99designs / http-signatures-php

Sign and verify PSR-7 HTTP messages in PHP.
MIT License
44 stars 33 forks source link

HTTP Signatures

PHP implementation of HTTP Signatures draft specification; allowing cryptographic signing and verifying of PSR7 messages.

See also:

Usage

Add 99designs/http-signatures to your composer.json.

Configure a context with your algorithm, keys, headers to sign. This is best placed in an application startup file.

use HttpSignatures\Context;

$context = new Context([
  'keys' => ['examplekey' => 'secret-key-here'],
  'algorithm' => 'hmac-sha256',
  'headers' => ['(request-target)', 'Date', 'Accept'],
]);

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via 'signingKeyId' => 'examplekey'.

Messages

A message is assumed to be a PSR-7 compatible request or response object.

Signing a message

$context->signer()->sign($message);

Now $message contains the signature headers:

$message->headers->get('Signature');
// keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

$message->headers->get('Authorization');
// Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context->verifier()->isValid($message); // true or false

Symfony compatibility

Symfony requests normalize query strings which means the resulting request target can be incorrect. See https://github.com/symfony/psr-http-message-bridge/pull/30

When creating PSR-7 requests you use withRequestTarget to ensure the request target is correct. For example

use Symfony\Bridge\PsrHttpMessage\Factory\DiactorosFactory;
use Symfony\Component\HttpFoundation\Request;

$symfonyRequest = Request::create('/foo?b=1&a=2');
$psrRequest = (new DiactorosFactory())
    ->createRequest($symfonyRequest)
    ->withRequestTarget($symfonyRequest->getRequestUri());

Contributing

Pull Requests are welcome.

License

HTTP Signatures is licensed under The MIT License (MIT).