Yiisoft\Security\TokenMask

Complexity

Total Complexity

3

Size/Duplication

Total Lines	37
Duplicated Lines	0 %

Test Coverage

Coverage

100%

Importance

Changes	1
Bugs	0	Features	0

2 Methods

Rating	Name	Duplication	Size	Complexity
A	apply()	0	6	1
A	remove()	0	10	2

<?php

declare(strict_types=1);

namespace Yiisoft\Security;

use Yiisoft\Strings\StringHelper;

/**
 * TokenMask helps to mitigate BREACH attack by randomizing how token is outputted on each request.
 * A random mask is applied to the token making the string always unique.
 */
final class TokenMask
{
    /**
     * Masks a token to make it incompressible.
     * Applies a random mask to the token and prepends the mask used to the result making the string always unique.
     *
     * @param string $token An unmasked token.
     *
     * @throws \Exception if unable to securely generate random bytes
     *
     * @return string A masked token.
     */
    public static function apply(string $token): string
    {
        // The number of bytes in a mask is always equal to the number of bytes in a token.
        /** @psalm-suppress ArgumentTypeCoercion */
        $mask = random_bytes(StringHelper::byteLength($token));
        return StringHelper::base64UrlEncode($mask . ($mask ^ $token));
    }

    /**
     * Unmasks a token previously masked by `mask`.
     *
     * @param string $maskedToken A masked token.
     *
     * @return string An unmasked token, or an empty string in case of token format is invalid.
     */
    public static function remove(string $maskedToken): string
    {
        $decoded = StringHelper::base64UrlDecode($maskedToken);
        $length = StringHelper::byteLength($decoded) / 2;
        // Check if the masked token has an even length.
        if (!is_int($length)) {

The condition is_int($length) is always true.

            return '';
        }

        return StringHelper::byteSubstring($decoded, $length, $length) ^ StringHelper::byteSubstring($decoded, 0, $length);
    }
}