185 lines
5.6 KiB
PHP
185 lines
5.6 KiB
PHP
<?php
|
|
/** DomFramework
|
|
* @package domframework
|
|
* @author Dominique Fournier <dominique@fournier38.fr>
|
|
* @license BSD
|
|
*/
|
|
|
|
namespace Domframework;
|
|
|
|
/*
|
|
* To use it, the $serverKey must be defined. It can be created by example,
|
|
* by using $serverKey = sha1 (microtime (true));
|
|
*/
|
|
class Authjwt extends Auth
|
|
{
|
|
// PROPERTIES SET BY AUTH
|
|
/** The JSON Web Token Server key if used
|
|
*/
|
|
public $serverKey = null;
|
|
|
|
/** The cipher key to decrypt the token
|
|
*/
|
|
public $cipherKey = null;
|
|
|
|
/** The allowed algorithms in array format
|
|
* If null, all the algorithms are allowed
|
|
* allowed : ['HS256', 'HS512', 'HS384']
|
|
*/
|
|
public $allowedAlg = null;
|
|
|
|
/** The algorithm to use, in $allowedAlg list
|
|
*/
|
|
public $algorithm = "HS256";
|
|
|
|
/** The directory to store the user credentials
|
|
*/
|
|
public $cacheDir = "data/jwtCache";
|
|
|
|
// INTERNAL PROPERTIES
|
|
/** If the user is valid, return the payload in details
|
|
*/
|
|
private $payload = null;
|
|
|
|
/** Save the token
|
|
*/
|
|
private $token = null;
|
|
|
|
/** No connection to JWT
|
|
*/
|
|
public function connect ()
|
|
// {{{
|
|
{
|
|
return TRUE;
|
|
}
|
|
// }}}
|
|
|
|
/** Try to authenticate the email/password of the user
|
|
* If the token is valid, return all the data available in payload. Can
|
|
* return a value without email attribute !
|
|
* @param string $email Email not used (wait for Bearer)
|
|
* @param string $password Password not used (wait for Bearer)
|
|
*/
|
|
public function authentication ($email, $password)
|
|
// {{{
|
|
{
|
|
if (! isset ($_SERVER["HTTP_AUTHENTICATION"]))
|
|
throw new \Exception (dgettext ("domframework",
|
|
"No Authentication available"), 401);
|
|
if (substr ($_SERVER["HTTP_AUTHENTICATION"], 0, 7) !== "Bearer ")
|
|
throw new \Exception (dgettext ("domframework",
|
|
"No Bearer Authentication available"), 401);
|
|
$token = substr ($_SERVER["HTTP_AUTHENTICATION"], 7);
|
|
$jwt = new Jwt ();
|
|
$uuid = $jwt->decode ($token, $this->serverKey, $this->allowedAlg,
|
|
$this->cipherKey);
|
|
$cachefile = new Cachefile ();
|
|
$cachefile->directory = $this->cacheDir;
|
|
$payload = $cachefile->read ((string)$uuid);
|
|
// The JWT was tested in authparams. End of process
|
|
if (empty ($uuid) || empty ($payload) || ! key_exists ("email", $payload))
|
|
{
|
|
return array ("lastname" => "anonymous",
|
|
"firstname" => "",
|
|
"email" => "anonymous");
|
|
}
|
|
$this->payload = $payload;
|
|
return $payload;
|
|
}
|
|
// }}}
|
|
|
|
/** Return all the parameters recorded for the authenticate user
|
|
*/
|
|
public function getdetails ()
|
|
// {{{
|
|
{
|
|
if (! is_array ($this->payload) ||
|
|
key_exists ("email", $this->payload) &&
|
|
$this->payload["email"] === "anonymous")
|
|
return array ("lastname" => "anonymous",
|
|
"firstname" => "",
|
|
"email" => "anonymous");
|
|
return $this->payload;
|
|
}
|
|
// }}}
|
|
|
|
/** Save the auth data in cache directory and return the JWT token
|
|
* Do not allow to store data if the $auth is anonymous
|
|
* @param array $auth The authentication to save
|
|
* @return string JWT token
|
|
*/
|
|
public function createJwtToken ($auth)
|
|
// {{{
|
|
{
|
|
if ($this->serverKey === null)
|
|
return "";
|
|
if (! key_exists ("email", $auth))
|
|
throw new \Exception (dgettext ("domframework",
|
|
"AuthJWT : No email available in auth"), 403);
|
|
if ($auth["email"] === "anonymous")
|
|
throw new \Exception (dgettext ("domframework",
|
|
"AuthJWT : can not create token for anonymous"), 403);
|
|
$uuid = Uuid::uuid4 ();
|
|
$cachefile = new Cachefile ();
|
|
$cachefile->directory = $this->cacheDir;
|
|
$cachefile->write ($uuid, $auth);
|
|
$jwt = new Jwt ();
|
|
return $jwt->encode ($uuid,
|
|
$this->serverKey, $this->algorithm, $this->cipherKey);
|
|
}
|
|
// }}}
|
|
|
|
/** Method to change the password : unavailable in SESSION auth
|
|
* @param string $oldpassword The old password (to check if the user have the
|
|
* rights to change the password)
|
|
* @param string $newpassword The new password to be recorded
|
|
*/
|
|
public function changepassword ($oldpassword, $newpassword)
|
|
// {{{
|
|
{
|
|
throw new \Exception (dgettext ("domframework",
|
|
"The password can't be change for JWT users"), 405);
|
|
}
|
|
// }}}
|
|
|
|
/** Method to overwrite the password (without oldpassword check)
|
|
* Must be reserved to the administrators. For the users, use changepassword
|
|
* method
|
|
* @param string $email the user identifier to select
|
|
* @param string $newpassword The new password to be recorded
|
|
*/
|
|
public function overwritepassword ($email, $newpassword)
|
|
// {{{
|
|
{
|
|
throw new \Exception (dgettext ("domframework",
|
|
"The password can't be overwrite for JWT users"), 405);
|
|
}
|
|
// }}}
|
|
|
|
/** Remove the information from the session
|
|
*/
|
|
public function logout ()
|
|
// {{{
|
|
{
|
|
if (! isset ($_SERVER["HTTP_AUTHENTICATION"]))
|
|
throw new \Exception (dgettext ("domframework",
|
|
"No Authentication available"), 401);
|
|
if (substr ($_SERVER["HTTP_AUTHENTICATION"], 0, 7) !== "Bearer ")
|
|
throw new \Exception (dgettext ("domframework",
|
|
"No Bearer Authentication available"), 401);
|
|
$token = substr ($_SERVER["HTTP_AUTHENTICATION"], 7);
|
|
$jwt = new Jwt ();
|
|
$uuid = $jwt->decode ($token, $this->serverKey, $this->allowedAlg,
|
|
$this->cipherKey);
|
|
$cachefile = new Cachefile ();
|
|
$cachefile->directory = $this->cacheDir;
|
|
$payload = $cachefile->read ((string)$uuid);
|
|
if (empty ($uuid) || empty ($payload) || ! key_exists ("email", $payload))
|
|
throw new \Exception (dgettext ("domframework",
|
|
"Can not found the token : no logout"), 403);
|
|
$cachefile->delete ($uuid);
|
|
return true;
|
|
}
|
|
// }}}
|
|
}
|