feat: add key size validation #613
Conversation
Thank you @bshaffer for getting this fix in. Does someone need to contact MITRE and get the CVE updated to show that there is a fixed version?
@bshaffer should there be a way to opt out? IIUC currently we need to request new secrets from trusted external partners on our side now :/
It's protected in a major version of the library, so the way to opt out is to not upgrade to the major version until the keys are of sufficient length. I do recommend contacting your partners if their keys do not reach the minimum length security requirements, however.
Fair; I was wondering how bad a short key really is in the case of internal API calls to a trusted partner. Impractical at least :')
@ro0NL I don't know, I just wanted the big red flags that said my library was insecure to go away.
Our partner cannot generate new tokens, so we're stuck at v6, which is an issue.
@bshaffer would you consider something like passing
@ro0NL feel free to submit a PR and I'm happy to review it! I wouldn't expect you to have any problems staying on v6 for the near future. It also seems strange to me that a partner would not be able to generate new tokens. You could consider padding your existing tokens to reach the minimum key length.
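As an added example (not code from php-jwt or from this PR), the kind of key-length check the PR title describes, and what the padding workaround suggested above does to an HMAC tag. RFC 7518 section 3.2 requires an HS256 key to be at least as long as the SHA-256 output (32 bytes). The function names, constants and the constructed sample secret below are this example's own assumptions:

```python
"""Added example: HS256 key-length validation and the effect of padding a
short HMAC secret. Standard library only; not php-jwt's implementation."""
import hashlib
import hmac

HS256_MIN_KEY_BYTES = 32   # SHA-256 output size; the RFC 7518 minimum for HS256
SHA256_BLOCK_BYTES = 64    # HMAC zero-pads any key shorter than this internally


def is_acceptable_hs256_key(key: bytes) -> bool:
    """Length check only: True when the secret meets the HS256 minimum."""
    return len(key) >= HS256_MIN_KEY_BYTES


def require_hs256_key(key: bytes) -> bytes:
    """Reject short keys before signing or verifying (hypothetical helper name)."""
    if not is_acceptable_hs256_key(key):
        raise ValueError(
            f"HS256 key is {len(key)} bytes; at least {HS256_MIN_KEY_BYTES} required"
        )
    return key


def hs256_tag(key: bytes, message: bytes) -> bytes:
    """Raw HMAC-SHA256 tag over a signing input (header.payload in a JWT)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def zero_pad(key: bytes, length: int = HS256_MIN_KEY_BYTES) -> bytes:
    """Pad a short secret with NUL bytes up to the required length."""
    return key + b"\x00" * max(0, length - len(key))


def zero_padding_preserves_tag(short_key: bytes, message: bytes) -> bool:
    """True when the zero-padded key produces the same tag as the short key.

    HMAC already zero-pads keys shorter than the hash block size (64 bytes for
    SHA-256), so NUL padding up to 32 bytes changes nothing in the computed
    tag: existing tokens keep verifying, the padded key passes the length
    check, but the secret carries no more entropy than before.
    """
    return hmac.compare_digest(
        hs256_tag(short_key, message),
        hs256_tag(zero_pad(short_key), message),
    )


def nonzero_padding_changes_tag(short_key: bytes, message: bytes) -> bool:
    """True when padding with any non-NUL byte yields a different tag.

    Padding that actually adds key material is a key change: both the issuer
    and the verifier must adopt the new secret, which is the same coordination
    a fresh secret would need.
    """
    padded = short_key + b"\x01" * (HS256_MIN_KEY_BYTES - len(short_key))
    return not hmac.compare_digest(
        hs256_tag(short_key, message),
        hs256_tag(padded, message),
    )


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    secret = b"partner-secret"                 # 14 bytes, below the minimum
    signing_input = b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0"
    print("short key acceptable:", is_acceptable_hs256_key(secret))
    print("zero-padded key acceptable:", is_acceptable_hs256_key(zero_pad(secret)))
    print("zero padding keeps tag:", zero_padding_preserves_tag(secret, signing_input))
    print("non-zero padding changes tag:", nonzero_padding_changes_tag(secret, signing_input))
```

The two padding helpers show the trade-off behind the workaround: NUL padding keeps existing tokens valid and satisfies the length check without improving the secret, while padding with real key material is effectively a key rotation and still has to be agreed with the partner.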
@bshaffer thanks for the hint about padding, this seems a reasonable workaround 👍
fixes #605
Slightly different implementation for #609