A PHP library for signing URLs and verify their validity.
It works by appending a computed signature and an expiring timestamp to an URL. The generated URL is valid if its data is not altered in any way and until the specified expiring time.
A signed URL possession, provides limited time to perform a request, and can transport publicly visible query parameters, for example tokens and other not sensitive data, without the need to store them in a backend storage like session or cache.
Some use cases:
- Login links
- Password reset links
- Email confirmation links
- etc.
Install via Composer:
composer require coppolafab/php-url-signeruse coppolafab\UrlSigner\HashHmacUrlSigner;
use DateTimeImmutable;
$urlSigner = new HashHmacUrlSigner('valid' /** signature key */);
// valid until 2020-09-13T12:26:40+00:00
$expirationDate = (new DateTimeImmutable())->setTimestamp(1600000000);
$signedUrl = $urlSigner->sign('https://example.com/', $expirationDate);
// 'https://example.com/?url_expires_at=1600000000&signature=d6ebe19e590813d94d1b58fe9f9e204a3c5f074ac791dbf0fc2bc3631091f2f1'
$isValid = $urlSigner->verify($signedUrl);
// true, if verified before $expirationDate- Coding Style:
$ vendor/bin/phpcs - Unit tests:
$ vendor/bin/phpunit - Static analysis - PHPStan:
$ vendor/bin/phpstan analyse - Static analysis - Psalm:
$ vendor/bin/psalm - Mutation Testing - Infection:
vendor/bin/infection
A docker-compose.yml file is included, with a pre-configured image that builds PHP8 and pcov.
# build image
docker-compose build
# install dependencies
docker-compose run --rm php-url-signer composer install
# run tests
docker-compose run --rm php-url-signer vendor/bin/phpunit
docker-compose run --rm php-url-signer ...