I need to use jwe in my code. I found a couple of jwe libraries (here and here) that also requires phpseclib to be installed. However, we are not allowed to install composer in our area of work.

How do i reference the jwe and phpseclib libraries without composer? Thanks.

  • Download the files, put them all in some specific folder (something like vendor, as Composer usually does) and create your own PSR-4 autoloader (you can use [PHP-FIG's example](https://www.php-fig.org/psr/psr-4/examples/)). You'll get the same functionality as Composer but without actually using it. I have to ask though, why aren't you allowed to install Composer? That just seems... silly. – M. Eriksson Apr 24 '18 at 04:45
  • Security concerns that Composer might be loading other files behind the scenes. I am equally helpless, as the majority of the code on Git uses Composer. – Spiral1ng Apr 24 '18 at 04:52
  • 2
    That's crazy! I feel for you. It can't be a real developer that made that rule up. :-p. (since Composer is pretty transparent about what it does) Well, you can mimic the functionality with your own PSR-4 loader if you want. You would still need to download all the packages and dependencies manually though, so you're still in for a lot of work. – M. Eriksson Apr 24 '18 at 05:00
  • I feel for you too! How can we consider that Composer will create security issues? It is easy to know what have been downloaded and installed and it offers great features related to security topics (shows unmaintained/outdated deps, semantic versioning and so on). By the way please note that I will abandon spomky-labs/jose by the eand of the year. Please use https://github.com/web-token instead (does not requires phpseclib anymore). – Spomky-Labs Apr 24 '18 at 14:21
  • @FlorentMorselli - I don't think phpseclib is the problem per say. The problem, as I understand it, is any PHP library that's in the require section of his composer.json and although https://github.com/web-token drops phpseclib as a dependency it adds several other dependencies. – neubert Apr 24 '18 at 14:58
  • @neubert I agree with you. That was the idea of my comment (sorry if it wasn't clear enough). – Spomky-Labs Apr 24 '18 at 17:41

1 Answer

You could use Composer's autoloader without using the full Composer, e.g.

<?php
// autoload.php is a local copy of Composer's single ClassLoader.php file (link below)
include 'autoload.php';

$loader = new \Composer\Autoload\ClassLoader();
// map the phpseclib\ namespace prefix onto the directory holding the library's sources
$loader->addPsr4('phpseclib\\', __DIR__ . '/path/to/phpseclib2.0');
// hook the loader into PHP's spl_autoload chain
$loader->register();

// insert your code here

Where autoload.php is this:

https://raw.githubusercontent.com/composer/composer/master/src/Composer/Autoload/ClassLoader.php

So at that point instead of having to code review the whole of Composer you just code review that one file.

You could also use the auto-loader by PHP-FIG:

https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-4-autoloader-examples.md

<?php
// autoloader.php holds the Psr4AutoloaderClass from the PHP-FIG example linked above
include('autoloader.php');

$loader = new \Example\Psr4AutoloaderClass;
$loader->register();
// namespace prefix => base directory of the library
$loader->addNamespace('phpseclib', __DIR__.'/phpseclib');

That said, I do think your company's policies are silly. If you're not going to trust Composer, then why would you trust any third-party PHP library? So it's causing you problems with phpseclib today. What other libraries might you want to use in the future that this policy will also cause you problems with?
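For readers who want to see what such a loader actually does, here is a minimal PSR-4 autoloader in the spirit of the PHP-FIG sample. This is an added example, not code from the question, the answer or the PHP-FIG project; the class name, the `phpseclib` prefix and the `__DIR__ . '/phpseclib'` directory are assumptions, and the realpath check is an extra guard that the PHP-FIG sample does not have.

```php
<?php
// Added example (not from the original post): a PSR-4 autoloader small enough to
// code review in full. Prefix and directory used at the bottom are assumptions.
final class MinimalPsr4Loader
{
    private array $prefixes = []; // namespace prefix (trailing \) => base directory

    public function addNamespace(string $prefix, string $baseDir): void
    {
        // Normalise so that "phpseclib" and "phpseclib\" register identically.
        $prefix = trim($prefix, '\\') . '\\';
        $this->prefixes[$prefix] = rtrim($baseDir, '/\\') . DIRECTORY_SEPARATOR;
    }

    public function register(): void
    {
        spl_autoload_register([$this, 'loadClass']);
    }

    /** Map a fully qualified class name to [baseDir, file], or null if no prefix matches. */
    public function resolve(string $class): ?array
    {
        foreach ($this->prefixes as $prefix => $baseDir) {
            if (strncmp($class, $prefix, strlen($prefix)) !== 0) {
                continue;
            }
            $relative = substr($class, strlen($prefix));
            return [$baseDir, $baseDir . str_replace('\\', DIRECTORY_SEPARATOR, $relative) . '.php'];
        }
        return null;
    }

    public function loadClass(string $class): bool
    {
        if (($hit = $this->resolve($class)) === null) {
            return false;
        }
        [$baseDir, $file] = $hit;
        // Require only files that exist beneath the registered directory
        // (realpath resolves symlinks, so the check is on the real location).
        $base = realpath($baseDir);
        $real = realpath($file);
        if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            return false;
        }
        require $real;
        return true;
    }
}
// Usage mirroring the answer's snippet (the directory is an assumption):
$loader = new MinimalPsr4Loader();
$loader->addNamespace('phpseclib', __DIR__ . '/phpseclib');
$loader->register();
// new \phpseclib\Crypt\RSA() would now include __DIR__ . '/phpseclib/Crypt/RSA.php'
```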
