
Add optional claim verification

Maurits van der Schee 6 years ago
parent
commit
8cc997daff
2 changed files with 22 additions and 2 deletions
  1. 3
    0
      README.md
  2. 19
    2
      src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php

+ 3
- 0
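--- a/README.md
+++ b/README.md
@@ -165,6 +165,9 @@ You can tune the middleware behavior using middleware specific configuration par
 - "jwtAuth.leeway": The acceptable number of seconds of clock skew ("5")
 - "jwtAuth.ttl": The number of seconds the token is valid ("30")
 - "jwtAuth.secret": The shared secret used to sign the JWT token with ("")
+- "jwtAuth.algorithms": The algorithms that are allowed, empty means 'all' ("")
+- "jwtAuth.audiences": The audiences that are allowed, empty means 'all' ("")
+- "jwtAuth.issuers": The issuers that are allowed, empty means 'all' ("")
 - "basicAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "basicAuth.realm": Text to prompt when showing login ("Username and password required")
 - "basicAuth.passwordFile": The file to read for username/password combinations (".htpasswd")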

+ 19
- 2
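--- a/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
+++ b/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
@@ -9,7 +9,7 @@ use Tqdev\PhpCrudApi\Response;
 
 class JwtAuthMiddleware extends Middleware
 {
-    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret): array
+    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret, array $requirements): array
     {
         $algorithms = array('HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512');
         $token = explode('.', $token);
@@ -36,6 +36,13 @@ class JwtAuthMiddleware extends Middleware
         if (!$claims) {
             return array();
         }
+        foreach ($requirements as $field => $values) {
+            if (!empty($values)) {
+                if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
+                    return array();
+                }
+            }
+        }
         if (isset($claims['nbf']) && $time + $leeway < $claims['nbf']) {
             return array();
         }
@@ -53,16 +60,26 @@ class JwtAuthMiddleware extends Middleware
         return $claims;
     }
 
+    private function getArrayProperty(String $property, String $default): array
+    {
+        return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));
+    }
+
     private function getClaims(String $token): array
     {
         $time = (int) $this->getProperty('time', time());
         $leeway = (int) $this->getProperty('leeway', '5');
         $ttl = (int) $this->getProperty('ttl', '30');
         $secret = $this->getProperty('secret', '');
+        $requirements = array(
+            'alg' => $this->getArrayProperty('algorithms', ''),
+            'aud' => $this->getArrayProperty('audiences', ''),
+            'iss' => $this->getArrayProperty('issuers', ''),
+        );
         if (!$secret) {
             return array();
         }
-        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret);
+        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret, $requirements);
     }
 
     private function getAuthorizationToken(Request $request): String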
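Review bot: The `alg` requirement in the new loop at lines 39-45 is looked up in `$claims[$field]`, but `alg` is a JOSE header parameter rather than a payload claim, so unless the part of getVerifiedClaims between the first two hunks copies the decoded header into `$claims`, setting `jwtAuth.algorithms` will reject every token instead of restricting which HMAC variant from the `$algorithms` map on line 14 may be used; the algorithm allow-list should be applied to the header's `alg` at the point where that map is consulted, before the signature is checked. Separately, `in_array($claims[$field], $values)` uses loose comparison, so on PHP 7 a non-string claim such as `"iss": 0` compares equal to any allowed string, and an `aud` claim given as an array (permitted by RFC 7519 §4.1.3) never matches; `!in_array($claims[$field], $values, true)` fixes the first, and `aud` arrays need an explicit `array_intersect` check if they are to be supported. The body of getVerifiedClaims runs between and beyond the first two hunks, so the header-handling lines this refers to are not visible here.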
