[1.x] use UriSigner::checkRequest() to validate signatures using a Request object

src/Util/VerifyEmailQueryUtility.php

@@ -23,13 +23,19 @@ class VerifyEmailQueryUtility
 {
     public function getTokenFromQuery(string $uri): string
     {
+        /** @psalm-suppress UndefinedFunction */
+        @trigger_deprecation('symfonycasts/verify-email-bundle', '1.17.0', 'This method is deprecated and will be removed in 2.0.');
+
         $params = $this->getQueryParams($uri);
 
         return $params['token'];
     }
 
     public function getExpiryTimestamp(string $uri): int
     {
+        /** @psalm-suppress UndefinedFunction */
+        @trigger_deprecation('symfonycasts/verify-email-bundle', '1.17.0', 'This method is deprecated and will be removed in 2.0.');
+
         $params = $this->getQueryParams($uri);
 
         if (empty($params['expires'])) {

src/VerifyEmailHelper.php

@@ -9,6 +9,7 @@
 
 namespace SymfonyCasts\Bundle\VerifyEmail;
 
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\UriSigner;
 use Symfony\Component\HttpKernel\UriSigner as LegacyUriSigner;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
@@ -45,6 +46,11 @@ public function __construct(UrlGeneratorInterface $router, /* no typehint for BC
         $this->queryUtility = $queryUtility;
         $this->tokenGenerator = $generator;
         $this->lifetime = $lifetime;
+
+        if (!$uriSigner instanceof UriSigner) {
+            /** @psalm-suppress UndefinedFunction */
+            @trigger_deprecation('symfonycasts/verify-email-bundle', '1.17.0', 'Not providing an instance of %s is deprecated. It will be required in v2.0', UriSigner::class);
+        }
     }
 
     public function generateSignature(string $routeName, string $userId, string $userEmail, array $extraParams = []): VerifyEmailSignatureComponents
@@ -65,6 +71,9 @@ public function generateSignature(string $routeName, string $userId, string $use
 
     public function validateEmailConfirmation(string $signedUrl, string $userId, string $userEmail): void
     {
+        /** @psalm-suppress UndefinedFunction */
+        @trigger_deprecation('symfonycasts/verify-email-bundle', '1.17.0', '%s() is deprecated and will be removed in v2.0, use validateEmailConfirmationFromRequest() instead.', __METHOD__);
+
         if (!$this->uriSigner->check($signedUrl)) {
             throw new InvalidSignatureException();
         }
@@ -80,4 +89,26 @@ public function validateEmailConfirmation(string $signedUrl, string $userId, str
             throw new WrongEmailVerifyException();
         }
     }
+
+    public function validateEmailConfirmationFromRequest(Request $request, string $userId, string $userEmail): void
+    {
+        /** @legacy - Remove in 2.0 */
+        if (!$this->uriSigner instanceof UriSigner) {
+            throw new \RuntimeException(sprintf('An instance of %s is required, provided by symfony/http-kernel >=6.4, to validate an email confirmation.', UriSigner::class));
+        }
+
+        if (!$this->uriSigner->checkRequest($request)) {
+            throw new InvalidSignatureException();
+        }
+
+        if ($request->query->getInt('expires') <= time()) {
+            throw new ExpiredSignatureException();
+        }
+
+        $knownToken = $this->tokenGenerator->createToken($userId, $userEmail);
+
+        if (!hash_equals($knownToken, $request->query->getString('token'))) {
+            throw new WrongEmailVerifyException();
+        }
+    }
 }

src/VerifyEmailHelperInterface.php

@@ -9,6 +9,7 @@
 
 namespace SymfonyCasts\Bundle\VerifyEmail;
 
+use Symfony\Component\HttpFoundation\Request;
 use SymfonyCasts\Bundle\VerifyEmail\Exception\VerifyEmailExceptionInterface;
 use SymfonyCasts\Bundle\VerifyEmail\Model\VerifyEmailSignatureComponents;
 
@@ -17,6 +18,8 @@
  *
  * @author Jesse Rushlow <jr@rushlow.dev>
  * @author Ryan Weaver   <ryan@symfonycasts.com>
+ *
+ * @method void validateEmailConfirmationFromRequest(Request $request, string $userId, string $userEmail)
  */
 interface VerifyEmailHelperInterface
 {
@@ -33,6 +36,8 @@ interface VerifyEmailHelperInterface
     public function generateSignature(string $routeName, string $userId, string $userEmail, array $extraParams = []): VerifyEmailSignatureComponents;
 
     /**
+     * @deprecated since v1.17.0, use validateEmailConfirmationFromRequest instead.
+     *
      * Validate a signed an email confirmation request.
      *
      * If something is wrong with the email confirmation, a

tests/AcceptanceTests/VerifyEmailAcceptanceTest.php

@@ -11,6 +11,8 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\UriSigner;
 use Symfony\Component\HttpKernel\KernelInterface;
 use SymfonyCasts\Bundle\VerifyEmail\Tests\VerifyEmailTestKernel;
 use SymfonyCasts\Bundle\VerifyEmail\VerifyEmailHelper;
@@ -22,6 +24,11 @@
  */
 final class VerifyEmailAcceptanceTest extends TestCase
 {
+    /**
+     * @legacy - Remove annotation in 2.0
+     *
+     * @group legacy
+     */
     public function testGenerateSignature(): void
     {
         $kernel = $this->getBootedKernel();
@@ -57,6 +64,7 @@ public function testGenerateSignature(): void
         );
     }
 
+    /** @group legacy */
     public function testValidateEmailSignature(): void
     {
         $kernel = $this->getBootedKernel();
@@ -88,6 +96,38 @@ public function testValidateEmailSignature(): void
         $this->assertTrue(true, 'Test correctly does not throw an exception');
     }
 
+    public function testValidateUsingRequestObject(): void
+    {
+        if (!class_exists(UriSigner::class)) {
+            $this->markTestSkipped('Requires symfony/http-foundation 6.4+');
+        }
+        $container = $this->getBootedKernel()->getContainer();
+
+        /** @var VerifyEmailHelper $helper */
+        $helper = $container->get(VerifyEmailAcceptanceFixture::class)->helper;
+        $expires = new \DateTimeImmutable('+1 hour');
+
+        $uriToTest = sprintf(
+            'http://localhost/verify/user?%s',
+            http_build_query([
+                'expires' => $expires->getTimestamp(),
+                'token' => base64_encode(hash_hmac(
+                    'sha256',
+                    json_encode(['1234', 'jr@rushlow.dev']),
+                    'foo',
+                    true
+                )),
+            ])
+        );
+
+        $signature = base64_encode(hash_hmac('sha256', $uriToTest, 'foo', true));
+
+        $test = sprintf('%s&signature=%s', $uriToTest, urlencode($signature));
+
+        $helper->validateEmailConfirmationFromRequest(Request::create(uri: $test), '1234', 'jr@rushlow.dev');
+        $this->assertTrue(true, 'Test correctly does not throw an exception');
+    }
+
     private function getBootedKernel(): KernelInterface
     {
         $builder = new ContainerBuilder();

tests/FunctionalTests/VerifyEmailHelperFunctionalTest.php

@@ -39,6 +39,11 @@ protected function setUp(): void
         $this->mockRouter = $this->createMock(UrlGeneratorInterface::class);
     }
 
+    /**
+     * @legacy - Remove annotation in 2.0
+     *
+     * @group legacy
+     */
     public function testGenerateSignature(): void
     {
         $token = $this->getTestToken();
@@ -65,6 +70,11 @@ public function testGenerateSignature(): void
         self::assertTrue(hash_equals($knownSignature, $testSignature));
     }
 
+    /**
+     * @legacy - Remove annotation in 2.0
+     *
+     * @group legacy
+     */
     public function testValidSignature(): void
     {
         $testSignature = $this->getTestSignedUri();

tests/IntegrationTests/VerifyEmailBundleAutowireTest.php

@@ -20,6 +20,11 @@
  */
 final class VerifyEmailBundleAutowireTest extends TestCase
 {
+    /**
+     * @legacy - Remove annotation in 2.0
+     *
+     * @group legacy
+     */
     public function testVerifyEmailBundleInterfaceIsAutowiredByContainer(): void
     {
         $builder = new ContainerBuilder();

tests/IntegrationTests/VerifyEmailServiceDefinitionTest.php

@@ -33,6 +33,10 @@ public function bundleServiceDefinitionDataProvider(): \Generator
 
     /**
      * @dataProvider bundleServiceDefinitionDataProvider
+     *
+     * @legacy - Remove annotation in 2.0
+     *
+     * @group legacy
      */
     public function testBundleServiceDefinitions(string $definition): void
     {

tests/UnitTests/Util/VerifyEmailQueryTest.php

@@ -15,6 +15,8 @@
 /**
  * @author Jesse Rushlow <jr@rushlow.dev>
  * @author Ryan Weaver   <ryan@symfonycasts.com>
+ *
+ * @group legacy
  */
 final class VerifyEmailQueryTest extends TestCase
 {

tests/UnitTests/VerifyEmailHelperTest.php

@@ -11,6 +11,7 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Bridge\PhpUnit\ClockMock;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\UriSigner;
 use Symfony\Component\HttpKernel\UriSigner as LegacyUriSigner;
 use Symfony\Component\Routing\RouterInterface;
@@ -49,6 +50,11 @@ protected function setUp(): void
         $this->tokenGenerator = $this->createMock(VerifyEmailTokenGenerator::class);
     }
 
+    /**
+     * @legacy - Remove annotation in 2.0
+     *
+     * @group legacy
+     */
     public function testSignatureIsGenerated(): void
     {
         $expires = time() + 3600;
@@ -82,6 +88,7 @@ public function testSignatureIsGenerated(): void
         self::assertSame($expectedSignedUrl, $components->getSignedUrl());
     }
 
+    /** @group legacy */
     public function testValidationThrowsEarlyOnInvalidSignature(): void
     {
         $signedUrl = '/verify?expires=1&signature=1234%token=xyz';
@@ -115,6 +122,7 @@ public function testValidationThrowsEarlyOnInvalidSignature(): void
         $helper->validateEmailConfirmation($signedUrl, '1234', 'jr@rushlow.dev');
     }
 
+    /** @group legacy */
     public function testExceptionThrownWithExpiredSignature(): void
     {
         $timestamp = (new \DateTimeImmutable('-1 seconds'))->getTimestamp();
@@ -139,6 +147,7 @@ public function testExceptionThrownWithExpiredSignature(): void
         $helper->validateEmailConfirmation($signedUrl, '1234', 'jr@rushlow.dev');
     }
 
+    /** @group legacy */
     public function testValidationThrowsWithInvalidToken(): void
     {
         $signedUrl = '/verify?token=badToken';
@@ -177,6 +186,88 @@ public function testValidationThrowsWithInvalidToken(): void
         $helper->validateEmailConfirmation($signedUrl, '1234', 'jr@rushlow.dev');
     }
 
+    public function testValidationWithRequestThrowsEarlyOnInvalidSignature(): void
+    {
+        /** @legacy - Remove conditional in 2.0 */
+        if (!class_exists(UriSigner::class)) {
+            $this->markTestSkipped('Requires symfony/http-foundation 6.4+');
+        }
+
+        $request = Request::create('/verify?expires=1&signature=1234%token=xyz');
+
+        $this->mockSigner
+            ->expects($this->once())
+            ->method('checkRequest')
+            ->with($request)
+            ->willReturn(false)
+        ;
+
+        $this->tokenGenerator
+            ->expects($this->never())
+            ->method('createToken')
+        ;
+
+        $helper = $this->getHelper();
+
+        $this->expectException(InvalidSignatureException::class);
+
+        $helper->validateEmailConfirmationFromRequest($request, '1234', 'jr@rushlow.dev');
+    }
+
+    public function testExceptionThrownWithExpiredSignatureFromRequest(): void
+    {
+        /** @legacy - Remove conditional in 2.0 */
+        if (!class_exists(UriSigner::class)) {
+            $this->markTestSkipped('Requires symfony/http-foundation 6.4+');
+        }
+
+        $timestamp = (new \DateTimeImmutable('-1 seconds'))->getTimestamp();
+        $signedUrl = '/?expires='.$timestamp;
+
+        $request = Request::create($signedUrl);
+
+        $this->mockSigner
+            ->expects($this->once())
+            ->method('checkRequest')
+            ->with($request)
+            ->willReturn(true)
+        ;
+
+        $this->expectException(ExpiredSignatureException::class);
+
+        $helper = $this->getHelper();
+        $helper->validateEmailConfirmationFromRequest($request, '1234', 'jr@rushlow.dev');
+    }
+
+    public function testValidationFromRequestThrowsWithInvalidToken(): void
+    {
+        /** @legacy - Remove conditional in 2.0 */
+        if (!class_exists(UriSigner::class)) {
+            $this->markTestSkipped('Requires symfony/http-foundation 6.4+');
+        }
+
+        $request = Request::create('/verify?expires=99999999999999&token=badToken');
+
+        $this->mockSigner
+            ->expects($this->once())
+            ->method('checkRequest')
+            ->with($request)
+            ->willReturn(true)
+        ;
+
+        $this->tokenGenerator
+            ->expects($this->once())
+            ->method('createToken')
+            ->with('1234', 'jr@rushlow.dev')
+            ->willReturn(base64_encode(hash_hmac('sha256', 'data', 'foo', true)))
+        ;
+
+        $this->expectException(WrongEmailVerifyException::class);
+
+        $helper = $this->getHelper();
+        $helper->validateEmailConfirmationFromRequest($request, '1234', 'jr@rushlow.dev');
+    }
+
     private function getHelper(): VerifyEmailHelperInterface
     {
         return new VerifyEmailHelper($this->mockRouter, $this->mockSigner, $this->mockQueryUtility, $this->tokenGenerator, 3600);