the browser-facing portion of osu!
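<?php

// Copyright (c) ppy Pty Ltd <contact@ppy.sh>. Licensed under the GNU Affero General Public License v3.0.
// See the LICENCE file in the repository root for full licence text.

declare(strict_types=1);

namespace App\Libraries;

/**
 * Self-verifying random tokens: a block of random bytes prefixed with an HMAC
 * of those bytes, base64url-encoded as a single string.
 *
 * Layout of the decoded token: [ 20-byte HMAC-SHA1 tag ][ random bytes ].
 *
 * What a successful isValid() proves is limited to "these random bytes were
 * signed with the key returned by \Crypt::getKey()". The token carries no
 * purpose, owner or expiry, so a string issued for one feature also validates
 * for any other feature using this class; callers that need such binding have
 * to store and check it themselves.
 *
 * NOTE(review): the MAC key is whatever \Crypt::getKey() returns. If that key
 * is also used for encryption elsewhere, a dedicated (derived) MAC key would
 * give cleaner key separation; confirm against the application's key handling.
 * Changing that key invalidates every token issued before the change.
 */
class SignedRandomString
{
    // HMAC-SHA1 is not broken by the known SHA-1 collision attacks, but the
    // algorithm and the tag length below must always be changed together, and
    // any change invalidates tokens that were already handed out.
    private const HMAC_ALGO = 'sha1';

    // Raw (binary) output size of HMAC_ALGO in bytes.
    private const HMAC_SIZE = 20;

    /**
     * Generates a new signed token.
     *
     * @param int $randomSize Number of random bytes to embed. Passed straight
     *                        to random_bytes(), which throws for sizes below 1.
     *
     * @return string base64url encoding of HMAC tag followed by the random bytes
     */
    public static function create(int $randomSize): string
    {
        $key = random_bytes($randomSize);
        $hmac = self::hmac($key);

        return Base64Url::encode($hmac.$key);
    }

    /**
     * Checks that a token was produced by create() under the current key.
     *
     * @param string $input Token as received from the client (untrusted).
     *
     * @return bool true only when the embedded tag matches the recomputed one
     */
    public static function isValid(string $input): bool
    {
        $bin = Base64Url::decode($input);
        if ($bin === null) {
            return false;
        }

        // Reject anything too short to hold a complete tag before slicing.
        // strlen() is deliberate: $bin is binary data and is measured in bytes.
        if (strlen($bin) < self::HMAC_SIZE) {
            return false;
        }

        $hmac = substr($bin, 0, self::HMAC_SIZE);
        $key = substr($bin, self::HMAC_SIZE);

        // hash_equals() compares in constant time, so the comparison does not
        // leak how many leading bytes of a forged tag were correct.
        return hash_equals(self::hmac($key), $hmac);
    }

    /**
     * Computes the raw binary HMAC of $key under the application key.
     *
     * Called through self:: rather than static:: because the method is
     * private; late static binding would fail if a subclass declared its own
     * private hmac().
     */
    private static function hmac(string $key): string
    {
        return hash_hmac(self::HMAC_ALGO, $key, \Crypt::getKey(), true);
    }
}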