autjwt : manage correctely if the authentication is invalid with a reject

git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@5787 bf3deb0d-5f1a-0410-827f-c0cc1f45334c

authjwt.php

@@ -12,13 +12,25 @@ require_once ("domframework/jwt.php");
   */
 class authjwt extends auth
 {
+  // PROPERTIES SET BY AUTH
   /** The JSON Web Token Server key if used
     */
   public $serverKey = null;
 
-  /** If the user is valid, return the email in details
+  /** The cipher key to decrypt the token
     */
-  private $email = null;
+  public $cipherKey = null;
+
+  /** The allowed algorithms in array format
+    * If null, all the algorithms are allowed
+    * allowed : ['HS256', 'HS512', 'HS384']
+    */
+  public $allowedAlg = null;
+
+  // INTERNAL PROPERTIES
+  /** If the user is valid, return the payload in details
+    */
+  private $payload = null;
 
   /** Save the token
     */
@@ -44,23 +56,26 @@ class authjwt extends auth
       throw new \Exception ("No Bearer Authentication available", 401);
     $token = substr ($_SERVER["HTTP_AUTHENTICATION"], 7);
     $jwt = new jwt ();
-    $payload = $jwt->decode ($token, $this->serverKey);
+    $payload = $jwt->decode ($token, $this->serverKey, $this->allowedAlg,
-    if (! key_exists ("email", $payload))
+      $this->cipherKey);
-      return null;
     // The JWT was tested in authparams. End of process
-    $this->email = $payload->email;
+    if (! empty ($payload))
-    $this->token = substr ($_SERVER["HTTP_AUTHENTICATION"], 7);
+    {
+      $this->payload = $payload;
+      $this->payload["bearer"] = substr ($_SERVER["HTTP_AUTHENTICATION"], 7);
+    }
+    if (! key_exists ("email", $this->payload))
+      throw new \Exception ("No email available in Bearer", 403);
   }
 
   /** Return all the parameters recorded for the authenticate user */
   public function getdetails ()
   {
-    if ($this->email === null)
+    if ($this->payload === null)
       return array ("lastname"  => "anonymous",
                     "firstname" => "",
                     "email"     => "anonymous");
-    return array ("email"  => $this->email,
+    return $this->payload;
-                  "bearer" => $this->token);
   }
 
   /** Method to change the password : unavailable in SESSION auth
@@ -71,8 +86,7 @@ class authjwt extends auth
   public function changepassword ($oldpassword, $newpassword)
   {
     throw new \Exception (dgettext ("domframework",
-                         "The password can't be change for JWT users"),
+    "The password can't be change for JWT users"), 405);
-                         405);
   }
 
   /** Method to overwrite the password (without oldpassword check)
@@ -84,15 +98,13 @@ class authjwt extends auth
   public function overwritepassword ($email, $newpassword)
   {
     throw new \Exception (dgettext ("domframework",
-                         "The password can't be overwrite for JWT users"),
+    "The password can't be overwrite for JWT users"), 405);
-                         405);
   }
 
   /** Remove the information from the session */
   public function logout ()
   {
     throw new \Exception (dgettext ("domframework",
-                         "The logout is not available for JWT users"),
+    "The logout is not available for JWT users"), 405);
-                         405);
   }
 }