Yiisoft\Security\TokenMasker

Complexity

Total Complexity

3

Size/Duplication

Total Lines	31
Duplicated Lines	0 %

Test Coverage

Coverage

100%

Importance

Changes	1
Bugs	0	Features	0

2 Methods

Rating	Name	Duplication	Size	Complexity
A	unmask()	0	10	2
A	mask()	0	5	1

<?php declare(strict_types=1);

namespace Yiisoft\Security;

use Yiisoft\Strings\StringHelper;

/**
 * TokenMask helps to mitigate BREACH attack by randomizing how token is outputted on each request.
 * A random mask is applied to the token making the string always unique.
 */
final class TokenMasker
{
    /**
     * Masks a token to make it uncompressible.
     * Applies a random mask to the token and prepends the mask used to the result making the string always unique.
     * @param string $token An unmasked token.
     * @return string A masked token.
     * @throws \Exception if unable to securely generate random bytes
     */
    public static function mask(string $token): string
    {
        // The number of bytes in a mask is always equal to the number of bytes in a token.
        $mask = random_bytes(StringHelper::byteLength($token));
        return StringHelper::base64UrlEncode($mask . ($mask ^ $token));
    }

    /**
     * Unmasks a token previously masked by `mask`.
     * @param string $maskedToken A masked token.
     * @return string An unmasked token, or an empty string in case of token format is invalid.
     */
    public static function unmask(string $maskedToken): string
    {
        $decoded = StringHelper::base64UrlDecode($maskedToken);
        $length = StringHelper::byteLength($decoded) / 2;
        // Check if the masked token has an even length.
        if (!is_int($length)) {

The condition is_int($length) is always true.

            return '';
        }

        return StringHelper::byteSubstr($decoded, $length, $length) ^ StringHelper::byteSubstr($decoded, 0, $length);
    }
}