Signiture verification with relative path

michaelbrauner_mysteryminds · MichaelBrauner · commit 93d5392b3f14 · 2025-06-02T08:22:37.000+02:00
diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -29,6 +29,10 @@ public function getConfigTreeBuilder(): TreeBuilder
                     ->defaultValue(3600)
                     ->info('The length of time in seconds that a signed URI is valid for after it is created.')
                 ->end()
+                ->booleanNode('use_relative_path')
+                    ->defaultValue(false)
+                    ->info('Decides whether to use an absolute url or a relative path for signing.')
+                ->end()
             ->end();
 
         return $treeBuilder;
diff --git a/src/DependencyInjection/SymfonyCastsVerifyEmailExtension.php b/src/DependencyInjection/SymfonyCastsVerifyEmailExtension.php
@@ -34,6 +34,7 @@ public function load(array $configs, ContainerBuilder $container): void
 
         $helperDefinition = $container->getDefinition('symfonycasts.verify_email.helper');
         $helperDefinition->replaceArgument(4, $config['lifetime']);
+        $helperDefinition->replaceArgument(5, $config['use_relative_path']);
     }
 
     public function getAlias(): string
diff --git a/src/Resources/config/verify_email_services.xml b/src/Resources/config/verify_email_services.xml
@@ -28,6 +28,7 @@
             <argument type="service" id="symfonycasts.verify_email.query_utility" />
             <argument type="service" id="symfonycasts.verify_email.token_generator" />
             <argument /> <!-- verify user signature lifetime -->
+            <argument /> <!-- verify user signature path generation method -->
         </service>
     </services>
 </container>
diff --git a/src/VerifyEmailHelper.php b/src/VerifyEmailHelper.php
@@ -38,14 +38,16 @@ final class VerifyEmailHelper implements VerifyEmailHelperInterface
      * @var int The length of time in seconds that a signed URI is valid for after it is created
      */
     private $lifetime;
+    private $useRelativePath;
 
-    public function __construct(UrlGeneratorInterface $router, /* no typehint for BC with legacy PHP */ $uriSigner, VerifyEmailQueryUtility $queryUtility, VerifyEmailTokenGenerator $generator, int $lifetime)
+    public function __construct(UrlGeneratorInterface $router, /* no typehint for BC with legacy PHP */ $uriSigner, VerifyEmailQueryUtility $queryUtility, VerifyEmailTokenGenerator $generator, int $lifetime, bool $useRelativePath)
     {
         $this->router = $router;
         $this->uriSigner = $uriSigner;
         $this->queryUtility = $queryUtility;
         $this->tokenGenerator = $generator;
         $this->lifetime = $lifetime;
+        $this->useRelativePath = $useRelativePath;
 
         if (!$uriSigner instanceof UriSigner) {
             /** @psalm-suppress UndefinedFunction */
@@ -63,10 +65,8 @@ public function generateSignature(string $routeName, string $userId, string $use
 
         $uri = $this->router->generate($routeName, $extraParams, UrlGeneratorInterface::ABSOLUTE_URL);
 
-        $signature = $this->uriSigner->sign($uri);
-
         /** @psalm-suppress PossiblyFalseArgument */
-        return new VerifyEmailSignatureComponents(\DateTimeImmutable::createFromFormat('U', (string) $expiryTimestamp), $signature, $generatedAt);
+        return new VerifyEmailSignatureComponents(\DateTimeImmutable::createFromFormat('U', (string) $expiryTimestamp), $this->getSignedUrl($uri), $generatedAt);
     }
 
     public function validateEmailConfirmation(string $signedUrl, string $userId, string $userEmail): void
@@ -111,4 +111,53 @@ public function validateEmailConfirmationFromRequest(Request $request, string $u
             throw new WrongEmailVerifyException();
         }
     }
+
+    private function generateAbsolutePath(string $absoluteUri): string
+    {
+        $parsedUri = parse_url($absoluteUri);
+
+        $path = $parsedUri['path'] ?? '';
+        $query = $this->getQueryStringFromParsedUrl($parsedUri);
+        $fragment = isset($parsedUri['fragment']) ? '#'.$parsedUri['fragment'] : '';
+
+        return $path.$query.$fragment;
+    }
+
+    public function generateSigningString(string $uri): string
+    {
+        if (!$this->useRelativePath) {
+            return $uri;
+        }
+
+        return $this->generateAbsolutePath($uri);
+    }
+
+    private function generateBaseUrl(string $absoluteUri): string
+    {
+        $parsedUri = parse_url($absoluteUri);
+        $scheme = isset($parsedUri['scheme']) ? $parsedUri['scheme'].'://' : '';
+        $host = $parsedUri['host'] ?? '';
+
+        return $scheme.$host;
+    }
+
+    private function getSignedUrl(string $uri): string
+    {
+        $signature = $this->uriSigner->sign($this->generateSigningString($uri));
+
+        if ($this->useRelativePath === false) {
+            return $signature;
+        }
+
+        return $this->generateBaseUrl($uri).$signature;
+    }
+
+    private function getQueryStringFromParsedUrl(array $parsedUrl): string
+    {
+        if (!\array_key_exists('query', $parsedUrl)) {
+            return '';
+        }
+
+        return $parsedUrl['query'] ? ('?'.$parsedUrl['query']) : '';
+    }
 }
diff --git a/tests/AcceptanceTests/VerifyEmailAcceptanceTest.php b/tests/AcceptanceTests/VerifyEmailAcceptanceTest.php
@@ -117,9 +117,77 @@ public function testValidateUsingRequestObject(): void
         $this->assertTrue(true, 'Test correctly does not throw an exception');
     }
 
-    private function getBootedKernel(): KernelInterface
+    public function testGenerateSignatureWithRelativePath(): void
+    {
+        $kernel = $this->getBootedKernel(['use_relative_path' => true]);
+
+        $container = $kernel->getContainer();
+
+        /** @var VerifyEmailHelper $helper */
+        $helper = $container->get(VerifyEmailAcceptanceFixture::class)->helper;
+
+        $components = $helper->generateSignature('verify-test', '1234', 'jr@rushlow.dev');
+
+        $signature = $components->getSignedUrl();
+
+        $expiresAt = $components->getExpiresAt()->getTimestamp();
+
+        $expectedUserData = json_encode(['1234', 'jr@rushlow.dev']);
+
+        $expectedToken = base64_encode(hash_hmac('sha256', $expectedUserData, 'foo', true));
+
+        $expectedSignature = base64_encode(hash_hmac(
+            'sha256',
+            sprintf('/verify/user?expires=%s&token=%s', $expiresAt, urlencode($expectedToken)),
+            'foo',
+            true
+        ));
+
+        $parsed = parse_url($signature);
+        parse_str($parsed['query'], $result);
+
+        self::assertTrue(hash_equals($expectedSignature, $result['signature']));
+        self::assertSame(
+            sprintf('/verify/user?expires=%s&signature=%s&token=%s', $expiresAt, urlencode($expectedSignature), urlencode($expectedToken)),
+            strstr($signature, '/verify/user')
+        );
+    }
+
+    public function testValidateEmailSignatureWithRelativePath(): void
+    {
+        $kernel = $this->getBootedKernel(['use_relative_path' => true]);
+
+        $container = $kernel->getContainer();
+
+        /** @var VerifyEmailHelper $helper */
+        $helper = $container->get(VerifyEmailAcceptanceFixture::class)->helper;
+        $expires = new \DateTimeImmutable('+1 hour');
+
+        $uriToTest = sprintf(
+            '/verify/user?%s',
+            http_build_query([
+                'expires' => $expires->getTimestamp(),
+                'token' => base64_encode(hash_hmac(
+                    'sha256',
+                    json_encode(['1234', 'jr@rushlow.dev']),
+                    'foo',
+                    true
+                )),
+            ])
+        );
+
+        $signature = base64_encode(hash_hmac('sha256', $uriToTest, 'foo', true));
+
+        $test = sprintf('%s&signature=%s', $uriToTest, urlencode($signature));
+
+        $helper->validateEmailConfirmation($test, '1234', 'jr@rushlow.dev');
+        $this->assertTrue(true, 'Test correctly does not throw an exception');
+    }
+
+    private function getBootedKernel(array $customConfig = []): KernelInterface
     {
         $builder = new ContainerBuilder();
+
         $builder->autowire(VerifyEmailAcceptanceFixture::class)
             ->setPublic(true)
             ->setArgument(1, new Reference('symfonycasts.verify_email.uri_signer'))
@@ -128,7 +196,9 @@ private function getBootedKernel(): KernelInterface
 
         $kernel = new VerifyEmailTestKernel(
             $builder,
-            ['verify-test' => '/verify/user']
+            ['verify-test' => '/verify/user'],
+            [],
+            $customConfig
         );
 
         $kernel->boot();
diff --git a/tests/FunctionalTests/VerifyEmailHelperFunctionalTest.php b/tests/FunctionalTests/VerifyEmailHelperFunctionalTest.php
@@ -106,7 +106,7 @@ private function getTestSignedUri(): string
         return \sprintf('/verify?%s', $sortedParams);
     }
 
-    private function getHelper(): VerifyEmailHelperInterface
+    private function getHelper(?bool $useRelativePath = false): VerifyEmailHelperInterface
     {
         if (class_exists(UriSigner::class)) {
             $this->uriSigner = new UriSigner('foo', 'signature');
@@ -119,7 +119,8 @@ private function getHelper(): VerifyEmailHelperInterface
             $this->uriSigner,
             new VerifyEmailQueryUtility(),
             new VerifyEmailTokenGenerator('foo'),
-            3600
+            3600,
+            $useRelativePath
         );
     }
 }
diff --git a/tests/UnitTests/VerifyEmailHelperTest.php b/tests/UnitTests/VerifyEmailHelperTest.php
@@ -88,6 +88,38 @@ public function testSignatureIsGenerated(): void
         self::assertSame($expectedSignedUrl, $components->getSignedUrl());
     }
 
+    public function testSignatureIsGeneratedWithRelativePath(): void
+    {
+        $expires = time() + 3600;
+
+        $expectedSignedUrl = sprintf('/verify?expires=%s&signature=1234&token=hashedToken', $expires);
+
+        $this->tokenGenerator
+            ->expects($this->once())
+            ->method('createToken')
+            ->with('1234', 'jr@rushlow.dev')
+            ->willReturn('hashedToken')
+        ;
+
+        $this->mockRouter
+            ->expects($this->once())
+            ->method('generate')
+            ->with('app_verify_route', ['token' => 'hashedToken', 'expires' => $expires])
+            ->willReturn(sprintf('/verify?expires=%s&token=hashedToken', $expires))
+        ;
+
+        $this->mockSigner
+            ->expects($this->once())
+            ->method('sign')
+            ->with(sprintf('/verify?expires=%s&token=hashedToken', $expires))
+            ->willReturn($expectedSignedUrl)
+        ;
+
+        $helper = $this->getHelper(true);
+        $components = $helper->generateSignature('app_verify_route', '1234', 'jr@rushlow.dev');
+        self::assertSame($expectedSignedUrl, $components->getSignedUrl());
+    }
+
     /** @group legacy */
     public function testValidationThrowsEarlyOnInvalidSignature(): void
     {
@@ -122,6 +154,39 @@ public function testValidationThrowsEarlyOnInvalidSignature(): void
         $helper->validateEmailConfirmation($signedUrl, '1234', 'jr@rushlow.dev');
     }
 
+    public function testValidationThrowsEarlyOnInvalidSignatureWithRelativePath(): void
+    {
+        $signedUrl = '/verify?expires=1&signature=1234%token=xyz';
+
+        $this->mockSigner
+            ->expects($this->once())
+            ->method('check')
+            ->with($signedUrl)
+            ->willReturn(false)
+        ;
+
+        $this->mockQueryUtility
+            ->expects($this->never())
+            ->method('getExpiryTimestamp')
+        ;
+
+        $this->mockQueryUtility
+            ->expects($this->never())
+            ->method('getTokenFromQuery')
+        ;
+
+        $this->tokenGenerator
+            ->expects($this->never())
+            ->method('createToken')
+        ;
+
+        $helper = $this->getHelper(true);
+
+        $this->expectException(InvalidSignatureException::class);
+
+        $helper->validateEmailConfirmation($signedUrl, '1234', 'jr@rushlow.dev');
+    }
+
     /** @group legacy */
     public function testExceptionThrownWithExpiredSignature(): void
     {
@@ -268,8 +333,8 @@ public function testValidationFromRequestThrowsWithInvalidToken(): void
         $helper->validateEmailConfirmationFromRequest($request, '1234', 'jr@rushlow.dev');
     }
 
-    private function getHelper(): VerifyEmailHelperInterface
+    private function getHelper(?bool $useRelativePath = false): VerifyEmailHelperInterface
     {
-        return new VerifyEmailHelper($this->mockRouter, $this->mockSigner, $this->mockQueryUtility, $this->tokenGenerator, 3600);
+        return new VerifyEmailHelper($this->mockRouter, $this->mockSigner, $this->mockQueryUtility, $this->tokenGenerator, 3600, $useRelativePath);
     }
 }
diff --git a/tests/VerifyEmailTestKernel.php b/tests/VerifyEmailTestKernel.php
@@ -29,16 +29,19 @@ class VerifyEmailTestKernel extends Kernel
     private $builder;
     private $routes;
     private $extraBundles;
+    /** @var array */
+    private $customConfig;
 
     /**
      * @param array             $routes  Routes to be added to the container e.g. ['name' => 'path']
      * @param BundleInterface[] $bundles Additional bundles to be registered e.g. [new Bundle()]
      */
-    public function __construct(?ContainerBuilder $builder = null, array $routes = [], array $bundles = [])
+    public function __construct(?ContainerBuilder $builder = null, array $routes = [], array $bundles = [], array $customConfig = [])
     {
         $this->builder = $builder;
         $this->routes = $routes;
         $this->extraBundles = $bundles;
+        $this->customConfig = $customConfig;
 
         parent::__construct('test', true);
     }
@@ -54,6 +57,7 @@ public function registerBundles(): iterable
         );
     }
 
+    /** @noinspection PhpParamsInspection */
     public function registerContainerConfiguration(LoaderInterface $loader): void
     {
         if (null === $this->builder) {
@@ -77,6 +81,10 @@ public function registerContainerConfiguration(LoaderInterface $loader): void
                 ]
             );
 
+            if (!empty($this->customConfig)) {
+                $container->loadFromExtension('symfonycasts_verify_email', $this->customConfig);
+            }
+
             $container->register('kernel', static::class)
                 ->setPublic(true)
             ;

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ public function load(array $configs, ContainerBuilder $container): void`
`34`	`34`
`35`	`35`	`$helperDefinition = $container->getDefinition('symfonycasts.verify_email.helper');`
`36`	`36`	`$helperDefinition->replaceArgument(4, $config['lifetime']);`
	`37`	`+ $helperDefinition->replaceArgument(5, $config['use_relative_path']);`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`public function getAlias(): string`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ private function getTestSignedUri(): string`
`106`	`106`	`return \sprintf('/verify?%s', $sortedParams);`
`107`	`107`	`}`
`108`	`108`
`109`		`- private function getHelper(): VerifyEmailHelperInterface`
	`109`	`+ private function getHelper(?bool $useRelativePath = false): VerifyEmailHelperInterface`
`110`	`110`	`{`
`111`	`111`	`if (class_exists(UriSigner::class)) {`
`112`	`112`	`$this->uriSigner = new UriSigner('foo', 'signature');`
`@@ -119,7 +119,8 @@ private function getHelper(): VerifyEmailHelperInterface`
`119`	`119`	`$this->uriSigner,`
`120`	`120`	`new VerifyEmailQueryUtility(),`
`121`	`121`	`new VerifyEmailTokenGenerator('foo'),`
`122`		`- 3600`
	`122`	`+ 3600,`
	`123`	`+ $useRelativePath`
`123`	`124`	`);`
`124`	`125`	`}`
`125`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,16 +29,19 @@ class VerifyEmailTestKernel extends Kernel`
`29`	`29`	`private $builder;`
`30`	`30`	`private $routes;`
`31`	`31`	`private $extraBundles;`
	`32`	`+ /** @var array */`
	`33`	`+ private $customConfig;`
`32`	`34`
`33`	`35`	`/**`
`34`	`36`	`* @param array $routes Routes to be added to the container e.g. ['name' => 'path']`
`35`	`37`	`* @param BundleInterface[] $bundles Additional bundles to be registered e.g. [new Bundle()]`
`36`	`38`	`*/`
`37`		`- public function __construct(?ContainerBuilder $builder = null, array $routes = [], array $bundles = [])`
	`39`	`+ public function __construct(?ContainerBuilder $builder = null, array $routes = [], array $bundles = [], array $customConfig = [])`
`38`	`40`	`{`
`39`	`41`	`$this->builder = $builder;`
`40`	`42`	`$this->routes = $routes;`
`41`	`43`	`$this->extraBundles = $bundles;`
	`44`	`+ $this->customConfig = $customConfig;`
`42`	`45`
`43`	`46`	`parent::__construct('test', true);`
`44`	`47`	`}`
`@@ -54,6 +57,7 @@ public function registerBundles(): iterable`
`54`	`57`	`);`
`55`	`58`	`}`
`56`	`59`
	`60`	`+ /** @noinspection PhpParamsInspection */`
`57`	`61`	`public function registerContainerConfiguration(LoaderInterface $loader): void`
`58`	`62`	`{`
`59`	`63`	`if (null === $this->builder) {`
`@@ -77,6 +81,10 @@ public function registerContainerConfiguration(LoaderInterface $loader): void`
`77`	`81`	`]`
`78`	`82`	`);`
`79`	`83`
	`84`	`+ if (!empty($this->customConfig)) {`
	`85`	`+ $container->loadFromExtension('symfonycasts_verify_email', $this->customConfig);`
	`86`	`+ }`
	`87`	`+`
`80`	`88`	`$container->register('kernel', static::class)`
`81`	`89`	`->setPublic(true)`
`82`	`90`	`;`