add automatic padding of the payload and ability to disable it for bandwidth

Author: Minishlink

README.md

@@ -81,6 +81,25 @@ $webPush = new WebPush($apiKeys);
 $webPush->sendNotification($endpoint, null, null, true);
 ```
 
+### Payload length and security
+As previously stated, payload will be encrypted by the library. The maximum payload length is 4078 bytes (or ASCII characters).
+
+However, when you encrypt a string of a certain length, the resulting string will always have the same length,
+no matter how many times you encrypt the initial string. This can make attackers guess the content of the payload.
+In order to circumvent this, this library can add some null padding to the initial payload, so that all the input of the encryption process
+will have the same length. This way, all the output of the encryption process will also have the same length and attackers won't be able to 
+guess the content of your payload. The downside of this approach is that you will use more bandwidth than if you didn't pad the string.
+That's why the library provides the option to disable this security measure:
+
+```php
+<?php
+
+use Minishlink\WebPush\WebPush;
+
+$webPush = new WebPush();
+$webPush->setAutomaticPadding(false); // disable automatic padding
+```
+
 ### Time To Live
 Time To Live (TTL, in seconds) is how long a push message is retained by the push service (eg. Mozilla) in case the user browser 
 is not yet accessible (eg. is not connected). You may want to use a very long time for important notifications. The default TTL is 4 weeks. 

src/Encryption.php

@@ -18,6 +18,17 @@
 
 final class Encryption
 {
+    const MAX_PAYLOAD_LENGTH = 4078;
+
+    /**
+     * @param $payload
+     * @return string
+     */
+    public static function automaticPadding($payload)
+    {
+        return str_pad($payload, self::MAX_PAYLOAD_LENGTH, chr(0), STR_PAD_LEFT);
+    }
+
     /**
      * @param string $payload
      * @param string $userPublicKey MIME base 64 encoded

src/WebPush.php

@@ -36,6 +36,9 @@ class WebPush
     /** @var int Time To Live of notifications */
     private $TTL;
 
+    /** @var bool Automatic padding of payloads, if disabled, trade security for bandwidth */
+    private $automaticPadding = true;
+
     /** @var boolean */
     private $payloadEncryptionSupport;
 
@@ -45,9 +48,9 @@ class WebPush
     /**
      * WebPush constructor.
      *
-     * @param array               $apiKeys Some servers needs authentication. Provide your API keys here. (eg. array('GCM' => 'GCM_API_KEY'))
-     * @param int|null            $TTL     Time To Live of notifications, default being 4 weeks.
-     * @param int|null            $timeout Timeout of POST request
+     * @param array $apiKeys Some servers needs authentication. Provide your API keys here. (eg. array('GCM' => 'GCM_API_KEY'))
+     * @param int|null $TTL Time To Live of notifications, default being 4 weeks.
+     * @param int|null $timeout Timeout of POST request
      * @param AbstractClient|null $client
      */
     public function __construct(array $apiKeys = array(), $TTL = 2419200, $timeout = 30, AbstractClient $client = null)
@@ -82,8 +85,14 @@ public function sendNotification($endpoint, $payload = null, $userPublicKey = nu
             throw new \ErrorException('The API has changed: sendNotification now takes the optional user auth token as parameter.');
         }
 
-        if(isset($payload) && strlen($payload) > 4078) {
-            throw new \ErrorException('Size of payload must not be greater than 4078 octets.');
+        if(isset($payload)) {
+            if (strlen($payload) > Encryption::MAX_PAYLOAD_LENGTH) {
+                throw new \ErrorException('Size of payload must not be greater than '.Encryption::MAX_PAYLOAD_LENGTH.' octets.');
+            }
+
+            if ($this->automaticPadding) {
+                $payload = Encryption::automaticPadding($payload);
+            }
         }
 
         // sort notification by server type
@@ -298,10 +307,14 @@ public function getBrowser()
 
     /**
      * @param Browser $browser
+     *
+     * @return WebPush
      */
     public function setBrowser($browser)
     {
         $this->browser = $browser;
+
+        return $this;
     }
 
     /**
@@ -314,9 +327,33 @@ public function getTTL()
 
     /**
      * @param int $TTL
+     *
+     * @return WebPush
      */
     public function setTTL($TTL)
     {
         $this->TTL = $TTL;
+
+        return $this;
+    }
+
+    /**
+     * @return boolean
+     */
+    public function isAutomaticPadding()
+    {
+        return $this->automaticPadding;
+    }
+
+    /**
+     * @param boolean $automaticPadding
+     *
+     * @return WebPush
+     */
+    public function setAutomaticPadding($automaticPadding)
+    {
+        $this->automaticPadding = $automaticPadding;
+
+        return $this;
     }
 }

tests/EncryptionTest.php

@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of the WebPush library.
+ *
+ * (c) Louis Lagrange <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+use Minishlink\WebPush\Encryption;
+
+class EncryptionTest extends PHPUnit_Framework_TestCase
+{
+    /**
+     * @dataProvider payloadProvider
+     *
+     * @param string $payload
+     */
+    public function testAutomaticPadding($payload)
+    {
+        $res = Encryption::automaticPadding($payload);
+
+        $this->assertContains('test', $res);
+        $this->assertEquals(4078, strlen($res));
+    }
+
+    public function payloadProvider()
+    {
+        return array(
+            array('test'),
+            array(str_repeat('test', 1019)),
+            array(str_repeat('test', 1019).'te'),
+        );
+    }
+}