Steps to reproduce:
1. Install the module per documentation.
2. Setup your application/consumer
3. Make sure that you have setup hash_salt in settings.php or settings local and that it is less then 32 in length
4. Try to request token for your consumer on oauth/token

You'll get issue like below in recent log messages:

Defuse\Crypto\Exception\EnvironmentIsBrokenException: Your version of PHP has bug #66797. Its implementation of mb_substr() is incorrect. See the details here: https://bugs.php.net/bug.php?id=66797 in Defuse\Crypto\Core::ourSubstr() (line 335 of /var/www/html/vendor/defuse/php-encryption/src/Core.php).

This is because Oauth2GrantManager has 32 as length passed to ourSubstr and it then function compares length of 32 to your salt which doesn't have to be 32 in length and then it fails with error which falsely represents the issue here.

Proposed solution

Since this is not something the module can fix for you, we should fail with a clear error message if the the salt is shorter than 32 characters.

CommentFileSizeAuthor
#8 simple_oauth-hash-salt-2935122-8.patch681 bytesBerdir
#2 2935122-2.patch588 bytesxSDx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

xSDx created an issue. See original summary.

xSDx’s picture

xSDx CreditAttribution: xSDx at Websolutions Agency commented
FileSize
2935122-2.patch588 bytes

Attaching patch

xSDx’s picture

xSDx CreditAttribution: xSDx at Websolutions Agency commented
Title: Issue with oauth/token if you have setup hash_salt other then 32 in length » Issue with oauth/token if you have setup hash_salt less then 32 in length
xSDx’s picture

xSDx CreditAttribution: xSDx at Websolutions Agency commented
Issue summary: View changes
Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented

I noticed this too but the patch doesn't really help. The correct fix is IMHO to throw a clearer exception if the has is too short instead of the very confusing one about that mb_string bug, this is a developer problem that can not be fixed automatically, so we should just fail with a clear error.

e0ipso’s picture

e0ipso
Primary language Catalan
Location Can Picafort
CreditAttribution: e0ipso as a volunteer and at Lullabot commented

this is a developer problem that can not be fixed automatically, so we should just fail with a clear error.

I agree with this conclusion.

e0ipso’s picture

e0ipso
Primary language Catalan
Location Can Picafort
CreditAttribution: e0ipso as a volunteer and at Lullabot commented
Issue summary: View changes
Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented
Status: Active » Needs review
FileSize
simple_oauth-hash-salt-2935122-8.patch681 bytes

Here's a fix, not sure if you want to have a test for this.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented
Version: 8.x-3.3 » 8.x-3.x-dev
e0ipso’s picture

e0ipso
Primary language Catalan
Location Can Picafort
CreditAttribution: e0ipso as a volunteer and at Lullabot commented
Status: Needs review » Fixed

Merged.

Thank you for the patch @Berdir. Thank you for the report @xSDx.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.