paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

token->toString returns empty value #96

Closed carnage closed 3 years ago

carnage commented 5 years ago

Code in this repository: https://github.com/conferencetools/auth-module/blob/master/src/Auth/Extractor/PasetoCookie.php results in an empty cookie being set on my production env; works fine in dev.

PHP environment is

FROM php:7.2-fpm-alpine3.7 as php

RUN docker-php-ext-install pdo_mysql

Fairly sure it's an environment thing, but I'd expect an exception instead of an empty string.

Interesting addendum: switched to V1 and it works fine. Suspect it might be something alpine/libsodium related.

Zegnat commented 5 years ago

Fairly sure it's an environment thing, but I'd expect an exception instead of an empty string.

Casting an object to a string is not allowed to throw exceptions. I’d recommend using $token->toString() instead of (string) $token (as you seem to do now) if you are interested in getting an exception. The exceptions will also be able to give you a better idea of what is going wrong.

(__toString() specifically catches all Throwables and returns an empty string if things go wrong.)
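A self-contained PHP illustration of the behaviour described in this comment, added here as an example and not code from the paseto project: the TokenBuilder class, its simulated sodium failure and the buildCookieValue() helper are constructed stand-ins, showing why a (string) cast silently yields '' while toString() surfaces the error.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a token builder whose toString() can fail,
// e.g. because the sodium extension is unusable on the host.
final class TokenBuilder
{
    /** @var bool */
    private $sodiumAvailable;

    public function __construct(bool $sodiumAvailable)
    {
        $this->sodiumAvailable = $sodiumAvailable;
    }

    // Explicit API: failures surface as exceptions the caller can handle.
    public function toString(): string
    {
        if (!$this->sodiumAvailable) {
            throw new RuntimeException('libsodium not available');
        }
        return 'v2.public.constructed-sample-token';
    }

    // Before PHP 7.4, __toString() was not allowed to throw, so the only
    // option was to swallow the Throwable and return '' (the empty cookie
    // seen in the issue).
    public function __toString(): string
    {
        try {
            return $this->toString();
        } catch (Throwable $e) {
            return '';
        }
    }
}

// Hardened cookie issuance: call toString() and never emit an empty token.
function buildCookieValue(TokenBuilder $token): string
{
    $value = $token->toString(); // throws instead of returning ''
    if ($value === '') {
        throw new RuntimeException('refusing to set an empty token cookie');
    }
    return $value;
}

$broken = new TokenBuilder(false);
echo 'cast result is empty: ', var_export((string) $broken === '', true), PHP_EOL;
try {
    buildCookieValue($broken);
} catch (RuntimeException $e) {
    echo 'token build failed: ', $e->getMessage(), PHP_EOL;
}
echo buildCookieValue(new TokenBuilder(true)), PHP_EOL;
```

On PHP 7.4 and later __toString() may throw, so the library no longer has to swallow the error, which is the reason for the minimum-version change discussed later in the thread.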

paragonie-scott commented 5 years ago

@Zegnat is completely spot-on here.

Try doing ->toString() instead, and you'll get (likely) a SodiumException.

paragonie-security commented 3 years ago

The only way we can mitigate this is to set the minimum PHP version to 7.4 in the next PASETO release.

paragonie-security commented 3 years ago

https://github.com/paragonie/paseto/blob/a91fb984a0a873b325a7890846a61b9af85e182c/src/Builder.php#L769-L772