
Commit 8cc997d

committed
Add optional claim verification
1 parent 7a230fa commit 8cc997d


2 files changed

+22
-2
lines changed


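--- a/README.md
+++ b/README.md
@@ -165,6 +165,9 @@ You can tune the middleware behavior using middleware specific configuration par
 - "jwtAuth.leeway": The acceptable number of seconds of clock skew ("5")
 - "jwtAuth.ttl": The number of seconds the token is valid ("30")
 - "jwtAuth.secret": The shared secret used to sign the JWT token with ("")
+- "jwtAuth.algorithms": The algorithms that are allowed, empty means 'all' ("")
+- "jwtAuth.audiences": The audiences that are allowed, empty means 'all' ("")
+- "jwtAuth.issuers": The issuers that are allowed, empty means 'all' ("")
 - "basicAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "basicAuth.realm": Text to prompt when showing login ("Username and password required")
 - "basicAuth.passwordFile": The file to read for username/password combinations (".htpasswd")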

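--- a/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
+++ b/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
@@ -9,7 +9,7 @@
 
 class JwtAuthMiddleware extends Middleware
 {
-private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret): array
+private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret, array $requirements): array
 {
 $algorithms = array('HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512');
 $token = explode('.', $token);
@@ -36,6 +36,13 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
 if (!$claims) {
 return array();
 }
+foreach ($requirements as $field => $values) {
+if (!empty($values)) {
+if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
+return array();
+}
+}
+}
 if (isset($claims['nbf']) && $time + $leeway < $claims['nbf']) {
 return array();
 }
@@ -53,16 +60,26 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
 return $claims;
 }
 
+private function getArrayProperty(String $property, String $default): array
+{
+return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));
+}
+
 private function getClaims(String $token): array
 {
 $time = (int) $this->getProperty('time', time());
 $leeway = (int) $this->getProperty('leeway', '5');
 $ttl = (int) $this->getProperty('ttl', '30');
 $secret = $this->getProperty('secret', '');
+$requirements = array(
+'alg' => $this->getArrayProperty('algorithms', ''),
+'aud' => $this->getArrayProperty('audiences', ''),
+'iss' => $this->getArrayProperty('issuers', ''),
+);
 if (!$secret) {
 return array();
 }
-return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret);
+return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret, $requirements);
 }
 
 private function getAuthorizationToken(Request $request): String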
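Review bot: The allow-list loop added at new lines 39-45 compares the decoded claim against the configured strings with a loose `in_array`, so a claim that decodes to JSON `true` (or, on PHP 7, to `0`) is equal to any configured value and satisfies the `aud`/`iss` requirement; pass the strict flag, `if (!isset($claims[$field]) || !in_array($claims[$field], $values, true)) {`. The same loop checks `$claims['alg']`, but in a JWT the `alg` parameter is carried in the header, not the payload, so unless the lines between 15 and 36 (outside these hunks) copy the header value into `$claims`, a non-empty `jwtAuth.algorithms` setting rejects every token and never constrains the algorithm that was actually used for signature verification; the header's `alg` should be compared against `$requirements['alg']` where the header is parsed. Note also that RFC 7519 allows `aud` to be an array of audiences, which this comparison rejects outright, so a short comment such as `// NOTE: array-valued 'aud' claims are not supported and are rejected` would document the limitation. getVerifiedClaims starts in the first hunk and its signature-verification body lies between the hunks.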
