|
- <?php
-
- namespace dokuwiki;
-
- /**
- * Minimal JWT implementation
- */
- class JWT
- {
- protected $user;
- protected $issued;
- protected $secret;
-
- /**
- * Create a new JWT object
- *
- * Use validate() or create() to create a new instance
- *
- * @param string $user
- * @param int $issued
- */
- protected function __construct($user, $issued)
- {
- $this->user = $user;
- $this->issued = $issued;
- }
-
- /**
- * Load the cookiesalt as secret
- *
- * @return string
- */
- protected static function getSecret()
- {
- return auth_cookiesalt(false, true);
- }
-
- /**
- * Create a new instance from a token
- *
- * @param $token
- * @return self
- * @throws \Exception
- */
- public static function validate($token)
- {
- [$header, $payload, $signature] = sexplode('.', $token, 3, '');
- $signature = base64_decode($signature);
-
- if (!hash_equals($signature, hash_hmac('sha256', "$header.$payload", self::getSecret(), true))) {
- throw new \Exception('Invalid JWT signature');
- }
-
- try {
- $header = json_decode(base64_decode($header), true, 512, JSON_THROW_ON_ERROR);
- $payload = json_decode(base64_decode($payload), true, 512, JSON_THROW_ON_ERROR);
- } catch (\Exception $e) {
- throw new \Exception('Invalid JWT', $e->getCode(), $e);
- }
-
- if (!$header || !$payload || !$signature) {
- throw new \Exception('Invalid JWT');
- }
-
- if ($header['alg'] !== 'HS256') {
- throw new \Exception('Unsupported JWT algorithm');
- }
- if ($header['typ'] !== 'JWT') {
- throw new \Exception('Unsupported JWT type');
- }
- if ($payload['iss'] !== 'dokuwiki') {
- throw new \Exception('Unsupported JWT issuer');
- }
- if (isset($payload['exp']) && $payload['exp'] < time()) {
- throw new \Exception('JWT expired');
- }
-
- $user = $payload['sub'];
- $file = self::getStorageFile($user);
- if (!file_exists($file)) {
- throw new \Exception('JWT not found, maybe it expired?');
- }
-
- if (file_get_contents($file) !== $token) {
- throw new \Exception('JWT invalid, maybe it expired?');
- }
-
- return new self($user, $payload['iat']);
- }
-
- /**
- * Create a new instance from a user
- *
- * Loads an existing token if available
- *
- * @param $user
- * @return self
- */
- public static function fromUser($user)
- {
- $file = self::getStorageFile($user);
-
- if (file_exists($file)) {
- try {
- return self::validate(io_readFile($file));
- } catch (\Exception $ignored) {
- }
- }
-
- $token = new self($user, time());
- $token->save();
- return $token;
- }
-
-
- /**
- * Get the JWT token for this instance
- *
- * @return string
- */
- public function getToken()
- {
- $header = [
- 'alg' => 'HS256',
- 'typ' => 'JWT',
- ];
- $header = base64_encode(json_encode($header));
-
- $payload = [
- 'iss' => 'dokuwiki',
- 'sub' => $this->user,
- 'iat' => $this->issued,
- ];
- $payload = base64_encode(json_encode($payload, JSON_THROW_ON_ERROR));
-
- $signature = hash_hmac('sha256', "$header.$payload", self::getSecret(), true);
- $signature = base64_encode($signature);
- return "$header.$payload.$signature";
- }
-
- /**
- * Save the token for the user
- *
- * Resets the issued timestamp
- */
- public function save()
- {
- $this->issued = time();
- io_saveFile(self::getStorageFile($this->user), $this->getToken());
- }
-
- /**
- * Get the user of this token
- *
- * @return string
- */
- public function getUser()
- {
- return $this->user;
- }
-
- /**
- * Get the issued timestamp of this token
- *
- * @return int
- */
- public function getIssued()
- {
- return $this->issued;
- }
-
- /**
- * Get the storage file for this token
- *
- * Tokens are stored to be able to invalidate them
- *
- * @param string $user The user the token is for
- * @return string
- */
- public static function getStorageFile($user)
- {
- return getCacheName($user, '.token');
- }
- }
|
