From de907bcd3a49826e97ee383baf28c04753a58ad3 Mon Sep 17 00:00:00 2001
From: Wietse van Ginkel
Date: Mon, 13 Oct 2025 11:15:08 +0200
Subject: [PATCH] fix: validate SEARCH_PEPPER configuration before token generation Added validation to ensure SEARCH_PEPPER is not empty before generating tokens. This prevents a security vulnerability where tokens would be generated without a pepper, making them vulnerable to rainbow table attacks. Changes: - Added empty pepper validation in Tokens::exact() - Added empty pepper validation in Tokens::prefixes() - Throw RuntimeException with helpful error message and setup instructions - Updated PHPDoc to document the exception The error message now guides developers to configure the pepper properly with a suggested command: openssl rand -base64 32
---
 src/Support/Tokens.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/Support/Tokens.php b/src/Support/Tokens.php
index c95ad78..06a7315 100644
--- a/src/Support/Tokens.php
+++ b/src/Support/Tokens.php
@@ -46,9 +46,18 @@ class Tokens
 *
 * @return string
 * Hex-encoded SHA-256 hash (64 characters).
+ *
+ * @throws \RuntimeException if pepper is empty
 */
 public static function exact(string $normalized, string $pepper): string
 {
+ if (empty($pepper)) {
+ throw new \RuntimeException(
+ 'SEARCH_PEPPER is not configured. Set it in your .env file for security. ' .
+ 'Generate a random string: openssl rand -base64 32'
+ );
+ }
+
 return hash('sha256', $normalized . $pepper);
 }
 
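Review bot: The guard `if (empty($pepper))` in exact() only rejects `''` and `'0'`, so a whitespace-only or one-character SEARCH_PEPPER still passes and yields tokens whose pepper is trivially guessable. Since the error text already recommends `openssl rand -base64 32`, the check could enforce a floor in line with that, for example `if (strlen(trim($pepper)) < 32) {`. The exact minimum is a project decision, and existing deployments with shorter peppers would start throwing. The `@throws` line should then say "if pepper is missing or too short" rather than "if pepper is empty". The identical guard in prefixes() in the next hunk has the same gap.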
@@ -71,9 +80,18 @@ public static function exact(string $normalized, string $pepper): string
 *
 * @return string[]
 * An array of hex-encoded SHA-256 prefix tokens.
+ *
+ * @throws \RuntimeException if pepper is empty
 */
 public static function prefixes(string $normalized, int $maxDepth, string $pepper): array
 {
+ if (empty($pepper)) {
+ throw new \RuntimeException(
+ 'SEARCH_PEPPER is not configured. Set it in your .env file for security. ' .
+ 'Generate a random string: openssl rand -base64 32'
+ );
+ }
+
 $out = [];
 $len = mb_strlen($normalized, 'UTF-8');
 $depth = min($maxDepth, $len);
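Review bot: The pepper guard and its two-line message in prefixes() are a verbatim copy of the block added to exact(), so a later change to the check or the wording can land in one method and miss the other. Moving it into one helper, `private static function assertPepperConfigured(string $pepper): void`, and calling `self::assertPepperConfigured($pepper);` first in both methods keeps the fail-closed behaviour in one place. The diffstat lists only src/Support/Tokens.php, so no test pins the new exception. A test asserting that both methods throw `\RuntimeException` for `''` would guard against the check being dropped. The body of prefixes() continues past the end of this hunk.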