Merge pull request #16 from ginkelsoft-development/fix/validate-pepper-configuration

ginkelsoft-development · web-flow · commit 052f6ec08950 · 2025-10-13T11:15:45.000+02:00
fix: validate SEARCH_PEPPER configuration before token generation
diff --git a/src/Support/Tokens.php b/src/Support/Tokens.php
@@ -46,9 +46,18 @@ class Tokens
      *
      * @return string
      *     Hex-encoded SHA-256 hash (64 characters).
+     *
+     * @throws \RuntimeException if pepper is empty
      */
     public static function exact(string $normalized, string $pepper): string
     {
+        if (empty($pepper)) {
+            throw new \RuntimeException(
+                'SEARCH_PEPPER is not configured. Set it in your .env file for security. ' .
+                'Generate a random string: openssl rand -base64 32'
+            );
+        }
+
         return hash('sha256', $normalized . $pepper);
     }
 
@@ -71,9 +80,18 @@ public static function exact(string $normalized, string $pepper): string
      *
      * @return string[]
      *     An array of hex-encoded SHA-256 prefix tokens.
+     *
+     * @throws \RuntimeException if pepper is empty
      */
     public static function prefixes(string $normalized, int $maxDepth, string $pepper): array
     {
+        if (empty($pepper)) {
+            throw new \RuntimeException(
+                'SEARCH_PEPPER is not configured. Set it in your .env file for security. ' .
+                'Generate a random string: openssl rand -base64 32'
+            );
+        }
+
         $out = [];
         $len = mb_strlen($normalized, 'UTF-8');
         $depth = min($maxDepth, $len);
