
[11.x] Add support for previous apps keys in signed URL verification

Open Krisell opened this issue 9 months ago • 0 comments

Description

Laravel 11 introduced the ability to add app.previous_keys to migrate the app-key for encryption transparently, added in https://github.com/laravel/framework/pull/49962

This PR adds the same support for signed URLs, by allowing URLs generated under one of the previous keys (listed in app.previous_keys) to be considered as valid.

Implementation

The implementation iterates over the acceptable app keys, with the current app key first, and returns as soon as a valid HMAC is found. Of course, signing a new URL always uses the current app key.

To support this, I updated the default $keyResolver in UrlGenerator (set in RoutingServiceProvider) to return an array of keys. I can't see this return value being typed anywhere, and I kept support for single keys being returned, in case anyone injects their own key resolver.

Inspiration

The idea for this PR comes from @valorin and the Securing Laravel newsletter, where the missing support for signed URLs was mentioned.

Krisell, Apr 26 '24 15:04
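As an added example (not code from this PR or from Laravel itself), the following standalone Python model shows the verification order the PR describes: a key resolver that returns the current key first and the previous keys after it, signing that only ever uses the current key, and verification that walks the list and accepts the first key whose HMAC matches, while still accepting a single key from a custom resolver. It assumes an HMAC-SHA256 over the URL with the `signature` query parameter removed; the key values are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed sample keys: the active key plus two retired ones,
# standing in for app.key and app.previous_keys.
CURRENT_KEY = b"current-app-key-2024"
PREVIOUS_KEYS = [b"old-app-key-2023", b"old-app-key-2022"]


def key_resolver() -> list[bytes]:
    """Return the current key first, then the previous keys (the order the PR relies on)."""
    return [CURRENT_KEY, *PREVIOUS_KEYS]


def compute_signature(url: str, key: bytes) -> str:
    """HMAC-SHA256 of the unsigned URL under one key (assumed construction)."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()


def normalise_keys(keys) -> list[bytes]:
    """Accept either a single key or a list of keys, as a custom resolver might return either."""
    if isinstance(keys, (bytes, str)):
        keys = [keys]
    return [k.encode() if isinstance(k, str) else k for k in keys]


def sign_url(url: str, keys=None) -> str:
    """Sign with the current key only (keys[0]); never with a previous key.

    `keys` is injectable so a caller can reproduce a URL that was issued
    before a rotation, i.e. signed under what is now a previous key.
    """
    keys = normalise_keys(keys if keys is not None else key_resolver())
    separator = "&" if urlsplit(url).query else "?"
    return f"{url}{separator}signature={compute_signature(url, keys[0])}"


def has_valid_signature(signed_url: str, keys=None) -> bool:
    """Strip the signature parameter, then try each acceptable key in order."""
    keys = normalise_keys(keys if keys is not None else key_resolver())
    parts = urlsplit(signed_url)
    params = parts.query.split("&") if parts.query else []
    given = next((p.split("=", 1)[1] for p in params if p.startswith("signature=")), None)
    if given is None:
        return False  # unsigned URL: nothing to verify
    remaining = "&".join(p for p in params if not p.startswith("signature="))
    original = urlunsplit(parts._replace(query=remaining))
    for key in keys:  # current key first, previous keys afterwards
        # Constant-time comparison so a mismatch leaks nothing about the expected value.
        if hmac.compare_digest(compute_signature(original, key), given):
            return True
    return False


if __name__ == "__main__":
    url = "https://example.test/download?file=report.pdf"
    pre_rotation = sign_url(url, keys=PREVIOUS_KEYS[0])  # issued under an old key
    print("current-key URL valid:", has_valid_signature(sign_url(url)))
    print("pre-rotation URL valid:", has_valid_signature(pre_rotation))
    print("pre-rotation URL valid without previous keys:",
          has_valid_signature(pre_rotation, keys=[CURRENT_KEY]))
```

Verification succeeds for URLs signed under any listed key, so a rotation only breaks URLs signed with a key that has since been dropped from the previous-keys list; removing a key from that list is the point at which its outstanding URLs stop validating.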