uma/psr7-hmac

An HMAC authentication library built on top of the PSR-7 specification

v1.0.0 2020-12-26 03:06 UTC

This package is auto-updated.

Last update: 2024-08-26 23:45:23 UTC


README

An HMAC authentication library built on top of the PSR-7 specification.



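If you want to build an HMAC-authenticated API on top of Symfony, check out UMAPsr7HmacBundle, which provides a convenient integration of this library with Symfony's Security component.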

Library API

/**
 * @param string $secret
 */
Signer::__construct($secret);

/**
 * @param RequestInterface $request
 *
 * @return RequestInterface
 */
Signer::sign(RequestInterface $request);

/**
 * @param InspectorInterface|null $inspector
 */
Verifier::__construct(InspectorInterface $inspector = null);

/**
 * @param RequestInterface $request
 * @param string           $secret
 *
 * @return bool
 */
Verifier::verify(RequestInterface $request, $secret);

Example script

<?php

require_once __DIR__.'/vendor/autoload.php';

use UMA\Psr7Hmac\Signer;
use UMA\Psr7Hmac\Verifier;


//// CLIENT SIDE
$psr7request = new \Zend\Diactoros\Request('http://www.example.com/index.html', 'GET');
// GET /index.html HTTP/1.1
// host: www.example.com

$signer = new Signer('secret');

$signedRequest = $signer->sign($psr7request);
// GET /index.html HTTP/1.1
// host: www.example.com
// authorization: HMAC-SHA256 63IQ8RWDbC9p4ipNrkJz0e0UeGiBrR96zkNdujE5cl8=
// signed-headers: host,signed-headers


//// SERVER SIDE
$verifier = new Verifier();

var_dump($verifier->verify($signedRequest, 'secret'));
// true

var_dump($verifier->verify($signedRequest, 'another secret'));
// false

// Headers added after calling sign() do not break the verification, as
// they are not included in the signed-headers list.
var_dump($verifier->verify($signedRequest->withHeader('User-Agent', 'PHP/5.x'), 'secret'));
// true

// Changes made to any chunk of data that was present at the time of the
// signature are still detected, though. In this example a signed header
// is omitted from the Signed-Headers list.
var_dump($verifier->verify($signedRequest->withHeader('Signed-Headers', 'signed-headers'), 'secret'));
// false

// The verification also fails if any single part of the request is
// removed altogether after signing it.
var_dump($verifier->verify($signedRequest->withoutHeader('Signed-Headers'), 'secret'));
// false
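
The behaviour shown in the script above can be modelled without the library. The following is an added example, not code from UMA\Psr7Hmac: it signs only the headers named in a self-covering Signed-Headers list and verifies with a constant-time comparison. The canonical string layout and the function names `canonical`, `sign` and `verify` are assumptions made for this illustration; the library's real serialization may differ.

```php
<?php
// Added illustration: a simplified model, not the library's canonical format.

function canonical(string $method, string $target, array $headers, array $signed): string
{
    $lines = ["$method $target"];
    foreach ($signed as $name) {
        if (!isset($headers[$name])) {
            throw new InvalidArgumentException("signed header missing: $name");
        }
        $lines[] = $name . ':' . trim($headers[$name]);
    }
    return implode("\n", $lines);
}

function sign(string $secret, string $method, string $target, array $headers): array
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $names = array_merge(array_keys($headers), ['signed-headers']);
    sort($names);
    // The list is set before the MAC is computed, so the list itself is covered.
    $headers['signed-headers'] = implode(',', $names);
    $mac = hash_hmac('sha256', canonical($method, $target, $headers, $names), $secret, true);
    return $headers + ['authorization' => 'HMAC-SHA256 ' . base64_encode($mac)];
}

function verify(string $secret, string $method, string $target, array $headers): bool
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $auth = $headers['authorization'] ?? '';
    if (!isset($headers['signed-headers']) || strncmp($auth, 'HMAC-SHA256 ', 12) !== 0) {
        return false;
    }
    $claimed = base64_decode(substr($auth, 12), true);
    try {
        $signed = explode(',', $headers['signed-headers']);
        $expected = hash_hmac('sha256', canonical($method, $target, $headers, $signed), $secret, true);
    } catch (InvalidArgumentException $e) {
        return false; // a header named in the list was stripped in transit
    }
    // hash_equals() compares in constant time; never use == or === on MACs.
    return $claimed !== false && hash_equals($expected, $claimed);
}

$h = sign('secret', 'GET', '/index.html', ['Host' => 'www.example.com']);
var_dump(verify('secret', 'GET', '/index.html', $h));                               // untouched request
var_dump(verify('another secret', 'GET', '/index.html', $h));                       // wrong key
var_dump(verify('secret', 'GET', '/index.html', $h + ['user-agent' => 'PHP/5.x'])); // unsigned header added
var_dump(verify('secret', 'GET', '/index.html', ['signed-headers' => 'signed-headers'] + $h)); // list edited
```

Headers that are absent from the Signed-Headers list are not authenticated, so server code should not base decisions on them.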

External resources

Disclaimer

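The code contained in this library has not been reviewed by any cryptographer or security expert, and I do not claim to be one myself. If you intend to use it in your own projects, you are advised to read the documentation, understand the code, and report any issues you find.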