Begin OpenSSL development

Author: Greg Bowler

composer.json

@@ -4,6 +4,7 @@
 
 	"require": {
 		"php": ">=7.4",
+		"ext-openssl": "*",
 		"phpgt/http": "1.*"
 	},
 	"require-dev": {

src/Authenticator.php

@@ -5,8 +5,9 @@
 use Psr\Http\Message\UriInterface;
 
 class Authenticator {
-	private Cipher $cipher;
+	private Token $token;
 	private UriInterface $baseUri;
+	private string $returnPath;
 
 	/**
 	 * @param Token $token This must be the same instance of the Token when
@@ -15,17 +16,26 @@ class Authenticator {
 	 * @param string $baseUri The base URI of the application. This is the
 	 * URI authority with optional scheme, as localhost allows http://
 	 */
-	public function __construct(Token $token, string $baseUri) {
-		$this->cipher = $token->generateCipher();
+	public function __construct(
+		Token $token,
+		string $baseUri,
+		string $returnPath = "/"
+	) {
+		$this->token = $token;
 		$this->baseUri = $this->normaliseBaseUri($baseUri);
+		$this->returnPath = $returnPath;
 	}
 
 	/**
 	 * The AuthUri is where to redirect the user agent to for authentication
 	 * on the remote Authwave provider.
 	 */
 	public function getAuthUri():UriInterface {
-		return $this->baseUri;
+		return new AuthUri(
+			$this->baseUri,
+			$this->token,
+			$this->returnPath
+		);
 	}
 
 	private function normaliseBaseUri(string $baseUri):Uri {

src/Cipher.php

@@ -0,0 +1,14 @@
+<?php
+namespace Authwave;
+
+class InitVector {
+	private string $bytes;
+
+	public function __construct(int $length = 8) {
+		$this->bytes = random_bytes($length);
+	}
+
+	public function __toString():string {
+		return bin2hex($this->bytes);
+	}
+}

src/InitVector.php

@@ -2,15 +2,35 @@
 namespace Authwave;
 
 class Token {
+	const ENCRYPTION_METHOD = "aes128";
+
 	private string $key;
-	private string $tokenValue;
+	private string $secret;
+	private InitVector $iv;
 
-	public function __construct(string $key) {
+	public function __construct(
+		string $key,
+		string $secret,
+		InitVector $iv = null
+	) {
 		$this->key = $key;
-		$this->tokenValue = random_bytes(16);
+		$this->secret = $secret;
+		$this->iv = $iv ?? new InitVector();
 	}
 
-	public function generateCipher():Cipher {
+	public function generateCipher():string {
+		$rawCipher = openssl_encrypt(
+			$this->secret,
+			self::ENCRYPTION_METHOD,
+			$this->key,
+			0,
+			$this->iv
+		);
+
+		return base64_encode($rawCipher);
+	}
 
+	public function getIv():InitVector {
+		return $this->iv;
 	}
 }

src/Token.php

@@ -2,19 +2,13 @@
 namespace Authwave\Test;
 
 use Authwave\Authenticator;
-use Authwave\Cipher;
 use Authwave\InsecureProtocolException;
 use Authwave\Token;
-use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
 class AuthenticatorTest extends TestCase {
 	public function testGetAuthUriHostname() {
-		$cipher = self::createMock(Cipher::class);
 		$token = self::createMock(Token::class);
-		$token->method("generateCipher")
-			->willReturn($cipher);
-
 		$sut = new Authenticator($token, "example.com");
 		$authUri = $sut->getAuthUri();
 		self::assertStringStartsWith(
@@ -26,11 +20,7 @@ public function testGetAuthUriHostname() {
 // All AuthUris MUST be served over HTTPS, with the one exception of localhost.
 // But it should still default to HTTPS on localhost.
 	public function testGetAuthUriHostnameLocalhostHttpsByDefault() {
-		$cipher = self::createMock(Cipher::class);
 		$token = self::createMock(Token::class);
-		$token->method("generateCipher")
-			->willReturn($cipher);
-
 		$sut = new Authenticator($token, "localhost");
 		$authUri = $sut->getAuthUri();
 		self::assertStringStartsWith(
@@ -41,11 +31,7 @@ public function testGetAuthUriHostnameLocalhostHttpsByDefault() {
 
 // We should be able to set the scheme to HTTP for localhost hostname only.
 	public function testGetAuthUriHostnameLocalhostHttpAllowed() {
-		$cipher = self::createMock(Cipher::class);
 		$token = self::createMock(Token::class);
-		$token->method("generateCipher")
-			->willReturn($cipher);
-
 		$sut = new Authenticator($token, "http://localhost");
 		$authUri = $sut->getAuthUri();
 		self::assertStringStartsWith(
@@ -56,11 +42,7 @@ public function testGetAuthUriHostnameLocalhostHttpAllowed() {
 
 // We should NOT be able to set the scheme to HTTP for other hostnames.
 	public function testGetAuthUriHostnameNotLocalhostHttpNotAllowed() {
-		$cipher = self::createMock(Cipher::class);
 		$token = self::createMock(Token::class);
-		$token->method("generateCipher")
-			->willReturn($cipher);
-
 		self::expectException(InsecureProtocolException::class);
 		new Authenticator($token, "http://localhost.com");
 	}

test/phpunit/AuthenticatorTest.php

@@ -0,0 +1,30 @@
+<?php
+namespace Authwave\Test;
+
+use Authwave\Token;
+use PHPUnit\Framework\TestCase;
+
+class TokenTest extends TestCase {
+	public function testGenerateCipherSameForSameToken() {
+		$token = new Token(
+			"test-key",
+			"test-secret"
+		);
+
+		$cipher1 = $token->generateCipher();
+		$cipher2 = $token->generateCipher();
+
+		self::assertSame($cipher1, $cipher2);
+	}
+
+	public function testGenerateCipherDifferentForDifferentTokenSameDetails() {
+		$key = "test-key";
+		$secret = "test-secret";
+		$token1 = new Token($key, $secret);
+		$token2 = new Token($key, $secret);
+		$cipher1 = $token1->generateCipher();
+		$cipher2 = $token2->generateCipher();
+
+		self::assertNotSame($cipher1, $cipher2);
+	}
+}