Adjustment to test scripts to account for encryption.

Author: tswagger

docs/guides/api_hmac_keys.md

@@ -87,6 +87,18 @@ $user->revokeHmacToken($key);
 $user->revokeAllHmacTokens();
 ```
 
+## HMAC Secret Key Encryption
+
+The HMAC Secret Key is stored encrypted.  Before you start using HMAC, you will need to set/override the encryption key
+`$hmacEncryptionKey` in **app/Config/AuthToken.php**. This should be set using .env and/or system environment variables.
+Instructions on how to do that can be found in the
+[Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
+section of the CodeIgniter 4 documentation.
+
+You will also be able to adjust the default Driver `$hmacEncryptionDriver` and the default Digest
+`$hmacEncryptionDigest`, these default to `'OpenSSL'` and `'SHA512'` respectively.
+
+
 ## Protecting Routes
 
 The first way to specify which routes are protected is to use the `hmac` controller filter.

docs/references/authentication/hmac.md

@@ -156,3 +156,14 @@ if ($user->hmacTokenCant('forums.manage')) {
     // do something....
 }
 ```
+
+## HMAC Secret Key Encryption
+
+The HMAC Secret Key is stored encrypted.  Before you start using HMAC, you will need to set/override the encryption key
+`$hmacEncryptionKey` in **app/Config/AuthToken.php**. This should be set using .env and/or system environment variables.
+Instructions on how to do that can be found in the
+[Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
+section of the CodeIgniter 4 documentation.
+
+You will also be able to adjust the default Driver `$hmacEncryptionDriver` and the default Digest
+`$hmacEncryptionDigest`, these default to `'OpenSSL'` and `'SHA512'` respectively.

tests/Authentication/Filters/HmacFilterTest.php

@@ -13,6 +13,7 @@
 
 namespace Tests\Authentication\Filters;
 
+use CodeIgniter\Encryption\Encryption;
 use CodeIgniter\Shield\Entities\AccessToken;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Filters\HmacAuth;
@@ -30,6 +31,14 @@ final class HmacFilterTest extends AbstractFilterTestCase
     protected string $alias     = 'hmacAuth';
     protected string $classname = HmacAuth::class;
 
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $authConfig                    = config('AuthToken');
+        $authConfig->hmacEncryptionKey = Encryption::createKey();
+    }
+
     public function testFilterNotAuthorized(): void
     {
         $result = $this->call('get', 'protected-route');
@@ -47,7 +56,7 @@ public function testFilterSuccess(): void
         $user  = fake(UserModel::class);
         $token = $user->generateHmacToken('foo');
 
-        $rawToken = $this->generateRawHeaderToken($token->secret, $token->secret2, '');
+        $rawToken = $this->generateRawHeaderToken($token->secret, $token->rawSecretKey, '');
         $result   = $this->withHeaders(['Authorization' => 'HMAC-SHA256  ' . $rawToken])
             ->get('protected-route');
 
@@ -68,7 +77,7 @@ public function testFilterInvalidSignature(): void
         $user  = fake(UserModel::class);
         $token = $user->generateHmacToken('foo');
 
-        $result = $this->withHeaders(['Authorization' => 'HMAC-SHA256  ' . $this->generateRawHeaderToken($token->secret, $token->secret2, 'bar')])
+        $result = $this->withHeaders(['Authorization' => 'HMAC-SHA256  ' . $this->generateRawHeaderToken($token->secret, $token->rawSecretKey, 'bar')])
             ->get('protected-route');
 
         $result->assertStatus(401);
@@ -80,7 +89,7 @@ public function testRecordActiveDate(): void
         $user  = fake(UserModel::class);
         $token = $user->generateHmacToken('foo');
 
-        $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token->secret, $token->secret2, '')])
+        $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token->secret, $token->rawSecretKey, '')])
             ->get('protected-route');
 
         // Last Active should be greater than 'updated_at' column
@@ -97,15 +106,15 @@ public function testFiltersProtectsWithScopes(): void
         $token2 = $user2->generateHmacToken('foo', ['users-write']);
 
         // User 1 should be able to access the route
-        $result1 = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token1->secret, $token1->secret2, '')])
+        $result1 = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token1->secret, $token1->rawSecretKey, '')])
             ->get('protected-user-route');
 
         $result1->assertStatus(200);
         // Last Active should be greater than 'updated_at' column
         $this->assertGreaterThan(auth('hmac')->user()->updated_at, auth('hmac')->user()->last_active);
 
         // User 2 should NOT be able to access the route
-        $result2 = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token2->secret, $token2->secret2, '')])
+        $result2 = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token2->secret, $token2->rawSecretKey, '')])
             ->get('protected-user-route');
 
         $result2->assertStatus(401);
@@ -120,7 +129,7 @@ public function testBlocksInactiveUsers(): void
         // Activation only required with email activation
         setting('Auth.actions', ['register' => null]);
 
-        $result = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token->secret, $token->secret2, '')])
+        $result = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token->secret, $token->rawSecretKey, '')])
             ->get('protected-route');
 
         $result->assertStatus(200);
@@ -129,7 +138,7 @@ public function testBlocksInactiveUsers(): void
         // Now require user activation and try again
         setting('Auth.actions', ['register' => '\CodeIgniter\Shield\Authentication\Actions\EmailActivator']);
 
-        $result = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token->secret, $token->secret2, '')])
+        $result = $this->withHeaders(['Authorization' => 'HMAC-SHA256 ' . $this->generateRawHeaderToken($token->secret, $token->rawSecretKey, '')])
             ->get('protected-route');
 
         $result->assertStatus(403);

tests/Authentication/HasHmacTokensTest.php

@@ -13,6 +13,7 @@
 
 namespace Tests\Authentication;
 
+use CodeIgniter\Encryption\Encryption;
 use CodeIgniter\Shield\Entities\AccessToken;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Models\UserIdentityModel;
@@ -30,6 +31,9 @@ protected function setUp(): void
     {
         parent::setUp();
 
+        $authConfig                    = config('AuthToken');
+        $authConfig->hmacEncryptionKey = Encryption::createKey();
+
         $this->user = fake(UserModel::class);
         $this->db->table($this->tables['identities'])->truncate();
     }
@@ -43,6 +47,7 @@ public function testGenerateHmacToken(): void
 
         $this->assertIsString($token->secret);
         $this->assertIsString($token->secret2);
+        $this->assertIsString($token->rawSecretKey);
 
         // All scopes are assigned by default via wildcard
         $this->assertSame(['*'], $token->scopes);