PHPackages olipayne/guzzle-web-bot-auth-middleware - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [HTTP & Networking](/categories/http) 4. / 5. olipayne/guzzle-web-bot-auth-middleware ActiveLibrary[HTTP & Networking](/categories/http) olipayne/guzzle-web-bot-auth-middleware ======================================= Guzzle middleware for HTTP Message Signatures (RFC9421) with web-bot-auth. v1.1.3(2mo ago)41.2k↓50%1[1 PRs](https://github.com/olipayne/guzzle-web-bot-auth-middleware/pulls)MITPHPPHP ^7.4 || ^8.0CI passing Since May 28Pushed 2mo agoCompare [ Source](https://github.com/olipayne/guzzle-web-bot-auth-middleware)[ Packagist](https://packagist.org/packages/olipayne/guzzle-web-bot-auth-middleware)[ RSS](/packages/olipayne-guzzle-web-bot-auth-middleware/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (4)Dependencies (5)Versions (11)Used By (0) [![Latest Stable Version](https://camo.githubusercontent.com/40856e0202a104ad76bea3b7baecc266e420a6476ba5c118889062f8cb1e62df/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6f6c697061796e652f67757a7a6c652d7765622d626f742d617574682d6d6964646c65776172652e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/olipayne/guzzle-web-bot-auth-middleware)[![Total Downloads](https://camo.githubusercontent.com/66e1aace408643f68380dd3de575e78103e1cd95749a8b263974e4c1f8ea78aa/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6f6c697061796e652f67757a7a6c652d7765622d626f742d617574682d6d6964646c65776172652e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/olipayne/guzzle-web-bot-auth-middleware)[![License](https://camo.githubusercontent.com/79d035236401f05c3f28684978a3033fbdcf7d4f8b95a4b4725551cdc9563c48/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f6f6c697061796e652f67757a7a6c652d7765622d626f742d617574682d6d6964646c65776172652e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/olipayne/guzzle-web-bot-auth-middleware)[![GitHub Actions Workflow Status](https://camo.githubusercontent.com/8a21d5c4dc0efbeb04bdd8476729c5c17cbefc244d23ce82b83fd608ae0c0cab/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f6f6c697061796e652f67757a7a6c652d7765622d626f742d617574682d6d6964646c65776172652f63692e796d6c3f6272616e63683d6d61696e267374796c653d666c61742d737175617265)](https://github.com/olipayne/guzzle-web-bot-auth-middleware/actions) Guzzle Web Bot Auth Middleware (Ed25519 Edition) ================================================ [](#guzzle-web-bot-auth-middleware-ed25519-edition) A PHP Guzzle middleware for signing HTTP requests using HTTP Message Signatures (RFC 9421), specifically tailored for the `web-bot-auth` profile as discussed by [Cloudflare](https://blog.cloudflare.com/web-bot-auth/). This version uses Ed25519 signatures via the `libsodium` PHP extension. Requirements ------------ [](#requirements) - PHP 7.4+ (libsodium is bundled with PHP 7.2+, but this package uses features from 7.4+) - The `sodium` PHP extension must be enabled. - GuzzleHTTP 7.0+ Installation ------------ [](#installation) Install the package via Composer: ``` composer require olipayne/guzzle-web-bot-auth-middleware ``` Prerequisites & Setup (Ed25519) ----------------------------------- [](#prerequisites--setup-ed25519) To use this middleware, you need an Ed25519 private key, its corresponding public key (in JWK format hosted publicly), and a `keyid` (JWK Thumbprint of the public key). The middleware uses `alg: "ed25519"` in the `Signature-Input` header. ### Easiest Setup: All-in-One Ed25519 Key Generation Script [](#easiest-setup-all-in-one-ed25519-key-generation-script) This package includes a utility script to generate everything you need for Ed25519: 1. **Make the script executable** (if you haven't already): ``` chmod +x vendor/olipayne/guzzle-web-bot-auth-middleware/bin/generate-keys.php ``` 2. **Run the script** from your project's root directory (or any directory where you want the key files to be saved): ``` php vendor/olipayne/guzzle-web-bot-auth-middleware/bin/generate-keys.php ``` (Path might vary based on your setup. If installed as a library, it's in `vendor/olipayne/guzzle-web-bot-auth-middleware/bin/`.) The script will: - Create `ed25519_private.key` (containing the base64 encoded Ed25519 private key - **KEEP THIS SAFE AND SECRET!**). - Create `ed25519_public.key` (containing the base64 encoded Ed25519 public key, for your reference). - Output the **Base64 Encoded Ed25519 Private Key**: You'll pass this (or the path to `ed25519_private.key`) to the middleware. - Output the **JWK Thumbprint (kid)**: This is the `keyid` for the middleware. - Output the **Full Ed25519 JWK**: This is the JSON structure of your public key to host publicly. Example output snippet: ``` Base64 encoded Ed25519 private key saved to: ed25519_private.key (Used by the middleware) Base64 encoded Ed25519 public key saved to: ed25519_public.key (For reference or other uses) --- Configuration for WebBotAuthMiddleware (Ed25519) --- Base64 Encoded Ed25519 Private Key (content of 'ed25519_private.key', for middleware constructor): YOUR_BASE64_ENCODED_ED25519_PRIVATE_KEY JWK Thumbprint (use as 'keyId'): YOUR_GENERATED_ED25519_KEY_ID Full Ed25519 JWK (host this at your 'signatureAgent' URL, typically in a JWKSet): { "kty": "OKP", "crv": "Ed25519", "x": "...base64url_encoded_public_key...", "kid": "YOUR_GENERATED_ED25519_KEY_ID", "alg": "Ed25519", "use": "sig" } ... ``` 3. **Host Your Public Key Data for Signature-Agent**The `Signature-Agent` header in your requests points to metadata that allows a verifier to discover your signing key. A common path in existing deployments is `https://your-bot.example.com/.well-known/jwks.json`. The current HTTP Message Signatures directory draft recommends `https://your-bot.example.com/.well-known/http-message-signatures-directory`. If you expose a direct JWKSet URL, the content should be: ``` { "keys": [ // The "Full Ed25519 JWK" output from the script goes here { "kty": "OKP", "crv": "Ed25519", "x": "...base64url_encoded_public_key...", "kid": "YOUR_GENERATED_ED25519_KEY_ID", "alg": "Ed25519", "use": "sig" } ] } ``` Ensure this URL is publicly accessible. ### Using an Existing Ed25519 Public Key [](#using-an-existing-ed25519-public-key) If you already have a base64 encoded Ed25519 public key and need its JWK and `kid`: 1. Make the `generate-jwk.php` script executable: ``` chmod +x vendor/olipayne/guzzle-web-bot-auth-middleware/bin/generate-jwk.php ``` 2. Run it with your base64 encoded Ed25519 public key string or the path to a file containing it: ``` # Using a string php vendor/olipayne/guzzle-web-bot-auth-middleware/bin/generate-jwk.php YOUR_BASE64_PUBLIC_KEY_STRING # Using a file php vendor/olipayne/guzzle-web-bot-auth-middleware/bin/generate-jwk.php path/to/your/ed25519_public.key ``` This will output the `kid` and the full JWK for your existing public key. 3. You will need your corresponding Ed25519 private key (base64 encoded) to configure the middleware. 4. Host the public JWK as described in Step 3 of the "Easiest Setup". Usage ----- [](#usage) Provide the base64 encoded Ed25519 private key (or the path to the file like `ed25519_private.key`), your `keyid`, and your `signatureAgent` URL to the middleware. ```