Merge main into user_management

src/Util/StatelessTokenUtil.php

@@ -4,7 +4,6 @@
 
 namespace AnzuSystems\AuthBundle\Util;
 
-use AnzuSystems\CommonBundle\Helper\PasswordHelper;
 use Symfony\Component\HttpFoundation\Request;
 
 final class StatelessTokenUtil
@@ -16,19 +15,20 @@ public function __construct(
 
     public function createForRequest(Request $request): string
     {
-        return urldecode(base64_encode(PasswordHelper::passwordHash(
-            $this->createPlainForRequest($request)
-        )));
+        return urldecode(base64_encode(
+            $this->createHashForRequest($request)
+        ));
     }
 
     /**
      * @param non-empty-string $hash
      */
     public function isValidForRequest(Request $request, string $hash): bool
     {
-        $token = $this->createPlainForRequest($request);
-
-        return password_verify($token, urldecode(base64_decode($hash, strict: true)));
+        return hash_equals(
+            known_string: $this->createHashForRequest($request),
+            user_string: urldecode(base64_decode($hash, strict: true)),
+        );
     }
 
     /**
@@ -39,8 +39,12 @@ public function isNotValidForRequest(Request $request, string $hash): bool
         return false === $this->isValidForRequest($request, $hash);
     }
 
-    private function createPlainForRequest(Request $request): string
+    private function createHashForRequest(Request $request): string
     {
-        return $request->headers->get('User-Agent') . $request->getClientIp() . $this->statelessTokenSalt;
+        return hash_hmac(
+            algo: 'sha256',
+            data: $request->headers->get('User-Agent') . $request->getClientIp(),
+            key: $this->statelessTokenSalt,
+        );
     }
 }