Merge pull request #938 from Slamdunk/no_empty_please

Deprecate empty Signer, empty Key and empty Signature
lcobucci · Nov 4, 2022 · 68caae9 · 68caae9
2 parents 007530d + 3388430
commit 68caae9
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 23 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -105,26 +105,6 @@ $configuration = Configuration::forAsymmetricSigner(
 );
 ```
 
-### For no algorithm
-
-!!! Warning
-    This configuration type is **NOT** recommended for production environments.
-    It's only provided to allow people to have a simpler and faster setup for tests, avoiding any kind of signature creation/verification.
-
-```php
-<?php
-declare(strict_types=1);
-
-use Lcobucci\JWT\Configuration;
-
-require 'vendor/autoload.php';
-
-$configuration = Configuration::forUnsecuredSigner(
-    // You may also override the JOSE encoder/decoder if needed by providing
-    // extra arguments here
-);
-```
-
 ## Customisation
 
 By using the setters of the `Lcobucci\JWT\Configuration` you may customise the setup of this library.

diff --git a/docs/upgrading.md b/docs/upgrading.md
@@ -25,13 +25,13 @@ If you are using any variant of ECDSA, please change your code following this ex
 ```diff
  <?php
  declare(strict_types=1);
- 
+
  use Lcobucci\JWT\Configuration;
  use Lcobucci\JWT\Signer;
  use Lcobucci\JWT\Signer\Key\InMemory;
- 
+
  require 'vendor/autoload.php';
- 
+
  $configuration = Configuration::forAsymmetricSigner(
 -    Signer\Ecdsa\Sha256::create(),
 +    new Signer\Ecdsa\Sha256(),
@@ -42,6 +42,36 @@ If you are using any variant of ECDSA, please change your code following this ex
  );
 ```
 
+### Removal of `none` algorithm
+
+To promote a more secure usage of the library and prevent misuse we decided to deviate from the RFC and drop `none`, which means that the following components are being removed:
+
+* `Lcobucci\JWT\Configuration::forUnsecuredSigner()`
+* `Lcobucci\JWT\Signer\Key\InMemory::empty()`
+* `Lcobucci\JWT\Signer\None`
+* `Lcobucci\JWT\Token\Signature::fromEmptyData()`
+
+If you're relying on it and still want to have that on your system, please create your own implementation.
+
+If you're using it because it's "fast", please look into adoption the non-standard Blake2b implementation:
+
+```diff
+ <?php
+ declare(strict_types=1);
+
+ use Lcobucci\JWT\Configuration;
+ use Lcobucci\JWT\Signer;
+ use Lcobucci\JWT\Signer\Key\InMemory;
+
+ require 'vendor/autoload.php';
+
+-$configuration = Configuration::forUnsecuredSigner();
++$configuration = Configuration::forSymmetricSigner(
++    new Signer\Blake2b(),
++    InMemory::base64Encoded('MpQd6dDPiqnzFSWmpUfLy4+Rdls90Ca4C8e0QD0IxqY=')
++);
+```
+
 ## v3.x to v4.x
 
 The `v4.0.0` aggregates about 5 years of work and contains **several BC-breaks**.

diff --git a/phpstan.neon.dist b/phpstan.neon.dist
@@ -11,3 +11,19 @@ parameters:
             #^.+ deprecated class Lcobucci\\\\JWT\\\\Signer\\\\.+:
             Deprecated since v4\\.2$#
         """
+        - """
+            #^Call to deprecated method fromEmptyData\\(\\) of class Lcobucci\\\\JWT\\\\Token\\\\Signature:
+            Deprecated since v4\\.3$#
+        """
+        - """
+            #^Call to deprecated method forUnsecuredSigner\\(\\) of class Lcobucci\\\\JWT\\\\Configuration:
+            Deprecated since v4\\.3$#
+        """
+        - """
+            #^Call to deprecated method empty\\(\\) of class Lcobucci\\\\JWT\\\\Signer\\\\Key\\\\InMemory:
+            Deprecated since v4\\.3$#
+        """
+        - """
+            #^.+ of deprecated class Lcobucci\\\\JWT\\\\Signer\\\\None:
+            Deprecated since v4\\.3$#
+        """
diff --git a/src/Configuration.php b/src/Configuration.php
@@ -80,6 +80,7 @@ public static function forSymmetricSigner(
         );
     }
 
+    /** @deprecated Deprecated since v4.3 */
     public static function forUnsecuredSigner(
         ?Encoder $encoder = null,
         ?Decoder $decoder = null

diff --git a/src/Signer/Key/InMemory.php b/src/Signer/Key/InMemory.php
@@ -29,6 +29,7 @@ private function __construct(string $contents, string $passphrase)
         $this->passphrase = $passphrase;
     }
 
+    /** @deprecated Deprecated since v4.3 */
     public static function empty(): self
     {
         $emptyKey             = new self('empty', 'empty');

diff --git a/src/Signer/None.php b/src/Signer/None.php
@@ -5,6 +5,7 @@
 
 use Lcobucci\JWT\Signer;
 
+/** @deprecated Deprecated since v4.3 */
 final class None implements Signer
 {
     public function algorithmId(): string

diff --git a/src/Token/Signature.php b/src/Token/Signature.php
@@ -14,6 +14,7 @@ public function __construct(string $hash, string $encoded)
         $this->encoded = $encoded;
     }
 
+    /** @deprecated Deprecated since v4.3 */
     public static function fromEmptyData(): self
     {
         return new self('', '');