Add authentication by JSON Web Token
git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@5287 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
This commit is contained in:
@@ -28,12 +28,14 @@ class authentication
|
||||
/** Directory to store the ratelimit files */
|
||||
public $ratelimitDir = "/tmp/ratelimit/";
|
||||
|
||||
/** The rest authentication methods. Can be http, session, post.
|
||||
/** The rest authentication methods. Can be post, session, http, shibboleth,
|
||||
* jwt
|
||||
* Attention : session case = CSRF !
|
||||
*/
|
||||
public $restMethods = array ("http");
|
||||
public $restMethods = array ("http", "jwt");
|
||||
|
||||
/** The html authentication methods. Can be http, session, post
|
||||
/** The html authentication methods. Can be : post, session, http, shibboleth,
|
||||
* jwt
|
||||
* The "post" is already used when using verifAuthLoginPage method (usually
|
||||
* only in authentication page)
|
||||
*/
|
||||
@@ -42,15 +44,21 @@ class authentication
|
||||
/** The authentication methods. Can be ldap, sympa...*/
|
||||
public $authMethods = array ();
|
||||
|
||||
/** Add the server key used to create the JSON Web Token.
|
||||
* Without it, the JWT is not added to the valid authentication page
|
||||
*/
|
||||
public $jwtServerKey = null;
|
||||
|
||||
/** The name of the JSON Web Token set in localStorage of the client browser
|
||||
* if the authentication is valid. Will be used later by JS on client with
|
||||
* Bearer authentication for REST API.
|
||||
*/
|
||||
public $jwtName = null;
|
||||
public $jwtName = "DFKJWT";
|
||||
|
||||
/** Add the server key used to create the JSON Web Token
|
||||
/** The JST Algorithm used to sign the JWT
|
||||
* Allowed algorithms : HS256, HS512, HS384
|
||||
*/
|
||||
public $jwtServerKey = null;
|
||||
public $jwtAlgorithm = "HS256";
|
||||
|
||||
/** The authentication servers configuration
|
||||
* array ("authXXXX" => array (
|
||||
@@ -140,15 +148,16 @@ class authentication
|
||||
if (session_id () === "")
|
||||
session_start ();
|
||||
$auth = new auth ();
|
||||
$pre = new authparams (array ("session"));
|
||||
$authparams = new authparams (array ("session"));
|
||||
$authparams->jwtServerKey = $this->jwtServerKey;
|
||||
if (isset ($_SESSION["domframework"]["authentication"]["message"]))
|
||||
$message = $_SESSION["domframework"]["authentication"]["message"];
|
||||
else
|
||||
$message = "";
|
||||
unset ($_SESSION["domframework"]["authentication"]["message"]);
|
||||
$alreadyAuth = false;
|
||||
if ($pre->email !== "anonymous")
|
||||
$alreadyAuth = $pre->email;
|
||||
if ($authparams->email !== "anonymous")
|
||||
$alreadyAuth = $authparams->email;
|
||||
if ($this->appName !== null)
|
||||
$auth->appName = $this->appName;
|
||||
@header ('X-Frame-Options: SAMEORIGIN');
|
||||
@@ -229,16 +238,16 @@ class authentication
|
||||
$session = new authsession ();
|
||||
$session->savedata ($authparams->email, $authparams->password,
|
||||
$res["lastname"], $res["firstname"]);
|
||||
if ($this->jwtName !== null)
|
||||
if ($this->jwtServerKey !== null)
|
||||
{
|
||||
// Set the JSON Web Token as the authentication is valid
|
||||
if ($this->jwtServerKey === null)
|
||||
throw new \Exception ("No authentication::jwtServerKey provided", 500);
|
||||
require_once ("domframework/jwt.php");
|
||||
$payloadArray = array();
|
||||
$payloadArray['nbf'] = date ("Y-m-d H:i:s");
|
||||
$payloadArray['exp'] = date ("Y-m-d H:i:s", time () + 86400);
|
||||
$token = jwt::encode ($payloadArray, $this->jwtServerKey);
|
||||
$payloadArray['nbf'] = gmdate ("Y-m-d H:i:s");
|
||||
$payloadArray["email"] = $authparams->email;
|
||||
$jwt = new jwt ();
|
||||
$token = $jwt->encode ($payloadArray, $this->jwtServerKey,
|
||||
$this->jwtAlgorithm);
|
||||
if ($this->route->debug)
|
||||
echo "<tt>Set the JSON Web Token '$this->jwtName' with value '$token'".
|
||||
"</tt><br/>\n";
|
||||
@@ -261,6 +270,7 @@ class authentication
|
||||
echo "=== entering verifAuthREST (restMethods=".
|
||||
print_r ($this->restMethods, true).")\n";
|
||||
$authparams = new authparams ($this->restMethods);
|
||||
$authparams->jwtServerKey = $this->jwtServerKey;
|
||||
$res = array ("email"=>"anonymous", "password"=>"anonymous");
|
||||
if ($authparams->email !== "anonymous" &&
|
||||
$authparams->password !== "anonymous")
|
||||
@@ -291,6 +301,7 @@ class authentication
|
||||
echo "=== entering verifAuthHTML (htmlMethods=".
|
||||
print_r ($this->htmlMethods, true).")\n";
|
||||
$authparams = new authparams ($this->htmlMethods);
|
||||
$authparams->jwtServerKey = $this->jwtServerKey;
|
||||
// Don't ask to the provider if anonymous is known
|
||||
if ($authparams->email === "anonymous" || $authparams->email === null)
|
||||
{
|
||||
|
||||
77
authjwt.php
Normal file
77
authjwt.php
Normal file
@@ -0,0 +1,77 @@
|
||||
<?php
|
||||
/** DomFramework
|
||||
* @package domframework
|
||||
* @author Dominique Fournier <dominique@fournier38.fr>
|
||||
*/
|
||||
|
||||
/** User authentication against JSON Web Token */
|
||||
class authjwt extends auth
|
||||
{
|
||||
/** If the user is valid, return the email in details
|
||||
*/
|
||||
private $email = null;
|
||||
/** No connection to JWT */
|
||||
public function connect ()
|
||||
// {{{
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
// }}}
|
||||
|
||||
/** Try to authenticate the email/password of the user
|
||||
* @param string $email Email to authenticate
|
||||
* @param string $password Password to authenticate
|
||||
*/
|
||||
public function authentication ($email, $password)
|
||||
{
|
||||
if (! isset ($_SERVER["HTTP_AUTHENTICATION"]))
|
||||
throw new \Exception ("No Authentication available", 401);
|
||||
if (substr ($_SERVER["HTTP_AUTHENTICATION"], 0, 7) !== "Bearer")
|
||||
throw new \Exception ("No Bearer Authentication available", 401);
|
||||
// The JWT was tested in authparams. End of process
|
||||
$this->email = $email;
|
||||
}
|
||||
|
||||
/** Return all the parameters recorded for the authenticate user */
|
||||
public function getdetails ()
|
||||
{
|
||||
if ($email === null)
|
||||
return array ("lastname" => "anonymous",
|
||||
"firstname" => "",
|
||||
"email" => "anonymous");
|
||||
return array ("email" => $this->email);
|
||||
}
|
||||
|
||||
/** Method to change the password : unavailable in SESSION auth
|
||||
* @param string $oldpassword The old password (to check if the user have the
|
||||
* rights to change the password)
|
||||
* @param string $newpassword The new password to be recorded
|
||||
*/
|
||||
public function changepassword ($oldpassword, $newpassword)
|
||||
{
|
||||
throw new \Exception (dgettext ("domframework",
|
||||
"The password can't be change for JWT users"),
|
||||
405);
|
||||
}
|
||||
|
||||
/** Method to overwrite the password (without oldpassword check)
|
||||
* Must be reserved to the administrators. For the users, use changepassword
|
||||
* method
|
||||
* @param string $email the user identifier to select
|
||||
* @param string $newpassword The new password to be recorded
|
||||
*/
|
||||
public function overwritepassword ($email, $newpassword)
|
||||
{
|
||||
throw new \Exception (dgettext ("domframework",
|
||||
"The password can't be overwrite for JWT users"),
|
||||
405);
|
||||
}
|
||||
|
||||
/** Remove the information from the session */
|
||||
public function logout ()
|
||||
{
|
||||
throw new \Exception (dgettext ("domframework",
|
||||
"The logout is not available for JWT users"),
|
||||
405);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user