Implement decryption of response cipher

Author: Greg Bowler

src/Token.php

@@ -8,7 +8,7 @@ class Token {
 	const ENCRYPTION_METHOD = "aes128";
 
 	private string $key;
-	private string $secretIv;
+	private InitVector $secretIv;
 	private InitVector $iv;
 
 	public function __construct(
@@ -21,6 +21,10 @@ public function __construct(
 		$this->iv = $iv ?? new InitVector();
 	}
 
+	public function getIv():InitVector {
+		return $this->iv;
+	}
+
 // The request cipher is sent to the remote provider in the querystring. It
 // consists of the secret IV, encrypted with the client key. The remote provider
 // will decrypt the secret and use it as the key when encrypting the response
@@ -45,7 +49,10 @@ public function decryptResponseCipher(string $cipher):UserData {
 		$decrypted = openssl_decrypt(
 			base64_decode($cipher),
 			self::ENCRYPTION_METHOD,
-			$this->secretIv->getBytes(),
+			implode("|", [
+				$this->key,
+				$this->secretIv->getBytes(),
+			]),
 			0,
 			$this->iv->getBytes()
 		);
@@ -68,8 +75,4 @@ public function decryptResponseCipher(string $cipher):UserData {
 
 		return new UserData($obj->uuid, $obj->email);
 	}
-
-	public function getIv():InitVector {
-		return $this->iv;
-	}
 }

test/phpunit/TokenTest.php

@@ -2,7 +2,10 @@
 namespace Authwave\Test;
 
 use Authwave\InitVector;
+use Authwave\InvalidUserDataSerializationException;
+use Authwave\ResponseCipherDecryptionException;
 use Authwave\Token;
+use Authwave\UserData;
 use PHPUnit\Framework\TestCase;
 
 class TokenTest extends TestCase {
@@ -32,4 +35,65 @@ public function testGetIv() {
 		$sut = new Token("", null, $iv);
 		self::assertSame($iv, $sut->getIv());
 	}
+
+	public function testDecryptResponseCipherInvalid() {
+		$cipher = "0123456789abcdef";
+		$sut = new Token("test-key");
+		self::expectException(ResponseCipherDecryptionException::class);
+		$sut->decryptResponseCipher($cipher);
+	}
+
+	public function testDecryptResponseCipherBadJson() {
+		$key = uniqid("test-key-");
+		$secretIv = self::createMock(InitVector::class);
+		$secretIv->method("getBytes")
+			->willReturn(str_repeat("0", 16));
+		$iv = self::createMock(InitVector::class);
+		$iv->method("getBytes")
+			->willReturn(str_repeat("f", 16));
+		$cipher = openssl_encrypt(
+			"{badly-formed: json]",
+			Token::ENCRYPTION_METHOD,
+			implode("|", [$key, $secretIv->getBytes()]),
+			0,
+			$iv->getBytes()
+		);
+		$cipher = base64_encode($cipher);
+		$sut = new Token($key, $secretIv, $iv);
+		self::expectException(InvalidUserDataSerializationException::class);
+		$sut->decryptResponseCipher($cipher);
+	}
+
+	public function testDecryptResponseCipher() {
+		$key = uniqid("test-key-");
+		$secretIv = self::createMock(InitVector::class);
+		$secretIv->method("getBytes")
+			->willReturn(str_repeat("0", 16));
+		$iv = self::createMock(InitVector::class);
+		$iv->method("getBytes")
+			->willReturn(str_repeat("f", 16));
+
+		$uuid = "aabb-ccdd-eeff";
+		$email = "user@example.com";
+		$json = <<<JSON
+		{
+			"uuid": "$uuid",
+			"email": "$email"
+		}
+		JSON;
+
+		$cipher = openssl_encrypt(
+			$json,
+			Token::ENCRYPTION_METHOD,
+			implode("|", [$key, $secretIv->getBytes()]),
+			0,
+			$iv->getBytes()
+		);
+		$cipher = base64_encode($cipher);
+		$sut = new Token($key, $secretIv, $iv);
+		$userData = $sut->decryptResponseCipher($cipher);
+		self::assertInstanceOf(UserData::class, $userData);
+		self::assertEquals($uuid, $userData->getUuid());
+		self::assertEquals($email, $userData->getEmail());
+	}
 }