[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  namespace dokuwiki;
   4  
   5  /**
   6   * Minimal JWT implementation
   7   */
   8  class JWT
   9  {
  10      protected $user;
  11      protected $issued;
  12      protected $secret;
  13  
  14      /**
  15       * Create a new JWT object
  16       *
  17       * Use validate() or create() to create a new instance
  18       *
  19       * @param string $user
  20       * @param int $issued
  21       */
  22      protected function __construct($user, $issued)
  23      {
  24          $this->user = $user;
  25          $this->issued = $issued;
  26      }
  27  
  28      /**
  29       * Load the cookiesalt as secret
  30       *
  31       * @return string
  32       */
  33      protected static function getSecret()
  34      {
  35          return auth_cookiesalt(false, true);
  36      }
  37  
  38      /**
  39       * Create a new instance from a token
  40       *
  41       * @param $token
  42       * @return self
  43       * @throws \Exception
  44       */
  45      public static function validate($token)
  46      {
  47          [$header, $payload, $signature] = sexplode('.', $token, 3, '');
  48          $signature = base64_decode($signature);
  49  
  50          if (!hash_equals($signature, hash_hmac('sha256', "$header.$payload", self::getSecret(), true))) {
  51              throw new \Exception('Invalid JWT signature');
  52          }
  53  
  54          try {
  55              $header = json_decode(base64_decode($header), true, 512, JSON_THROW_ON_ERROR);
  56              $payload = json_decode(base64_decode($payload), true, 512, JSON_THROW_ON_ERROR);
  57          } catch (\Exception $e) {
  58              throw new \Exception('Invalid JWT', $e->getCode(), $e);
  59          }
  60  
  61          if (!$header || !$payload || !$signature) {
  62              throw new \Exception('Invalid JWT');
  63          }
  64  
  65          if ($header['alg'] !== 'HS256') {
  66              throw new \Exception('Unsupported JWT algorithm');
  67          }
  68          if ($header['typ'] !== 'JWT') {
  69              throw new \Exception('Unsupported JWT type');
  70          }
  71          if ($payload['iss'] !== 'dokuwiki') {
  72              throw new \Exception('Unsupported JWT issuer');
  73          }
  74          if (isset($payload['exp']) && $payload['exp'] < time()) {
  75              throw new \Exception('JWT expired');
  76          }
  77  
  78          $user = $payload['sub'];
  79          $file = self::getStorageFile($user);
  80          if (!file_exists($file)) {
  81              throw new \Exception('JWT not found, maybe it expired?');
  82          }
  83  
  84          if (file_get_contents($file) !== $token) {
  85              throw new \Exception('JWT invalid, maybe it expired?');
  86          }
  87  
  88          return new self($user, $payload['iat']);
  89      }
  90  
  91      /**
  92       * Create a new instance from a user
  93       *
  94       * Loads an existing token if available
  95       *
  96       * @param $user
  97       * @return self
  98       */
  99      public static function fromUser($user)
 100      {
 101          $file = self::getStorageFile($user);
 102  
 103          if (file_exists($file)) {
 104              try {
 105                  return self::validate(io_readFile($file));
 106              } catch (\Exception $ignored) {
 107              }
 108          }
 109  
 110          $token = new self($user, time());
 111          $token->save();
 112          return $token;
 113      }
 114  
 115  
 116      /**
 117       * Get the JWT token for this instance
 118       *
 119       * @return string
 120       */
 121      public function getToken()
 122      {
 123          $header = [
 124              'alg' => 'HS256',
 125              'typ' => 'JWT',
 126          ];
 127          $header = base64_encode(json_encode($header));
 128  
 129          $payload = [
 130              'iss' => 'dokuwiki',
 131              'sub' => $this->user,
 132              'iat' => $this->issued,
 133          ];
 134          $payload = base64_encode(json_encode($payload, JSON_THROW_ON_ERROR));
 135  
 136          $signature = hash_hmac('sha256', "$header.$payload", self::getSecret(), true);
 137          $signature = base64_encode($signature);
 138          return "$header.$payload.$signature";
 139      }
 140  
 141      /**
 142       * Save the token for the user
 143       *
 144       * Resets the issued timestamp
 145       */
 146      public function save()
 147      {
 148          $this->issued = time();
 149          io_saveFile(self::getStorageFile($this->user), $this->getToken());
 150      }
 151  
 152      /**
 153       * Get the user of this token
 154       *
 155       * @return string
 156       */
 157      public function getUser()
 158      {
 159          return $this->user;
 160      }
 161  
 162      /**
 163       * Get the issued timestamp of this token
 164       *
 165       * @return int
 166       */
 167      public function getIssued()
 168      {
 169          return $this->issued;
 170      }
 171  
 172      /**
 173       * Get the storage file for this token
 174       *
 175       * Tokens are stored to be able to invalidate them
 176       *
 177       * @param string $user The user the token is for
 178       * @return string
 179       */
 180      public static function getStorageFile($user)
 181      {
 182          return getCacheName($user, '.token');
 183      }
 184  }