feat : add TokenEncryptor service with sodium encryption

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/Service/TokenEncryptor.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service;
+
+use InvalidArgumentException;
+use RuntimeException;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class TokenEncryptor
+{
+    private string $key;
+
+    public function __construct(
+        #[Autowire('%env(GITEA_ENCRYPTION_KEY)%')]
+        string $encryptionKey,
+    ) {
+        if ('' === $encryptionKey) {
+            throw new InvalidArgumentException('GITEA_ENCRYPTION_KEY environment variable must be set.');
+        }
+
+        $this->key = sodium_hex2bin($encryptionKey);
+
+        if (SODIUM_CRYPTO_SECRETBOX_KEYBYTES !== mb_strlen($this->key, '8bit')) {
+            throw new InvalidArgumentException('GITEA_ENCRYPTION_KEY must be a valid sodium secret box key.');
+        }
+    }
+
+    public function encrypt(string $plaintext): string
+    {
+        $nonce      = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+        $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $this->key);
+
+        return sodium_bin2hex($nonce.$ciphertext);
+    }
+
+    public function decrypt(string $encrypted): string
+    {
+        $decoded    = sodium_hex2bin($encrypted);
+        $nonce      = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
+        $ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
+
+        $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $this->key);
+
+        if (false === $plaintext) {
+            throw new RuntimeException('Failed to decrypt token.');
+        }
+
+        return $plaintext;
+    }
+}