Hi, I've started using this library, and I want only the most modern technologies to be used.

So first I've read the doc, which says in 01-Protocol-Versions:

> Version 1 is recommended only for legacy systems that cannot use modern cryptography.

Nice, so I went directly to Version2.

After that, I've checked what I can strip out to double-check no old technology is used.

Looking into the `composer.json` I've found two external dependencies:

- `phpseclib/phpseclib`: only used in V1 and I use V2, so no need for this https://github.com/paragonie/paseto/blob/fa662c687f6dcdc3ae177ca3bdcae405cf6d6d89/src/Protocol/Version1.php#L31
- `paragonie/sodium_compat`: "PHP polyfill for the Sodium cryptography library (libsodium)", but I have `libsodium`, so no need for this either

So I've added both dependencies to my `composer.json` in the replace topic:

This is a hardcore way to NOT install dependencies I don't want.

I'd expect everything to still work as expected, but when I try to sign a token I get:

[Error] Class 'ParagonIE_Sodium_Core_Util' not found
#1 /var/www/html/vendor/paragonie/paseto/src/Util.php:120
#2 /var/www/html/vendor/paragonie/paseto/src/Protocol/Version2.php:190
#3 /var/www/html/vendor/paragonie/paseto/src/Builder.php:457

It appears that there are many hard-coded references to the polyfill library:

I may appear paranoid, but I'd prefer to rely on an extension much more than a library.

So, what I'm asking here (maybe wrong place, but this all started here):

- May we have a separate package for `ParagonIE_Sodium_Core_Util` which, except for `ParagonIE_Sodium_Compat::$fastMult`, isn't strictly related to `libsodium`?
- ~May we use `libsodium` constants/functions in this library, and update `paragonie/sodium_compat` to be a proper polyfill, which in theory should not autoload anything where `libsodium` is present?~ Solved by https://github.com/paragonie/paseto/pull/112
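
The failure described in this issue can be checked for before a dependency is dropped with `replace`. The script below is an added example, not code from paseto or sodium_compat: it tokenizes PHP source and separates direct references to polyfill classes, which `ext-sodium` does not provide, from `sodium_*` / `SODIUM_*` names that the extension does provide. The function names `auditSodiumRefs` and `auditDirectory` and the sample snippet are constructed for illustration.

```php
<?php
// Added example: classify sodium-related names in PHP source as polyfill
// classes (need paragonie/sodium_compat) or names ext-sodium itself provides.
function auditSodiumRefs(string $code): array
{
    $nameTokens = ['T_STRING', 'T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED'];
    $found = ['polyfill' => [], 'native' => []];
    foreach (token_get_all($code) as $tok) {
        // Comments and string literals have other token types, so they are skipped.
        if (!is_array($tok) || !in_array(token_name($tok[0]), $nameTokens, true)) {
            continue;
        }
        $name = ltrim($tok[1], '\\');
        if (strpos($name, 'ParagonIE_Sodium_') === 0) {
            $found['polyfill'][$name][] = $tok[2]; // source line number
        } elseif (preg_match('/^(sodium_|SODIUM_)/', $name)) {
            $found['native'][$name][] = $tok[2];
        }
    }
    return $found;
}

// Walk a package directory and keep only files that reference polyfill classes.
function auditDirectory(string $dir): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $refs = auditSodiumRefs(file_get_contents($file->getPathname()));
            if ($refs['polyfill']) {
                $report[$file->getPathname()] = $refs['polyfill'];
            }
        }
    }
    return $report;
}

// Constructed sample, not the real paseto source.
$sample = <<<'PHP'
<?php
// ParagonIE_Sodium_Compat named in a comment is not a reference
$len = ParagonIE_Sodium_Core_Util::strlen($message);
$sig = sodium_crypto_sign_detached($message, $secretKey);
PHP;

print_r(isset($argv[1]) ? auditDirectory($argv[1]) : auditSodiumRefs($sample));
```

Saved under a name of your choice and run with a package path such as `vendor/paragonie/paseto/src`, it lists each file that still names a polyfill class, with line numbers; an empty result means the `replace` entry will not remove a class the package loads directly.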