This project provides a a CRUD REST API for securely storing strings. It uses Halite which is based on Sodium. The algorithm of encryption is xsalsa20, see \ParagonIE\Halite\Symmetric\Crypto::encrypt.

The principles of security are as follows:

• The only places where the sensitive data (Item::$data) is unencrypted is in the entry points - where we receive it from the user, and when we return it to the user;
• Sensitive data is stored encrypted;
• We never pass around sensitive (Item::$data) in plain-text form (as a string);
• We wrap it in a special class HiddenString which overrides PHP magic methods such as __toString, so that the sensitive property is not exposed in the event of the class being dumped, in exception stack traces, etc.

POST /login

Request JSON:

{
    "username": "john",
    "password": "maxsecure"
}

Response:

{
    "username": "john",
    "roles": [
        "ROLE_USER"
    ]
}

To further use the API, pass the PHPSESSID cookie received in the response.

This endpoint received an item in plain text, encrypts it and stores the encrypted version in the database.

POST /item

Request JSON:

{"data" : "secret"}

Response JSON:

{
    "id": 4,
    "data": "faasdasd",
    "created_at": {
        "date": "2021-04-18 18:16:11.711750",
        "timezone_type": 3,
        "timezone": "UTC"
    },
    "updated_at": {
        "date": "2021-04-18 18:16:11.712207",
        "timezone_type": 3,
        "timezone": "UTC"
    }
}

The item in the database:

GET /item

Response:

[
    {
        "id": 2,
        "data": "faasdasd",
        "created_at": {
            "date": "2021-04-18 15:44:59.000000",
            "timezone_type": 3,
            "timezone": "UTC"
        },
        "updated_at": {
            "date": "2021-04-18 15:44:59.000000",
            "timezone_type": 3,
            "timezone": "UTC"
        }
    },
    {
        "id": 4,
        "data": "faasdasd",
        "created_at": {
            "date": "2021-04-18 18:16:11.000000",
            "timezone_type": 3,
            "timezone": "UTC"
        },
        "updated_at": {
            "date": "2021-04-18 18:16:11.000000",
            "timezone_type": 3,
            "timezone": "UTC"
        }
    }
]

POST /item/<itemid>

Request is in form-data form and the response is the Item JSON object.

PUT /item

This method uses form-data, not JSON.

POST /logout

No custom response is made - you will see the default Symfony welcome HTML page.

• Install docker
• Install docker-compose
• Add your user to the "docker" group

• Add secure-storage.localhost to /etc/hosts: 127.0.0.1 secure-storage.localhost
• Run make init to initialize the project

make tests

See postman_collection.json