feat(http)!: automatically encrypt cookies

innocenzi · innocenzi · commit e3dfc0cd83c2 · 2025-08-02T01:22:39.000+02:00
diff --git a/packages/core/src/Kernel/LoadConfig.php b/packages/core/src/Kernel/LoadConfig.php
@@ -45,7 +45,7 @@ public function find(): array
         $suffixes = [
             'production' => ['.production.config.php', '.prod.config.php', '.prd.config.php'],
             'staging' => ['.staging.config.php', '.stg.config.php'],
-            'testing' => ['.test.config.php'],
+            'testing' => ['.test.config.php', '.testing.config.php'],
             'development' => ['.dev.config.php', '.local.config.php'],
         ];
 
diff --git a/packages/cryptography/src/CreateSigningKeyCommand.php b/packages/cryptography/src/CreateSigningKeyCommand.php
@@ -44,7 +44,7 @@ private function addToDotEnv(string $key): void
         $file = Filesystem\read_file($this->getDotEnvPath());
 
         if (! Str\contains($file, 'SIGNING_KEY=')) {
-            $file .= "\nSIGNING_KEY={$key}\n";
+            $file = "SIGNING_KEY={$key}\n" . $file;
         } else {
             $file = Regex\replace($file, '/^SIGNING_KEY=.*$/m', "SIGNING_KEY={$key}");
         }
diff --git a/packages/cryptography/src/Encryption/EncryptedData.php b/packages/cryptography/src/Encryption/EncryptedData.php
@@ -27,12 +27,12 @@ public function serialize(): string
             'algorithm' => $this->algorithm->value,
         ];
 
-        return base64_encode(Json\encode($data));
+        return Json\encode($data, base64: true);
     }
 
     public static function unserialize(string $data): self
     {
-        $decoded = Json\decode(base64_decode($data, strict: true));
+        $decoded = Json\decode($data, base64: true);
 
         if (! is_array($decoded) || ! isset($decoded['payload'], $decoded['iv'], $decoded['tag'], $decoded['signature'], $decoded['algorithm'])) {
             throw EncryptedDataWasInvalid::dueToInvalidFormat();
diff --git a/packages/cryptography/src/Encryption/EncryptionConfig.php b/packages/cryptography/src/Encryption/EncryptionConfig.php
@@ -6,7 +6,7 @@ final class EncryptionConfig
 {
     /**
      * @param EncryptionAlgorithm $algorithm The algorithm used for encrypting and decrypting values.
-     * @param non-empty-string $key A private, secure encryption key.
+     * @param null|non-empty-string $key A private, secure encryption key.
      */
     public function __construct(
         public EncryptionAlgorithm $algorithm,
diff --git a/packages/cryptography/src/Signing/SigningConfig.php b/packages/cryptography/src/Signing/SigningConfig.php
@@ -8,13 +8,13 @@ final class SigningConfig
 {
     /**
      * @param SigningAlgorithm $algorithm The algorithm used for signing and verifying signatures.
-     * @param non-empty-string $key The key used for signing and verifying signatures.
+     * @param null|non-empty-string $key The key used for signing and verifying signatures.
      * @param Duration|false $minimumExecutionDuration The minimum execution duration for signing operations, to prevent timing attacks. Set `false` to disable timing attack protection.
      */
     public function __construct(
         public SigningAlgorithm $algorithm,
         #[\SensitiveParameter]
-        public string $key,
+        public readonly ?string $key,
         public false|Duration $minimumExecutionDuration,
     ) {}
 }
diff --git a/packages/cryptography/src/Signing/SigningKey.php b/packages/cryptography/src/Signing/SigningKey.php
@@ -18,9 +18,9 @@ public function __construct(
     /**
      * Creates a signing key from a string.
      */
-    public static function fromString(string $key): self
+    public static function fromString(?string $key): self
     {
-        return new self($key);
+        return new self($key ?: '');
     }
 
     public function __toString(): string
diff --git a/packages/cryptography/src/Signing/signing.config.php b/packages/cryptography/src/Signing/signing.config.php
@@ -5,6 +5,6 @@
 
 return new SigningConfig(
     algorithm: SigningAlgorithm::SHA256,
-    key: Tempest\env('SIGNING_KEY', default: ''),
+    key: Tempest\env('SIGNING_KEY'),
     minimumExecutionDuration: false,
 );
diff --git a/packages/http/composer.json b/packages/http/composer.json
@@ -10,6 +10,7 @@
         "tempest/console": "dev-main",
         "tempest/mapper": "dev-main",
         "tempest/container": "dev-main",
+        "tempest/cryptography": "dev-main",
         "laminas/laminas-diactoros": "^3.3",
         "psr/http-factory": "^1.0",
         "psr/http-message": "^1.0|^2.0",
diff --git a/packages/http/src/Cookie/Cookie.php b/packages/http/src/Cookie/Cookie.php
@@ -4,6 +4,7 @@
 
 namespace Tempest\Http\Cookie;
 
+use InvalidArgumentException;
 use Stringable;
 use Tempest\DateTime\DateTimeInterface;
 
@@ -32,6 +33,14 @@ public function __construct(
         public ?SameSite $sameSite = null,
     ) {}
 
+    public function withValue(string $value): self
+    {
+        $clone = clone $this;
+        $clone->value = $value;
+
+        return $clone;
+    }
+
     public function __toString(): string
     {
         $parts = [
@@ -78,4 +87,49 @@ public function getExpiresAtTime(): ?int
 
         return null;
     }
+
+    /**
+     * Creates acookie from the `Set-Cookie` header.
+     */
+    public static function createFromString(string $string): self
+    {
+        if (! ($attributes = preg_split('/\s*;\s*/', $string, -1, PREG_SPLIT_NO_EMPTY))) {
+            throw new InvalidArgumentException(sprintf('The raw value of the `Set Cookie` header `%s` could not be parsed.', $string));
+        }
+
+        $nameAndValue = explode('=', array_shift($attributes), 2);
+        $cookie = ['name' => $nameAndValue[0], 'value' => isset($nameAndValue[1]) ? urldecode($nameAndValue[1]) : ''];
+
+        while ($attribute = array_shift($attributes)) {
+            $attribute = explode('=', $attribute, 2);
+            $attributeName = strtolower($attribute[0]);
+            $attributeValue = $attribute[1] ?? null;
+
+            if (in_array($attributeName, ['expires', 'domain', 'path', 'samesite'], true)) {
+                $cookie[$attributeName] = $attributeValue;
+                continue;
+            }
+
+            if (in_array($attributeName, ['secure', 'httponly'], true)) {
+                $cookie[$attributeName] = true;
+                continue;
+            }
+
+            if ($attributeName === 'max-age') {
+                $cookie['expires'] = time() + ((int) $attributeValue);
+            }
+        }
+
+        return new Cookie(
+            key: $cookie['name'],
+            value: $cookie['value'] ?? null,
+            expiresAt: isset($cookie['expires']) ? ((int) $cookie['expires']) : null,
+            maxAge: isset($cookie['max-age']) ? ((int) $cookie['max-age']) : null,
+            domain: $cookie['domain'] ?? null,
+            path: $cookie['path'] ?? '/',
+            secure: isset($cookie['secure']) && $cookie['secure'] === true,
+            httpOnly: isset($cookie['httponly']) && $cookie['httponly'] === true,
+            sameSite: isset($cookie['samesite']) ? SameSite::from($cookie['samesite']) : null,
+        );
+    }
 }
diff --git a/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php b/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php
@@ -6,6 +6,7 @@
 
 use Psr\Http\Message\ServerRequestInterface as PsrRequest;
 use Psr\Http\Message\UploadedFileInterface;
+use Tempest\Cryptography\Encryption\Encrypter;
 use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\GenericRequest;
 use Tempest\Http\Method;
@@ -19,6 +20,10 @@
 
 final readonly class PsrRequestToGenericRequestMapper implements Mapper
 {
+    public function __construct(
+        private readonly Encrypter $encrypter,
+    ) {}
+
     public function canMap(mixed $from, mixed $to): bool
     {
         return false;
@@ -55,7 +60,13 @@ public function map(mixed $from, mixed $to): GenericRequest
             'path' => $from->getUri()->getPath(),
             'query' => $query,
             'files' => $uploads,
-            'cookies' => Arr\map_iterable($_COOKIE, static fn (string $value, string $key) => new Cookie($key, $value)),
+            'cookies' => Arr\map_iterable(
+                array: $_COOKIE,
+                map: fn (string $value, string $key) => new Cookie(
+                    key: $key,
+                    value: $this->encrypter->decrypt($value),
+                ),
+            ),
             ...$data,
             ...$uploads,
         ])
diff --git a/packages/router/src/SetCookieMiddleware.php b/packages/router/src/SetCookieMiddleware.php
@@ -5,6 +5,7 @@
 namespace Tempest\Router;
 
 use Tempest\Core\Priority;
+use Tempest\Cryptography\Encryption\Encrypter;
 use Tempest\Http\Cookie\CookieManager;
 use Tempest\Http\Request;
 use Tempest\Http\Response;
@@ -16,6 +17,7 @@
 final readonly class SetCookieMiddleware implements HttpMiddleware
 {
     public function __construct(
+        private Encrypter $encrypter,
         private CookieManager $cookies,
     ) {}
 
@@ -24,7 +26,8 @@ public function __invoke(Request $request, HttpMiddlewareCallable $next): Respon
         $response = $next($request);
 
         foreach ($this->cookies->all() as $cookie) {
-            $response->addHeader('set-cookie', (string) $cookie);
+            $cookieValue = $cookie->value === '' ? '' : $this->encrypter->encrypt($cookie->value)->serialize();
+            $response->addHeader('set-cookie', (string) $cookie->withValue($cookieValue));
         }
 
         return $response;
diff --git a/src/Tempest/Framework/Testing/Http/TestResponseHelper.php b/src/Tempest/Framework/Testing/Http/TestResponseHelper.php
@@ -7,11 +7,14 @@
 use Closure;
 use Generator;
 use PHPUnit\Framework\Assert;
-use Tempest\Http\Cookie\CookieManager;
+use PHPUnit\Framework\ExpectationFailedException;
+use Tempest\Cryptography\Encryption\Encrypter;
+use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\Response;
 use Tempest\Http\Responses\Invalid;
 use Tempest\Http\Session\Session;
 use Tempest\Http\Status;
+use Tempest\Support\Arr;
 use Tempest\Validation\Rule;
 use Tempest\View\View;
 use Tempest\View\ViewRenderer;
@@ -49,13 +52,15 @@ public function assertHasHeader(string $name): self
         return $this;
     }
 
+    /**
+     * Asserts that the given header contains the given value.
+     */
     public function assertHeaderContains(string $name, mixed $value): self
     {
         $this->assertHasHeader($name);
 
         $header = $this->response->getHeader($name);
-
-        $headerString = var_export($header, true); // @mago-expect best-practices/no-debug-symbols
+        $headerString = var_export($header, return: true); // @mago-expect best-practices/no-debug-symbols
 
         Assert::assertContains(
             $value,
@@ -66,6 +71,28 @@ public function assertHeaderContains(string $name, mixed $value): self
         return $this;
     }
 
+    /**
+     * Asserts that the given header contains the given value. The value may contains placeholders such as `%s`, `%d`, etc.
+     */
+    public function assertHeaderMatches(string $name, string $format): self
+    {
+        $this->assertHasHeader($name);
+
+        $header = $this->response->getHeader($name);
+        $headerString = var_export($header, return: true); // @mago-expect best-practices/no-debug-symbols
+
+        foreach ($header->values as $value) {
+            try {
+                Assert::assertStringMatchesFormat($format, $value);
+
+                return $this;
+            } catch (ExpectationFailedException) { // @mago-expect best-practices/no-empty-catch-clause
+            }
+        }
+
+        Assert::fail(sprintf('Failed to assert that response header [%s] value contains [%s]. These header values were found: %s', $name, $format, $headerString));
+    }
+
     public function assertRedirect(?string $to = null): self
     {
         Assert::assertTrue(
@@ -108,16 +135,34 @@ public function assertStatus(Status $expected): self
         return $this;
     }
 
-    public function assertHasCookie(string $key, ?Closure $callback = null): self
+    public function assertHasCookie(string $key, null|string|Closure $value = null): self
     {
-        $cookies = get(CookieManager::class);
+        /** @var array<string,Cookie> */
+        $cookies = Arr\map_with_keys(
+            array: $this->response->getHeader('set-cookie')->values,
+            map: function (string $cookie) {
+                $cookie = Cookie::createFromString($cookie);
+                yield $cookie->key => $cookie;
+            },
+        );
 
-        $cookie = $cookies->get($key);
+        Assert::assertArrayHasKey(
+            key: $key,
+            array: $cookies,
+            message: sprintf('No cookie was set for [%s], available cookies: %s', $key, implode(', ', array_keys($cookies))),
+        );
 
-        Assert::assertNotNull($cookie);
+        $encrypter = get(Encrypter::class);
+        $cookie = $cookies[$key]->value
+            ? $encrypter->decrypt($cookies[$key]->value)
+            : '';
 
-        if ($callback !== null) {
-            $callback($cookie);
+        if ($value instanceof Closure) {
+            $value($cookie);
+        }
+
+        if (is_string($value)) {
+            Assert::assertEquals($value, $cookie);
         }
 
         return $this;
diff --git a/tests/Integration/Core/Config/LoadConfigTest.php b/tests/Integration/Core/Config/LoadConfigTest.php
@@ -39,6 +39,7 @@ public function test_config_loaded_in_order(): void
             'db.stg.config.php',
             'db.prd.config.php',
             'db.test.config.php',
+            'db.testing.config.php',
             'db.production.config.php',
         ]);
 
@@ -50,6 +51,7 @@ public function test_config_loaded_in_order(): void
         $this->assertStringContainsString('db.production.config.php', $config[3]);
         $this->assertStringContainsString('db.local.config.php', $config[4]);
         $this->assertStringContainsString('db.test.config.php', $config[5]);
+        $this->assertStringContainsString('db.testing.config.php', $config[6]);
     }
 
     public function test_non_production_configs_are_discarded_in_production(): void
diff --git a/tests/Integration/FrameworkIntegrationTestCase.php b/tests/Integration/FrameworkIntegrationTestCase.php
@@ -15,6 +15,7 @@
 use Tempest\Core\Application;
 use Tempest\Core\ShellExecutor;
 use Tempest\Core\ShellExecutors\NullShellExecutor;
+use Tempest\Cryptography\CreateSigningKeyCommand;
 use Tempest\Database\DatabaseInitializer;
 use Tempest\Database\Migrations\MigrationManager;
 use Tempest\Discovery\DiscoveryLocation;
@@ -61,6 +62,9 @@ protected function setUp(): void
             ->removeInitializer(DatabaseInitializer::class)
             ->addInitializer(TestingDatabaseInitializer::class);
 
+        // Generate signing key required for tests
+        $this->console->call(CreateSigningKeyCommand::class);
+
         $databaseConfigPath = __DIR__ . '/../Fixtures/Config/database.config.php';
 
         if (! file_exists($databaseConfigPath)) {
diff --git a/tests/Integration/Http/CookieManagerTest.php b/tests/Integration/Http/CookieManagerTest.php
diff --git a/tests/Integration/Http/CsrfTest.php b/tests/Integration/Http/CsrfTest.php
diff --git a/tests/Integration/Mapper/PsrRequestToRequestMapperTest.php b/tests/Integration/Mapper/PsrRequestToRequestMapperTest.php
diff --git a/tests/Integration/Route/ClientTest.php b/tests/Integration/Route/ClientTest.php
diff --git a/tests/Integration/Route/RequestTest.php b/tests/Integration/Route/RequestTest.php

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ private function addToDotEnv(string $key): void`
`44`	`44`	`$file = Filesystem\read_file($this->getDotEnvPath());`
`45`	`45`
`46`	`46`	`if (! Str\contains($file, 'SIGNING_KEY=')) {`
`47`		`- $file .= "\nSIGNING_KEY={$key}\n";`
	`47`	`+ $file = "SIGNING_KEY={$key}\n" . $file;`
`48`	`48`	`} else {`
`49`	`49`	`$file = Regex\replace($file, '/^SIGNING_KEY=.*$/m', "SIGNING_KEY={$key}");`
`50`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,12 +27,12 @@ public function serialize(): string`
`27`	`27`	`'algorithm' => $this->algorithm->value,`
`28`	`28`	`];`
`29`	`29`
`30`		`- return base64_encode(Json\encode($data));`
	`30`	`+ return Json\encode($data, base64: true);`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`public static function unserialize(string $data): self`
`34`	`34`	`{`
`35`		`- $decoded = Json\decode(base64_decode($data, strict: true));`
	`35`	`+ $decoded = Json\decode($data, base64: true);`
`36`	`36`
`37`	`37`	`if (! is_array($decoded) \|\| ! isset($decoded['payload'], $decoded['iv'], $decoded['tag'], $decoded['signature'], $decoded['algorithm'])) {`
`38`	`38`	`throw EncryptedDataWasInvalid::dueToInvalidFormat();`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ final class EncryptionConfig`
`6`	`6`	`{`
`7`	`7`	`/**`
`8`	`8`	`* @param EncryptionAlgorithm $algorithm The algorithm used for encrypting and decrypting values.`
`9`		`- * @param non-empty-string $key A private, secure encryption key.`
	`9`	`+ * @param null\|non-empty-string $key A private, secure encryption key.`
`10`	`10`	`*/`
`11`	`11`	`public function __construct(`
`12`	`12`	`public EncryptionAlgorithm $algorithm,`
Original file line number	Diff line number	Diff line change
`@@ -18,9 +18,9 @@ public function __construct(`
`18`	`18`	`/**`
`19`	`19`	`* Creates a signing key from a string.`
`20`	`20`	`*/`
`21`		`- public static function fromString(string $key): self`
	`21`	`+ public static function fromString(?string $key): self`
`22`	`22`	`{`
`23`		`- return new self($key);`
	`23`	`+ return new self($key ?: '');`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`public function __toString(): string`