symfony · BenMorel · Apr 30, 2025 · May 20, 2025 · May 20, 2025
@@ -11,6 +11,7 @@ CHANGELOG
  * Add ability for voters to explain their vote
  * Add support for voting on closures
  * Add `OAuth2User` with OAuth2 Access Token Introspection support for `OAuth2TokenHandler`
+ * Add support for backed enums in `SignatureHasher::computeSignatureHash()`
 
 7.2
 ---

@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Signature;
+
+final readonly class HashContext implements HashContextInterface
+{
+    public function __construct(
+        private \HashContext $hashContext,
+    ) {
+    }
+
+    public function update(string $data): void
+    {
+        hash_update($this->hashContext, ':' . base64_encode($data));
+    }
+
+    public function final(): string
+    {
+        return strtr(base64_encode(hash_final($this->hashContext, true)), '+/=', '-_~');
+    }
+}
@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Signature;
+
+interface HashContextInterface
+{
+    public function update(string $data): void;
+
+    public function final(): string;
+}
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Signature;
+
+final readonly class Hasher implements HasherInterface
+{
+    private const ALGO = 'sha256';
+
+    public function init(): HashContextInterface
+    {
+        return new HashContext(hash_init(self::ALGO));
+    }
+
+    public function hmac(string $data, string $key): string
+    {
+        return strtr(base64_encode(hash_hmac(self::ALGO, $data, $key, true)), '+/=', '-_~');
+    }
+}
@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Signature;
+
+interface HasherInterface
+{
+    public function init(): HashContextInterface;
+
+    public function hmac(string $data, string $key): string;
+}
@@ -36,6 +36,7 @@ public function __construct(
         #[\SensitiveParameter] private string $secret,
         private ?ExpiredSignatureStorage $expiredSignaturesStorage = null,
         private ?int $maxUses = null,
+        private HasherInterface $hasher = new Hasher(),
     ) {
         if (!$secret) {
             throw new InvalidArgumentException('A non-empty secret is required.');
@@ -102,27 +103,29 @@ public function verifySignatureHash(UserInterface $user, int $expires, string $h
     public function computeSignatureHash(UserInterface $user, int $expires): string
     {
         $userIdentifier = $user->getUserIdentifier();
-        $fieldsHash = hash_init('sha256');
+        $fieldsHashContext = $this->hasher->init();
 
         foreach ($this->signatureProperties as $property) {
             $value = $this->propertyAccessor->getValue($user, $property) ?? '';
+
             if ($value instanceof \DateTimeInterface) {
                 $value = $value->format('c');
-            }
-
-            if (!\is_scalar($value) && !$value instanceof \Stringable) {
+            } elseif ($value instanceof \BackedEnum) {
+                $value = $value->value;
+            } elseif (!\is_scalar($value) && !$value instanceof \Stringable) {
                 throw new \InvalidArgumentException(\sprintf('The property path "%s" on the user object "%s" must return a value that can be cast to a string, but "%s" was returned.', $property, $user::class, get_debug_type($value)));
             }
-            hash_update($fieldsHash, ':'.base64_encode($value));
+
+            $fieldsHashContext->update($value);
         }
 
-        $fieldsHash = strtr(base64_encode(hash_final($fieldsHash, true)), '+/=', '-_~');
+        $fieldsHash = $fieldsHashContext->final();
 
         return $this->generateHash($fieldsHash.':'.$expires.':'.$userIdentifier).$fieldsHash;
     }
 
     private function generateHash(string $tokenValue): string
     {
-        return strtr(base64_encode(hash_hmac('sha256', $tokenValue, $this->secret, true)), '+/=', '-_~');
+        return $this->hasher->hmac($tokenValue, $this->secret);
     }
 }
@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Tests\Fixtures;
+
+use Symfony\Component\Security\Core\Signature\HashContextInterface;
+
+class DummyHashContext implements HashContextInterface
+{
+    private string $data = '';
+
+    public function update(string $data): void
+    {
+        $this->data .= ':' . $data;
+    }
+
+    public function final(): string
+    {
+        return sprintf('HASH(%s)', $this->data);
+    }
+}
@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Tests\Fixtures;
+
+use Symfony\Component\Security\Core\Signature\HashContextInterface;
+use Symfony\Component\Security\Core\Signature\HasherInterface;
+
+class DummyHasher implements HasherInterface
+{
+    public function init(): HashContextInterface
+    {
+        return new DummyHashContext();
+    }
+
+    public function hmac(string $data, string $key): string
+    {
+        return sprintf('HMAC(%s,%s)', $data, $key);
+    }
+}
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Tests\Fixtures;
+
+use Symfony\Component\Security\Core\User\UserInterface;
+
+final class DummyUserWithProperties implements UserInterface
+{
+    public function __construct(
+        public string $identifier,
+        public mixed $arbitraryValue,
+    ) {
+    }
+
+    public function getUserIdentifier(): string
+    {
+        return $this->identifier;
+    }
+
+    public function getRoles(): array
+    {
+        return [];
+    }
+
+    public function eraseCredentials(): void
+    {
+    }
+}
@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Tests\Fixtures\Enum;
+
+enum IntBackedEnum: int
+{
+    case FOO = 0;
+    case BAR = 1;
+}
@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Tests\Fixtures\Enum;
+
+enum NonBackedEnum
+{
+    case FOO;
+    case BAR;
+}
@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Security\Core\Tests\Fixtures\Enum;
+
+enum StringBackedEnum: string
+{
+    case FOO = 'Foo';
+    case BAR = 'Bar';
+}