Please, guys, pull this goodie off of the github. It is horribly insecure.

1. Once your secret is leaked, you are pwned... If you think your secret will never leak then think again.

2. It is not very hard to reverse engineer the secret anyway.

I used to do the stuff like this as well, but always gave me creeps. At last I resorted to generating random tokens and storing them in database along with their expiration, it was not that hard.

Could you be interested into a UrlSigner based on the CloudFront PHP SDK? I'll make one and I can do a PR if you like so. I'd then make a PR also on the laravel-url-signer to allow the choice between the two UrlSigners

Hi I just recently used this library, but I want to ask something, is it always needed to be instantiated or created new object just to use this?

What if we want to use the Signer in code A, and the validate in code B, repeat the code all the way?

And I have checked the Laravel URL Signer which have :: or static access object. why don't this URL-Signer has the same?

Thank You

I'm using Spatie Media Library for my images and am generating private and public URLs using Spatie URL Signer (Laravel package). This is working perfectly as long as everything is on the same server.

Recently I've started thinking about integrating a load balancer, which means I'll have to host my images on another server. Instead of using Amazon I've decided to go with DigitalOcean's block storage.

Now my problem: how do I validate a URL on server B that was generated on Server A?

Server B is my media server. To keep things light I'm working with the non-Laravel version of URL Signer on server B.

I've tried using the same keys on both servers (something really simple for testing), but that's not working.

SERVER A (Laravel)
config/laravel-url-signer.php
    'signatureKey' => '123123123',

SERVER B (PHP)
use Spatie\UrlSigner\MD5UrlSigner;
$urlSigner = new MD5UrlSigner('123123123');

No matter what I do the validation just keeps returning false. Is this possible?

hash_equals should be used to compare hashes instead of basic string comparison.

It is built into PHP since 5.6, as this project supports >=5.5.0 I added indigophp/hash-compat as a polyfill library.

All the tests still pass, I'm sorry not adding new ones but I didn't see how for this change.

The class expects child classes to define a createSignature method with the expected API, but it does not enforce that through an abstract method, which is the right way to enforce that.

The league/url package is deprecated in favor of league/uri. The latter requires php extensions to be installed which I'd rather avoid, so some refactoring would be required. Solutions: an alternative url package or a local implementation.

just stumbled over this lib yesterday and it feels interessting to me.

I am wondering why there is only a md5 based signature and whether this fact is "good enough" to protect a url from beeing fake-signed or similar?

would it make sense to use a 'more modern' crypto algo to sign the urls?

Currently, the signer requires using either an integer or a DateTime for the expiration. Is there any reason not to support using a DateTimeImmutable for the date ?

Use the newly tagged version (https://github.com/thephpleague/uri-components/releases/tag/2.3.0) of league/uri-components which supports PHP-8, instead of using the dev-master dependency. Using the dev-master dependency was giving conflicts when the minimum-stability does not allow this.

league/url has been abandoned since 2015-09-23 and this PR replaces it with its successor: league/uri and its components package league/uri-components.

The package change requires the minimum PHP version to be set to 7.2. PHPUnit was also updated to the last version that supports PHP7.2.

I know there was concern about requiring new extensions (https://github.com/spatie/url-signer/issues/1) by making the switch, however these are not hard dependencies. If you don't use the league/uri i18n URI processing feature (ext-intl) or don't want to create a data URI from a filepath (ext-fileinfo) then there are no issues – an exception is thrown should you use one of these features and don't have the required extension.

All existing unit tests pass without any modification.

Please let me know if you require any changes to get this PR merged.

Thanks!