sendgrid-php

Deprecated Property Warnings in EventWebhook Signature Verification with PHP 8.2

Open supercrocman opened this issue 1 year ago • 2 comments

Issue Summary

The issue involves using the convertPublicKeyToECDSA and verifySignature functions in the SendGrid PHP client library. When executing these functions, deprecated warnings are logged.

Steps to Reproduce

  1. Call the convertPublicKeyToECDSA function with the SendGrid webhook public key.
  2. Use the output of the first function as input to the verifySignature function along with the request content and headers.

Code Snippet

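// Imports (at the top of the file)
use SendGrid\EventWebhook\EventWebhook;
use SendGrid\EventWebhook\EventWebhookHeader;

// Convert the configured public key, then verify the signed request
$eventWebhook = new EventWebhook();
$ecPublicKey = $eventWebhook->convertPublicKeyToECDSA($_ENV['SENDGRID_WEBHOOK_PUBLIC_KEY']);
return $eventWebhook->verifySignature(
    $ecPublicKey,
    $request->getContent(),
    $request->headers->get(EventWebhookHeader::SIGNATURE),
    $request->headers->get(EventWebhookHeader::TIMESTAMP)
);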

Exception/Log

Deprecated: Creation of dynamic property EllipticCurve\PublicKey::$pem is deprecated
Deprecated: Creation of dynamic property EllipticCurve\Signature::$der is deprecated

Technical details:

  • sendgrid-php version: 8.1.1
  • php version: 8.2.19

supercrocman avatar May 29 '24 08:05 supercrocman
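
An added example, not code from the issue or from sendgrid-php: it reproduces the PHP 8.2 dynamic-property deprecation with a stand-in class, shows the declared-property form that raises nothing, and filters only that one message around a verification call while forwarding every other error to the handler already installed. All class and function names here are hypothetical.

```php
<?php
// Stand-in for a vendor class that assigns an undeclared property
// (hypothetical; mirrors the pattern named in the logged warnings).
final class LegacyPublicKey
{
    public function __construct(string $pem)
    {
        $this->pem = $pem; // PHP 8.2+: E_DEPRECATED, dynamic property
    }
}

// Declaring the property is the real fix: no deprecation is raised.
final class DeclaredPublicKey
{
    public string $pem;

    public function __construct(string $pem)
    {
        $this->pem = $pem;
    }
}

// Runs $verify with only the dynamic-property deprecation filtered out.
// Anything other than a strict boolean true counts as "not verified".
function verifyQuietly(callable $verify): bool
{
    $previous = set_error_handler(
        static function (int $no, string $msg, string $file = '', int $line = 0) use (&$previous): bool {
            if ($no === E_DEPRECATED && str_starts_with($msg, 'Creation of dynamic property')) {
                return true; // swallow this one message only
            }
            // Forward everything else to the handler that was installed before
            return $previous ? $previous($no, $msg, $file, $line) !== false : false;
        }
    );
    try {
        return $verify() === true;
    } finally {
        restore_error_handler(); // never leave the filter installed
    }
}

// Constructed demo: the closure stands in for the verifySignature() call.
$ok = verifyQuietly(static function (): bool {
    new LegacyPublicKey('constructed-placeholder-pem');   // would log the deprecation
    new DeclaredPublicKey('constructed-placeholder-pem'); // raises nothing
    return true;
});
var_dump($ok); // bool(true), with no deprecation output
```

The filter matters most where the application's error handler turns deprecations into exceptions, since an exception thrown inside the verification call would otherwise reject every webhook request.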

We are also waiting for this. I opened a SendGrid support ticket and after some struggles they agreed to "submit a JIRA" on the 16th May 2024. It's been almost a month now and still no change.

The EllipticCurve deprecations come from starkbank/ecdsa which is set to version 0.* in composer.json. There is a new version 2.1 https://github.com/starkbank/ecdsa-php which likely fixes the issue.

On a related note, the sendgrid/sendgrid-php prerequisites require

PHP version 7.3, 7.4, 8.0, or 8.1

These versions are all outside of active support, and only 8.1 is still in security support. Could we please get official PHP 8.2/8.3 support!

cjhewett avatar Jun 11 '24 14:06 cjhewett

Well, SendGrid closed my support ticket in relation to this issue as "fixed" today 😒

I am getting the distinct feeling that SendGrid is just being left to decay by Twilio with some minimal outsourcing to keep the lights on...

cjhewett avatar Jul 30 '24 08:07 cjhewett

Dear SendGrid, you will be pleased to learn that PHP 8.4 has been released today...

It's now been 1 year 11 months and 13 days since your library stopped explicitly supporting the latest active PHP versions. Others are starting to notice and ask about it too: https://github.com/sendgrid/sendgrid-php/issues/1114

@thinkingserious I see you were a major contributor to this library in the past and still work at Twilio, Inc. Any chance you could ask the right people why this library isn't being updated anymore?

cjhewett avatar Nov 21 '24 14:11 cjhewett

The PR has been merged. This will be available in the release this coming Thursday!

tiwarishubham635 avatar Nov 25 '24 06:11 tiwarishubham635