Rework of encryption methods

Typo fixes in documentation

Author: tswagger

UPGRADING.md

@@ -53,7 +53,7 @@ protected function redirectToDeniedUrl(): RedirectResponse
 #### Config\AuthToken
 
 If you are using the HMAC authentication you need to update the encryption settings in **app/Config/AuthToken.php**.
-You will need to update and set the encryption key `$hmacEncryptionKey`. This should be set using .env and/or system
+You will need to update and set the encryption key `$hmacEncryptionKey`. This should be set using **.env** and/or system
 environment variables. Instructions on how to do that can be found in the
 [Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
 section of the CodeIgniter 4 documentation.

docs/guides/api_hmac_keys.md

@@ -18,7 +18,7 @@ Tokens are issued with the `generateHmacToken()` method on the user. This return
 `CodeIgniter\Shield\Entities\AccessToken` instance. The `AccessToken` object returned will include a `secret` field
 which will be the '**key**' and a `rawSecretKey` field that will be the '**secretKey**'. You should display the
 '**secretKey**' to your user immediately, so they have a chance to copy it somewhere safe, as this is the only time
-you can reveal this key. The '**key**' and '**sharedKey**' are saved to the database. The '**secretKey**' is stored
+you can reveal this key. The '**key**' and '**secretKey**' are saved to the database. The '**secretKey**' is stored
 encrypted.
 
 The `generateHmacToken()` method requires a name for the token. These are free strings and are often used to identify
@@ -91,7 +91,7 @@ $user->revokeAllHmacTokens();
 ## HMAC Secret Key Encryption
 
 The HMAC Secret Key is stored encrypted.  Before you start using HMAC, you will need to set/override the encryption key
-`$hmacEncryptionKey` in **app/Config/AuthToken.php**. This should be set using .env and/or system environment variables.
+`$hmacEncryptionKey` in **app/Config/AuthToken.php**. This should be set using **.env** and/or system environment variables.
 Instructions on how to do that can be found in the
 [Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
 section of the CodeIgniter 4 documentation.

src/Authentication/HMAC/HmacEncrypter.php

@@ -49,30 +49,33 @@ public function __construct()
     /**
      * Decrypt
      *
-     * @param string $base64String Encrypted string in base64 format
+     * @param string $encString Encrypted string
      *
      * @return string Raw decrypted string
      *
      * @throws EncryptionException
      */
-    public function decrypt(string $base64String): string
+    public function decrypt(string $encString): string
     {
-        return $this->encrypter->decrypt(base64_decode($base64String, true));
+        // Removes `$b6$` for base64 format.
+        $encString = substr($encString, 4);
+
+        return $this->encrypter->decrypt(base64_decode($encString, true));
     }
 
     /**
      * Encrypt
      *
      * @param string $rawString Raw string to encrypt
      *
-     * @return string Encrypted string in base64 format
+     * @return string Encrypted string
      *
      * @throws EncryptionException
      * @throws RuntimeException
      */
     public function encrypt(string $rawString): string
     {
-        $encryptedString = base64_encode($this->encrypter->encrypt($rawString));
+        $encryptedString = '$b6$' . base64_encode($this->encrypter->encrypt($rawString));
 
         if (strlen($encryptedString) > $this->authConfig->secret2StorageLimit) {
             throw new RuntimeException('Encrypted key too long. Unable to store value.');
@@ -81,6 +84,14 @@ public function encrypt(string $rawString): string
         return $encryptedString;
     }
 
+    /**
+     * Check if the string already encrypted
+     */
+    public function isEncrypted(string $string): bool
+    {
+        return str_starts_with($string, '$b6$');
+    }
+
     /**
      * Generate Key
      *

src/Commands/Hmac.php

@@ -6,6 +6,7 @@
 
 use CodeIgniter\Shield\Authentication\HMAC\HmacEncrypter;
 use CodeIgniter\Shield\Commands\Exceptions\BadInputException;
+use CodeIgniter\Shield\Exceptions\RuntimeException;
 use CodeIgniter\Shield\Models\UserIdentityModel;
 use Exception;
 use ReflectionException;
@@ -99,15 +100,29 @@ public function run(array $params): int
      */
     public function encrypt(): void
     {
-        $uIdModel  = new UserIdentityModel();
-        $encrypter = $this->encrypter;
+        $uIdModel    = new UserIdentityModel();
+        $uIdModelSub = new UserIdentityModel(); // For saving.
+        $encrypter   = $this->encrypter;
 
-        $uIdModel->where('type', 'hmac_sha256')->chunk(
+        $that = $this;
+
+        $uIdModel->where('type', 'hmac_sha256')->orderBy('id')->chunk(
             100,
-            static function ($identity) use ($uIdModel, $encrypter): void {
-                $identity->secret2 = $encrypter->encrypt($identity->secret2);
+            static function ($identity) use ($uIdModelSub, $encrypter, $that): void {
+                if ($encrypter->isEncrypted($identity->secret2)) {
+                    $that->write('id: ' . $identity->id . ', already encrypted, skipped.');
+
+                    return;
+                }
+
+                try {
+                    $identity->secret2 = $encrypter->encrypt($identity->secret2);
+                    $uIdModelSub->save($identity);
 
-                $uIdModel->save($identity);
+                    $that->write('id: ' . $identity->id . ', encrypted.');
+                } catch (RuntimeException $e) {
+                    $that->error('id: ' . $identity->id . ', ' . $e->getMessage());
+                }
             }
         );
     }
@@ -119,15 +134,25 @@ static function ($identity) use ($uIdModel, $encrypter): void {
      */
     public function decrypt(): void
     {
-        $uIdModel  = new UserIdentityModel();
-        $encrypter = $this->encrypter;
+        $uIdModel    = new UserIdentityModel();
+        $uIdModelSub = new UserIdentityModel(); // For saving.
+        $encrypter   = $this->encrypter;
+
+        $that = $this;
 
         $uIdModel->where('type', 'hmac_sha256')->chunk(
             100,
-            static function ($identity) use ($uIdModel, $encrypter): void {
+            static function ($identity) use ($uIdModelSub, $encrypter, $that): void {
+                if (! $encrypter->isEncrypted($identity->secret2)) {
+                    $that->write('id: ' . $identity->id . ', not encrypted, skipped.');
+
+                    return;
+                }
+
                 $identity->secret2 = $encrypter->decrypt($identity->secret2);
+                $uIdModelSub->save($identity);
 
-                $uIdModel->save($identity);
+                $that->write('id: ' . $identity->id . ', decrypted.');
             }
         );
     }