['httponly'] === true,
+            sameSite: isset($cookie['samesite']) ? SameSite::from($cookie['samesite']) : null,
+        );
+    }
 }

packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php

@@ -6,6 +6,7 @@
 
 use Psr\Http\Message\ServerRequestInterface as PsrRequest;
 use Psr\Http\Message\UploadedFileInterface;
+use Tempest\Cryptography\Encryption\Encrypter;
 use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\GenericRequest;
 use Tempest\Http\Method;
@@ -19,6 +20,10 @@
 
 final readonly class PsrRequestToGenericRequestMapper implements Mapper
 {
+    public function __construct(
+        private readonly Encrypter $encrypter,
+    ) {}
+
     public function canMap(mixed $from, mixed $to): bool
     {
         return false;
@@ -55,7 +60,13 @@ public function map(mixed $from, mixed $to): GenericRequest
             'path' => $from->getUri()->getPath(),
             'query' => $query,
             'files' => $uploads,
-            'cookies' => Arr\map_iterable($_COOKIE, static fn (string $value, string $key) => new Cookie($key, $value)),
+            'cookies' => Arr\map_iterable(
+                array: $_COOKIE,
+                map: fn (string $value, string $key) => new Cookie(
+                    key: $key,
+                    value: $this->encrypter->decrypt($value),
+                ),
+            ),
             ...$data,
             ...$uploads,
         ])