Improve JWT support

mevdschee · mevdschee · commit 8fbaa0c68ed3 · 2018-11-01T20:37:15.000+01:00
diff --git a/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
@@ -11,7 +11,14 @@ class JwtAuthMiddleware extends Middleware
 {
     private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret, array $requirements): array
     {
-        $algorithms = array('HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512');
+        $algorithms = array(
+            'HS256' => 'sha256',
+            'HS384' => 'sha384',
+            'HS512' => 'sha512',
+            'RS256' => 'sha256',
+            'RS384' => 'sha384',
+            'RS512' => 'sha512',
+        );
         $token = explode('.', $token);
         if (count($token) < 3) {
             return array();
@@ -27,22 +34,38 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         if (!isset($algorithms[$algorithm])) {
             return array();
         }
-        $hmac = $algorithms[$algorithm];
-        $signature = bin2hex(base64_decode(strtr($token[2], '-_', '+/')));
-        if ($signature != hash_hmac($hmac, "$token[0].$token[1]", $secret)) {
+        if (!in_array($algorithm, $requirements['alg'])) {
             return array();
         }
+        $hmac = $algorithms[$algorithm];
+        $signature = base64_decode(strtr($token[2], '-_', '+/'));
+        $data = "$token[0].$token[1]";
+        switch ($algorithm[0]) {
+            case 'H':
+                $hash = hash_hmac($hmac, $data, $secret, true);
+                if (function_exists('hash_equals')) {
+                    $equals = hash_equals($signature, $hash);
+                } else {
+                    $equals = $signature == $hash;
+                }
+                if (!$equals) {
+                    return array();
+                }
+                break;
+            case 'R':
+                $equals = openssl_verify($data, $signature, $secret, $hmac) == 1;
+                if (!$equals) {
+                    return array();
+                }
+                break;
+        }
         $claims = json_decode(base64_decode(strtr($token[1], '-_', '+/')), true);
         if (!$claims) {
             return array();
         }
         foreach ($requirements as $field => $values) {
             if (!empty($values)) {
-                if ($field == 'alg') {
-                    if (!isset($header[$field]) || !in_array($header[$field], $values)) {
-                        return array();
-                    }
-                } else {
+                if ($field != 'alg') {
                     if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
                         return array();
                     }
