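*/
require_once ("domframework/jwt.php");

/** User authentication against a JSON Web Token carried in the
 * "Authentication: Bearer <token>" request header.
 * To use it, the $serverKey must be defined. It should come from a CSPRNG,
 * by example $serverKey = bin2hex (random_bytes (32)); a value derived from
 * the clock such as sha1 (microtime (true)) is guessable and must not be
 * used as a signing key.
 */
class authjwt extends auth
{
  // PROPERTIES SET BY AUTH
  /** The JSON Web Token Server key if used */
  public $serverKey = null;
  /** The cipher key to decrypt the token */
  public $cipherKey = null;
  /** The allowed algorithms in array format
   * If null, all the algorithms are allowed : the choice is then left to
   * whatever jwt::decode accepts from the token header. Pin it to the
   * expected algorithm(s) in production, by example ['HS256', 'HS512', 'HS384']
   */
  public $allowedAlg = null;

  // INTERNAL PROPERTIES
  /** If the user is valid, the decoded payload (array). Null until
   * authentication () succeeded */
  private $payload = null;
  /** The raw bearer token extracted from the header, saved by
   * authentication () */
  private $token = null;

  /** No connection to JWT : nothing to open, always succeeds
   * @return bool TRUE
   */
  public function connect () // {{{
  {
    return TRUE;
  } // }}}

  /** Try to authenticate the request from its Bearer token
   * If the token is valid, all the data available in payload are recorded
   * (plus a "bearer" entry holding the raw token). The payload may not
   * contain an email attribute !
   * @param string $email Email not used (wait for Bearer)
   * @param string $password Password not used (wait for Bearer)
   * @throws \Exception 401 if no Bearer header is present, 403 if the token
   *                    decodes to an empty payload. Errors raised by
   *                    jwt::decode itself are propagated unchanged.
   */
  public function authentication ($email, $password) // {{{
  {
    // NOTE(review): the header read here is the non-standard "Authentication"
    // (HTTP_AUTHENTICATION), not the standard "Authorization"
    // (HTTP_AUTHORIZATION). Confirm this is the intended contract with the
    // clients before changing it.
    if (! isset ($_SERVER["HTTP_AUTHENTICATION"]))
      throw new \Exception ("No Authentication available", 401);
    $header = $_SERVER["HTTP_AUTHENTICATION"];
    // The scheme comparison is case-sensitive (RFC 7235 treats the scheme as
    // case-insensitive) ; kept as is to not widen the accepted input
    if (substr ($header, 0, 7) !== "Bearer ")
      throw new \Exception ("No Bearer Authentication available", 401);
    // Cast : substr returns false instead of "" on PHP < 8 when nothing
    // follows the scheme
    $token = (string) substr ($header, 7);
    // Reject an empty token early rather than handing "" to the decoder
    if ($token === "")
      throw new \Exception ("No Bearer Authentication available", 401);
    $jwt = new jwt ();
    // Signature / decryption / algorithm checks are delegated to jwt::decode
    $payload = $jwt->decode ($token, $this->serverKey, $this->allowedAlg,
                             $this->cipherKey);
    // The JWT was tested in authparams. End of process
    if (empty ($payload))
    {
      $this->payload = ["lastname" => "anonymous", "firstname" => "",
                        "email" => "anonymous"];
      throw new \Exception ("No email available in Bearer", 403);
    }
    $this->token = $token;
    $this->payload = (array) $payload;
    $this->payload["bearer"] = $token;
  } // }}}

  /** Return all the parameters recorded for the authenticated user
   * @return array|null The decoded payload, the anonymous record if the last
   *                    authentication failed, or null if authentication ()
   *                    was never called
   */
  public function getdetails () // {{{
  {
    // isset guards against a payload without "email" claim (allowed, see
    // authentication) and against a null payload : both previously raised a
    // notice on the array offset
    if (isset ($this->payload["email"]) &&
        $this->payload["email"] === "anonymous")
      return ["lastname" => "anonymous", "firstname" => "",
              "email" => "anonymous"];
    return $this->payload;
  } // }}}

  /** Method to change the password : unavailable in JWT auth
   * @param string $oldpassword The old password (to check if the user have the
   * rights to change the password)
   * @param string $newpassword The new password to be recorded
   * @throws \Exception Always, code 405
   */
  public function changepassword ($oldpassword, $newpassword) // {{{
  {
    throw new \Exception (dgettext ("domframework",
      "The password can't be change for JWT users"), 405);
  } // }}}

  /** Method to overwrite the password (without oldpassword check)
   * Must be reserved to the administrators. For the users, use changepassword
   * method. Unavailable in JWT auth.
   * @param string $email the user identifier to select
   * @param string $newpassword The new password to be recorded
   * @throws \Exception Always, code 405
   */
  public function overwritepassword ($email, $newpassword) // {{{
  {
    throw new \Exception (dgettext ("domframework",
      "The password can't be overwrite for JWT users"), 405);
  } // }}}

  /** Remove the information from the session : unavailable in JWT auth, the
   * token stays valid until it expires on its own
   * @throws \Exception Always, code 405
   */
  public function logout () // {{{
  {
    throw new \Exception (dgettext ("domframework",
      "The logout is not available for JWT users"), 405);
  } // }}}
}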