sendgrid / sendgrid-php

The Official Twilio SendGrid PHP API Library
https://sendgrid.com
MIT License

Deprecated Property Warnings in EventWebhook Signature Verification with PHP 8.2 #1108

Open supercrocman opened 3 months ago

supercrocman commented 3 months ago

Issue Summary

The issue involves using the convertPublicKeyToECDSA and verifySignature functions in the SendGrid PHP client library. When executing these functions, deprecated warnings are logged.

Steps to Reproduce

  1. Call the convertPublicKeyToECDSA function with the SendGrid webhook public key.
  2. Use the output of the first function as input to the verifySignature function along with the request content and headers.

Code Snippet

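use SendGrid\EventWebhook\EventWebhook;
use SendGrid\EventWebhook\EventWebhookHeader;

// Convert the configured webhook public key into an ECDSA key object
$eventWebhook = new EventWebhook();
$ecPublicKey = $eventWebhook->convertPublicKeyToECDSA($_ENV['SENDGRID_WEBHOOK_PUBLIC_KEY']);

// Verify the signature header against the raw request body and timestamp header
return $eventWebhook->verifySignature(
    $ecPublicKey,
    $request->getContent(),
    $request->headers->get(EventWebhookHeader::SIGNATURE),
    $request->headers->get(EventWebhookHeader::TIMESTAMP)
);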

Exception/Log

Deprecated: Creation of dynamic property EllipticCurve\PublicKey::$pem is deprecated
Deprecated: Creation of dynamic property EllipticCurve\Signature::$der is deprecated

Technical details:

ChrisHSandN commented 2 months ago

We are also waiting for this. I opened a SendGrid support ticket and after some struggles they agreed to "submit a JIRA" on the 16th May 2024. It's been almost a month now and still no change.

The EllipticCurve deprecations come from starkbank/ecdsa which is set to version 0.* in composer.json. There is a new version 2.1 https://github.com/starkbank/ecdsa-php which likely fixes the issue.

On a related note, the sendgrid/sendgrid-php prerequisites require:

PHP version 7.3, 7.4, 8.0, or 8.1

These versions are all outside of active support, and only 8.1 is still in security support. Could we please get official PHP 8.2/8.3 support!

ChrisHSandN commented 1 month ago

Well, SendGrid closed my support ticket in relation to this issue as "fixed" today 😒

I am getting the distinct feeling that SendGrid is just being left to decay by Twilio with some minimal outsourcing to keep the lights on...
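
Added example, not part of the thread and not sendgrid-php code: the same signature check done with PHP's bundled OpenSSL extension instead of starkbank/ecdsa, so verification stays enabled on PHP 8.2 rather than being bypassed to silence the warnings. It assumes the webhook signature is ECDSA with SHA-256 over the timestamp header concatenated with the raw body, that the signature header is base64 DER, and that the public key is base64 DER; `derKeyToPem` and `verifyWebhook` are hypothetical names, and the key pair and payload are constructed for the self-check.

```php
<?php
declare(strict_types=1);

// Added example. Assumption: signature = ECDSA/SHA-256 over timestamp . rawBody,
// base64 DER signature, base64 DER (SubjectPublicKeyInfo) public key.
// Always pass the raw request bytes, never re-encoded JSON.
function derKeyToPem(string $base64Der): string
{
    return "-----BEGIN PUBLIC KEY-----\n"
        . chunk_split($base64Der, 64, "\n")
        . "-----END PUBLIC KEY-----\n";
}

function verifyWebhook(string $base64DerKey, string $rawBody, ?string $signature, ?string $timestamp): bool
{
    if ($signature === null || $timestamp === null) {
        return false; // a request without both headers is rejected
    }
    $der = base64_decode($signature, true);
    if ($der === false) {
        return false; // header is not valid base64
    }
    $key = openssl_pkey_get_public(derKeyToPem($base64DerKey));
    if ($key === false) {
        throw new RuntimeException('Webhook public key could not be parsed');
    }
    // openssl_verify returns 1 only for a valid signature; 0, -1 and false all fail closed
    return openssl_verify($timestamp . $rawBody, $der, $key, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed self-check: throwaway P-256 key pair and sample payload
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$pem = openssl_pkey_get_details($priv)['key'];
$base64Der = preg_replace('/-----[^-]+-----|\s+/', '', $pem);
$body = '[{"event":"delivered"}]' . "\r\n";
$ts = '1600112502';
openssl_sign($ts . $body, $sig, $priv, OPENSSL_ALGO_SHA256);
$sigB64 = base64_encode($sig);

var_dump(verifyWebhook($base64Der, $body, $sigB64, $ts));         // untouched request
var_dump(verifyWebhook($base64Der, $body . ' ', $sigB64, $ts));   // body altered
var_dump(verifyWebhook($base64Der, $body, $sigB64, '1600112503')); // timestamp altered
var_dump(verifyWebhook($base64Der, $body, null, $ts));            // signature header missing
```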