feat: add token purpose for fragmented security

Author: mychidarko

src/Auth.php

@@ -763,7 +763,7 @@ public function parseToken()
      * @param string $token The token to verify
      * @return User|null
      */
-    public function verifyToken(string $token)
+    public function verifyToken(string $token, ?string $purpose = null)
     {
         try {
             $decodedToken = (array) JWT::decode(
@@ -788,6 +788,11 @@ public function verifyToken(string $token)
                 return null;
             }
 
+            if ($purpose && (!isset($decodedToken['token.purpose']) || $decodedToken['token.purpose'] !== $purpose)) {
+                $this->errorsArray['token'] = 'Invalid token';
+                return null;
+            }
+
             return $user;
         } catch (\Throwable $th) {
             $this->errorsArray['token'] = $th->getMessage();

src/Auth/User.php

@@ -154,9 +154,10 @@ public function generateToken($tokenLifetime): string
     /**
      * Generate a verification token for the user
      * @param mixed $expiresIn Token expiration time
+     * @param string|null $purpose Purpose of the token
      * @return string
      */
-    public function generateVerificationToken($expiresIn = null): string
+    public function generateVerificationToken($expiresIn = null, ?string $purpose = null): string
     {
         $userIdKey = Config::get('id.key');
         $secretPhrase = Config::get('token.secret') . '-verification';
@@ -169,6 +170,10 @@ public function generateVerificationToken($expiresIn = null): string
             'iss' => $_SERVER['HTTP_HOST'] ?? 'localhost',
         ];
 
+        if ($purpose) {
+            $payload['token.purpose'] = $purpose;
+        }
+
         return JWT::encode($payload, $secretPhrase, 'HS256');
     }