tuupola / branca-php Goto Github PK

Dear Tuupola,

First of all, thank you for all your great work. I'm currently implementing a REST api using branca-middleware. I haven't touched my code since one month and I experienced an issue with sodium_compat library. I assume it's not an issue with Branca library but I'm just curious about this change.

Apparently, we need a 64 bit version of php to encode payload. Here is the error message than occur when I try to encode payload :

pack(): 64-bit format codes are not available for 32-bit versions of PHP

E:\Utilisateurs\Dropbox\brancatest\vendor\paragonie\sodium_compat\src\Core\Util.php:656
E:\Utilisateurs\Dropbox\brancatest\vendor\paragonie\sodium_compat\src\Crypto32.php:298
E:\Utilisateurs\Dropbox\brancatest\vendor\paragonie\sodium_compat\src\Crypto32.php:362
E:\Utilisateurs\Dropbox\brancatest\vendor\paragonie\sodium_compat\src\Compat.php:732
E:\Utilisateurs\Dropbox\brancatest\vendor\tuupola\branca\src\Branca.php:55

I have build a minimalistic test to reproduce this issue/change :
Error test

I'm currently learning php, so I probably miss something relevant.

64-bit versions of PHP is now required to work with Branca ?

Is timestamp a security risk? Ie. should there be another version without timestamp in header. Currently it is possible to opt out by passing a 0 or false as timestamp. This still wastes a few bytes per request.

First of all, nice job with Branca-php lib, now the "issue".

1. Branca-php uses error messages which cannot be translated. I cannot wrap them to translation function because they are hardcoded.
2. In my CMS, I set custom exception_handler [When exception is thrown, user only see message "Please report error with IDxxxxx" and the error is saved to DB]. In case of Branca's decipherer failure I want to display some better message to user, which I cannot thanks to my custom exception_handler.

This is the question:

Can you add config which disables RuntimeExceptions and just returns 'false' when decipherer operation fails? Something like:

$branca = new Branca( "supersecretkeyyoushouldnotcommit", false );

This solves both points.

These are 9 error logs within 3 weeks:

ErrorException: unpack(): Type N: not enough input values, need 4 values but only 0 were provided in /var/www/example/com/vendor/tuupola/branca/src/Branca.php:131

Error is caused by bots sniffing around the website.

The line is:

 $parts = unpack("Cversion/Ntime", $header);

Maybe @unpack will help.