Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:119250 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 15038 invoked from network); 9 Jan 2023 21:56:27 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 9 Jan 2023 21:56:27 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id E23FD180505 for ; Mon, 9 Jan 2023 13:56:25 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-oa1-f44.google.com (mail-oa1-f44.google.com [209.85.160.44]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 9 Jan 2023 13:56:25 -0800 (PST) Received: by mail-oa1-f44.google.com with SMTP id 586e51a60fabf-150b06cb1aeso10232779fac.11 for ; Mon, 09 Jan 2023 13:56:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=yPtDroJpbp1tyM27a4nFXG1ZYbSmi5qn7HfrNxUGom8=; b=FRxEjBC1tcWFYbgNvBgs2lTCjomfSOZ8Mf+SxCZLM5Ij8bSt9R1tLITPn0J33+Hwvs 1Dp/KlBjzBxsi17LYWGDvEQr6XFdk4FAukys0t57q+s+Jm3EHBtlEQGEpDu5zN+jYzxC xzmOdFai4E/0qfpONxwnOZDZKoZ3UDZK9bJVSP/1EoY1d1Hr/QMRalXbFdtHHZkiQs8i VnkjQTGd3LuO9UafxhBnQPrmPl+ch0IbunN/8boJ52nUsvHLSu1WyJfwvWSFZ0itMIoX xQ66r4eZS4akVKQJV+fJEEhngjP9cm708GBc1EbgiqhihnL8wo8oP6HhGrce6C1IUh6s jpWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=yPtDroJpbp1tyM27a4nFXG1ZYbSmi5qn7HfrNxUGom8=; b=Gqv87zaKGh8cxE4XMa6+NQ/W656qzJ2zmZRMtyD4kV+j3yhwJt0GyGv1UYIySG3hOo Q+Hf8hBIcq+9l4Ydon3RsS2nRxHxlkPGzO0grgoE9lAnUfS57IVLWIoOLNdU9lto7paV AEu8WOykH12NtS9ETTeGrdyCiQJCtP2YDsMl9k9ASeis9a2Jhx/hv8bm/OJARinWNSNk Q3CjAGMJpTrtVFbsrLVruBslk+iXb3+PhVywa25+g91mwOH5V3DNz97i3tUE+jkyu1ij qVDVJpQMpjMU0VTT19ZRllXnXZY+b1U60Ea4h07yDav3uIM7Cgwc+FhzQ93PVW3Vjftr PbJw== X-Gm-Message-State: AFqh2kqiRCCgAKnhX9ihzKfvBfcAQ8TeAJi9mFtes0DEHVSdSxmJfT8t xdFrBWo7pnP8RgS2fF4UvsJvd/X/92y1lKxiKdwOBCq/ X-Google-Smtp-Source: AMrXdXvmYiF2shguYeAylE83sBqerNHpu96yStL8fAqcuMDSk7GeeLPuaZrVM7g2K/qknATTIJMw8U9TflHDg4/J1PA= X-Received: by 2002:a05:6870:332a:b0:144:87fd:a85c with SMTP id x42-20020a056870332a00b0014487fda85cmr3505746oae.97.1673301384819; Mon, 09 Jan 2023 13:56:24 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Mon, 9 Jan 2023 21:56:15 +0000 Message-ID: To: Derick Rethans Cc: Sara Golemon , PHP internals Content-Type: multipart/alternative; boundary="000000000000a4f9ad05f1dbd66a" Subject: Re: [PHP-DEV] base64url format From: davidgebler@gmail.com (David Gebler) --000000000000a4f9ad05f1dbd66a Content-Type: text/plain; charset="UTF-8" On Mon, Jan 9, 2023 at 9:42 PM Derick Rethans wrote: > On 9 January 2023 18:49:28 GMT, Sara Golemon wrote: > >I've been working with JWTs lately and that means working with Base64URL > >format. (Ref: https://www.rfc-editor.org/rfc/rfc4648#section-5 ) > >This is essentially the same thing as normal Base64, but instead of '+' > and > >'/', it uses '-' and '_', respectively. It also allows leaving off the > >training '=' padding characters. > > > >So far, I've just been including polyfills like this: > > > >function base64url_decode(string $str): string { > > return base64_decode(str_pad(strtr($str, '-_', '+/'), (4 - > >(strlen($str) % 4)) % 4, '=')); > >} > > > >function base64_encode(string $str): string { > > return rtrim(strtr(base64_encode($str), '+/', '-_'), '='); > >} > > > >These work fine, but they create a LOT of string copies along the way > which > >shouldn't be necessary. > >Would anyone mind if skipped RFC and just added `base64url_encode()` and > >`base64url_decode()` to PHP 8.3? > > Should these be new functions, or options to base64_encode instead? I'd > guess base64_decode could just accept both? I think from a UX/DX perspective, separate functions would be my preference, base64_url_encode and base64_url_decode (extra underscore which I feel is more consistent with PHP stock library). One consideration though is that base64_urlencode or base64_url_encode are function names which are likely already defined by a number of userland projects or libraries, since it's a very common thing to do with the prevalence of JWTs, so if the RFC process is being bypassed in this case, a new optional parameter to base64_encode might be better. But I think it would be weird to have base64_encode(bool $urlEncode = false) or something, which is presumably what it would look like. Dare I float the suggestion of a Base64 class, making base64_encode and base64_decode functions aliases for Base64::encode() and Base64::decode() respectively, then new Base64::urlEncode() and urlDecode() methods? --000000000000a4f9ad05f1dbd66a--