diff --git a/authparams.php b/authparams.php
index 620fc27..5825fc7 100644
--- a/authparams.php
+++ b/authparams.php
@@ -11,6 +11,8 @@ class authparams
   public $email = null;
   /** The password of the user when provided */
   public $password = null;
+  /** The JSON Web Token Server key if used */
+  public $jwtServerKey = null;
 
   /** Parse the different authentication processes to found the email/password
    * of the user.
@@ -18,6 +20,7 @@ class authparams
    * @param array|null $authprocesses The authentication process to use
    */
   public function __construct ($authprocesses = array ("session", "post"))
+  // {{{
   {
     if (php_sapi_name () === "cli")
     {
@@ -43,30 +46,39 @@ class authparams
       }
     }
   }
+  // }}}
 
-  /** Get information from $POST variables */
-  public function post()
+  /** Get information from $POST variables
+   */
+  public function post ()
+  // {{{
   {
     if (!isset ($_POST["email"]) || !isset ($_POST["password"]))
-      throw new \Exception ("No POST provided", 401);
+      throw new \Exception ("No POST provided", 403);
     return array ("email"=>trim ($_POST["email"]),
                   "password"=>$_POST["password"]);
   }
+  // }}}
 
-  /** Get information from previous recorded session */
-  public function session()
+  /** Get information from previous recorded session
+   */
+  public function session ()
+  // {{{
   {
     if (!isset ($_SESSION))
-      throw new \Exception ("No session previously opened", 401);
+      throw new \Exception ("No session previously opened", 403);
     if (!isset ($_SESSION["domframework"]["auth"]["email"]) ||
         !isset ($_SESSION["domframework"]["auth"]["password"]))
-      throw new \Exception ("No previous email in session", 401);
+      throw new \Exception ("No previous email in session", 403);
     return array ("email"=>$_SESSION["domframework"]["auth"]["email"],
                   "password"=>$_SESSION["domframework"]["auth"]["password"]);
   }
+  // }}}
 
-  /** Get information from a HTTP authentication */
-  public function http()
+  /** Get information from a HTTP authentication
+   */
+  public function http ()
+  // {{{
   {
     $realm = dgettext ("domframework", "Restricted access");
 
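Review bot: Switching the "no credentials supplied" exceptions in post() and session() from 401 to 403 inverts the HTTP meaning of the codes: 401 is the status for "authentication required, none (or bad) credentials given", while 403 says the caller is identified but not allowed, and the jwt() method added later in this same commit still throws 401 for a missing header, so the class now uses both codes for the same condition. If the intent is to keep this status from reaching the client as a bare 401 that would pop a browser Basic-auth prompt, that reason should be written next to the codes, e.g. `// 403 rather than 401: these paths never send WWW-Authenticate, see http()`; otherwise keep 401 here or change jwt() to match so callers can map the code consistently. The rewritten docblocks would also be the place to state that post() trims the email but returns the password exactly as submitted, since that asymmetry is easy to miss. The body of http() continues past the end of this hunk.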
@@ -85,15 +97,41 @@ class authparams
                   "password"=>$_SERVER["PHP_AUTH_PW"]);
     }
   }
+  // }}}
 
-  /** Get the information from a shibboleth provider */
+  /** Get the information from a shibboleth provider
+   */
   public function shibboleth ()
+  // {{{
   {
     if (! isset ($_SERVER["Shib-Session-ID"]))
-      throw new \Exception ("No Shibboleth information available", 401);
+      throw new \Exception ("No Shibboleth information available", 403);
     if (! isset ($_SERVER["mail"]))
-      throw new \Exception ("No Shibboleth email provided", 401);
+      throw new \Exception ("No Shibboleth email provided", 403);
     return array ("email"=>$_SERVER["mail"],
                   "password"=>"NONE IN SHIBBOLETH");
   }
+  // }}}
+
+  /** Get the information from a JSON Web Token
+   * The token MUST be set in HTTP Header :
+   * Authorization: Bearer
+   */
+  public function jwt ()
+  // {{{
+  {
+    if (! isset ($_SERVER["HTTP_AUTHENTICATION"]))
+      throw new \Exception ("No Authentication available", 401);
+    if (substr ($_SERVER["HTTP_AUTHENTICATION"], 0, 7) !== "Bearer")
+      throw new \Exception ("No Bearer Authentication available", 401);
+    $token = substr ($_SERVER["HTTP_AUTHENTICATION"], 7);
+    require_once ("domframework/jwt.php");
+    $jwt = new jwt ();
+    $payload = decode ($token, $this->jwtServerKey);
+    if (! key_exists ("email", $payload))
+      throw new \Exception ("Invalid JSON Web Token : no email provided", 403);
+    return array ("email" => $payload["email"],
+                  "password" => "NONE IN JWT");
+  }
+  // }}}
 }
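Review bot: The new jwt() method reads `$_SERVER["HTTP_AUTHENTICATION"]`, but the header its own docblock asks for, `Authorization: Bearer …`, is exposed by PHP as `$_SERVER["HTTP_AUTHORIZATION"]` (and on Apache/CGI deployments only when the server is configured to forward it), so the token is never seen. Two more lines make the method non-functional even with the right header: `substr (…, 0, 7)` yields the seven characters `"Bearer "` including the space and can never be `=== "Bearer"`, so every request is rejected with 401, and `decode ($token, $this->jwtServerKey)` calls an undefined global function instead of a method on the `$jwt` object constructed one line earlier (presumably `$jwt->decode (…)` — confirm against domframework/jwt.php). Because the email taken from the payload becomes the authenticated identity, the method should also refuse to decode while `$this->jwtServerKey` is still null and check that the payload is an array before `key_exists`, and whoever wires this up should confirm that the jwt class verifies the signature and rejects the `none` algorithm, since nothing in this hunk shows that. A rewrite of the header handling is below; the class closes at the end of this hunk.
```php
  public function jwt ()
  // {{{
  {
    // PHP exposes "Authorization: ..." as HTTP_AUTHORIZATION (some servers must be
    // told to forward it); HTTP_AUTHENTICATION is never populated.
    if (! isset ($_SERVER["HTTP_AUTHORIZATION"]))
      throw new \Exception ("No Authentication available", 401);
    $header = $_SERVER["HTTP_AUTHORIZATION"];
    // RFC 6750: the scheme name is case-insensitive and is followed by a space
    if (strncasecmp ($header, "Bearer ", 7) !== 0)
      throw new \Exception ("No Bearer Authentication available", 401);
    $token = trim (substr ($header, 7));
    // Never verify against a missing key: an unset key must not accept any token
    if ($token === "" || $this->jwtServerKey === null)
      throw new \Exception ("No Bearer Authentication available", 401);
    require_once ("domframework/jwt.php");
    $jwt = new jwt ();
    // Presumably the jwt instance method; confirm it checks the signature and rejects alg "none"
    $payload = $jwt->decode ($token, $this->jwtServerKey);
    if (! is_array ($payload) || ! array_key_exists ("email", $payload))
      throw new \Exception ("Invalid JSON Web Token : no email provided", 403);
    // … unchanged: return array ("email" => ..., "password" => "NONE IN JWT") …
  }
  // }}}
```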