improved security
Some checks failed
PHPUnit / test (push) Has been cancelled

This commit is contained in:
2026-06-24 09:37:08 +02:00
parent 623fe0f464
commit b02f264b23
5 changed files with 65 additions and 7 deletions

View File

@ -18,7 +18,7 @@ final class SecurityPathsTest extends QdbTestCase
'INSERT INTO session (token, userID, role, entityID, createdAt, expiresAt, temp)
VALUES (:t, :uid, :role, :eid, :ca, :ea, 0)'
)->execute([
':t' => $token,
':t' => token_storage_key($token),
':uid' => $f->adminUserId,
':role' => 'admin',
':eid' => 'ent',

View File

@ -20,6 +20,11 @@ final class TokenTest extends QdbTestCase
$rec = token_get_record($token);
$this->assertNotNull($rec);
$this->assertSame('admin', $rec['role']);
[$pdo, $tmpDb, $lockFp] = qdb_open(false);
$stored = $pdo->query('SELECT token FROM session LIMIT 1')->fetchColumn();
qdb_discard($tmpDb, $lockFp);
$this->assertSame(token_storage_key($token), $stored);
$this->assertNotSame($token, $stored);
token_revoke($token);
$this->assertNull(token_get_record($token));

View File

@ -16,10 +16,24 @@ final class EncryptedPayloadTest extends TestCase
$json = '{"clientCode":"X","answers":[]}';
$env = qdb_sensitive_envelope($json, $token);
$this->assertTrue($env['encrypted']);
$this->assertSame('A256GCM', $env['alg']);
$plain = qdb_decrypt_sensitive_envelope($env, $token);
$this->assertSame($json, $plain);
}
public function testLegacyCbcEnvelopeStillDecrypts(): void
{
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
$token = bin2hex(random_bytes(32));
$json = '{"legacy":true}';
$key = hkdf_session_key_from_token($token);
$env = [
'encrypted' => true,
'payload' => base64_encode(aes256_cbc_encrypt_bytes($json, $key)),
];
$this->assertSame($json, qdb_decrypt_sensitive_envelope($env, $token));
}
public function testWrongTokenFailsDecrypt(): void
{
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';