Merge branch 'master' of github.com:mevdschee/php-crud-api

Author: mevdschee

README.md

@@ -162,9 +162,13 @@ You can tune the middleware behavior using middleware specific configuration par
 - "cors.allowCredentials": To allow credentials in the CORS request ("true")
 - "cors.maxAge": The time that the CORS grant is valid in seconds ("1728000")
 - "jwtAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
+- "jwtAuth.header": Name of the header containing the JWT token ("X-Authorization")
 - "jwtAuth.leeway": The acceptable number of seconds of clock skew ("5")
 - "jwtAuth.ttl": The number of seconds the token is valid ("30")
 - "jwtAuth.secret": The shared secret used to sign the JWT token with ("")
+- "jwtAuth.algorithms": The algorithms that are allowed, empty means 'all' ("")
+- "jwtAuth.audiences": The audiences that are allowed, empty means 'all' ("")
+- "jwtAuth.issuers": The issuers that are allowed, empty means 'all' ("")
 - "basicAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "basicAuth.realm": Text to prompt when showing login ("Username and password required")
 - "basicAuth.passwordFile": The file to read for username/password combinations (".htpasswd")
@@ -585,10 +589,12 @@ This example sends the string "username1:password1".
 
 The JWT type requires another (SSO/Identity) server to sign a token that contains claims. 
 Both servers share a secret so that they can either sign or verify that the signature is valid.
-Claims are stored in the `$_SESSION['claims']` variable.
-You need to send an "Authorization" header containing a base64 url encoded and dot separated token header, body and signature after the word "Bearer" ([read more about JWT here](https://jwt.io/)).
+Claims are stored in the `$_SESSION['claims']` variable. You need to send an "X-Authorization" 
+header containing a base64 url encoded and dot separated token header, body and signature after
+the word "Bearer" ([read more about JWT here](https://jwt.io/)). The standard says you need to
+use the "Authorization" header, but this is problematic in Apache and PHP.
 
-    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE1MzgyMDc2MDUiLCJleHAiOjE1MzgyMDc2MzV9.Z5px_GT15TRKhJCTHhDt5Z6K6LRDSFnLj8U5ok9l7gw
+    X-Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE1MzgyMDc2MDUiLCJleHAiOjE1MzgyMDc2MzV9.Z5px_GT15TRKhJCTHhDt5Z6K6LRDSFnLj8U5ok9l7gw
 
 This example sends the signed claims:
 

api.php

@@ -3261,7 +3261,7 @@ public function handle(Request $request): Response
 
 class JwtAuthMiddleware extends Middleware
 {
-    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret): array
+    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret, array $requirements): array
     {
         $algorithms = array('HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512');
         $token = explode('.', $token);
@@ -3288,6 +3288,13 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         if (!$claims) {
             return array();
         }
+        foreach ($requirements as $field => $values) {
+            if (!empty($values)) {
+                if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
+                    return array();
+                }
+            }
+        }
         if (isset($claims['nbf']) && $time + $leeway < $claims['nbf']) {
             return array();
         }
@@ -3305,21 +3312,32 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         return $claims;
     }
 
+    private function getArrayProperty(String $property, String $default): array
+    {
+        return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));
+    }
+
     private function getClaims(String $token): array
     {
         $time = (int) $this->getProperty('time', time());
         $leeway = (int) $this->getProperty('leeway', '5');
         $ttl = (int) $this->getProperty('ttl', '30');
         $secret = $this->getProperty('secret', '');
+        $requirements = array(
+            'alg' => $this->getArrayProperty('algorithms', ''),
+            'aud' => $this->getArrayProperty('audiences', ''),
+            'iss' => $this->getArrayProperty('issuers', ''),
+        );
         if (!$secret) {
             return array();
         }
-        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret);
+        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret, $requirements);
     }
 
     private function getAuthorizationToken(Request $request): String
     {
-        $parts = explode(' ', trim($request->getHeader('Authorization')), 2);
+        $header = $this->getProperty('header', 'X-Authorization');
+        $parts = explode(' ', trim($request->getHeader($header)), 2);
         if (count($parts) != 2) {
             return '';
         }

examples/clients/auth0/vanilla.html

@@ -0,0 +1,33 @@
+<html>
+<head>
+<meta charset="utf-8" /> 
+<script>
+var domain = ''; // hostname ending in '.auth0.com'
+var clientId = ''; // client id as defined in auth0
+var audience = ''; // api audience as defined in auth0
+window.onload = function () {
+    var match = RegExp('[#&]access_token=([^&]*)').exec(window.location.hash);
+    var accessToken = match && decodeURIComponent(match[1].replace(/\+/g, ' '));
+    if (!accessToken) {
+        document.location = 'https://'+domain+'/authorize?audience='+audience+'&response_type=token&client_id='+clientId+'&redirect_uri='+document.location.href;
+    } else {
+        document.location.hash = '';
+        var req = new XMLHttpRequest();
+        req.onreadystatechange = function () {
+            if (req.readyState==4) {
+                console.log(req.responseText);
+                document.getElementById('output').innerHTML = JSON.stringify(JSON.parse(req.responseText), undefined, 4);
+            }
+        }
+        url = '/api.php/records/posts?join=categories&join=tags&join=comments&filter=id,eq,1';
+        req.open("GET", url, true);
+        req.setRequestHeader('X-Authorization', 'Bearer '+accessToken);
+        req.send();
+    }
+};
+</script>
+</head>
+<body>
+<pre id="output"></pre>
+</body>
+</html>

examples/index.html

@@ -5,6 +5,7 @@
     <body>
         <h1>Example clients</h1>
         <ul>
+            <li><a href="/examples/clients/auth0/vanilla.html">Auth0 + VanillaJS</a></li>
             <li><a href="/examples/clients/vanilla.html">VanillaJS</a></li>
             <li><a href="/examples/clients/angular.html">Angular</a></li>
             <li><a href="/examples/clients/angular2.html">Angular 2</a></li>

src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php

@@ -9,7 +9,7 @@
 
 class JwtAuthMiddleware extends Middleware
 {
-    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret): array
+    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret, array $requirements): array
     {
         $algorithms = array('HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512');
         $token = explode('.', $token);
@@ -36,6 +36,13 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         if (!$claims) {
             return array();
         }
+        foreach ($requirements as $field => $values) {
+            if (!empty($values)) {
+                if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
+                    return array();
+                }
+            }
+        }
         if (isset($claims['nbf']) && $time + $leeway < $claims['nbf']) {
             return array();
         }
@@ -53,21 +60,32 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         return $claims;
     }
 
+    private function getArrayProperty(String $property, String $default): array
+    {
+        return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));
+    }
+
     private function getClaims(String $token): array
     {
         $time = (int) $this->getProperty('time', time());
         $leeway = (int) $this->getProperty('leeway', '5');
         $ttl = (int) $this->getProperty('ttl', '30');
         $secret = $this->getProperty('secret', '');
+        $requirements = array(
+            'alg' => $this->getArrayProperty('algorithms', ''),
+            'aud' => $this->getArrayProperty('audiences', ''),
+            'iss' => $this->getArrayProperty('issuers', ''),
+        );
         if (!$secret) {
             return array();
         }
-        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret);
+        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret, $requirements);
     }
 
     private function getAuthorizationToken(Request $request): String
     {
-        $parts = explode(' ', trim($request->getHeader('Authorization')), 2);
+        $header = $this->getProperty('header', 'X-Authorization');
+        $parts = explode(' ', trim($request->getHeader($header)), 2);
         if (count($parts) != 2) {
             return '';
         }