Improve JWT implementation

mevdschee · mevdschee · commit a678491125bc · 2018-10-09T13:47:29.000+02:00
diff --git a/README.md b/README.md
@@ -162,6 +162,7 @@ You can tune the middleware behavior using middleware specific configuration par
 - "cors.allowCredentials": To allow credentials in the CORS request ("true")
 - "cors.maxAge": The time that the CORS grant is valid in seconds ("1728000")
 - "jwtAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
+- "jwtAuth.header": Name of the header containing the JWT token ("X-Authorization")
 - "jwtAuth.leeway": The acceptable number of seconds of clock skew ("5")
 - "jwtAuth.ttl": The number of seconds the token is valid ("30")
 - "jwtAuth.secret": The shared secret used to sign the JWT token with ("")
@@ -588,10 +589,12 @@ This example sends the string "username1:password1".
 
 The JWT type requires another (SSO/Identity) server to sign a token that contains claims. 
 Both servers share a secret so that they can either sign or verify that the signature is valid.
-Claims are stored in the `$_SESSION['claims']` variable.
-You need to send an "Authorization" header containing a base64 url encoded and dot separated token header, body and signature after the word "Bearer" ([read more about JWT here](https://jwt.io/)).
+Claims are stored in the `$_SESSION['claims']` variable. You need to send an "X-Authorization" 
+header containing a base64 url encoded and dot separated token header, body and signature after
+the word "Bearer" ([read more about JWT here](https://jwt.io/)). The standard says you need to
+use the "Authorization" header, but this is problematic in Apache and PHP.
 
-    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE1MzgyMDc2MDUiLCJleHAiOjE1MzgyMDc2MzV9.Z5px_GT15TRKhJCTHhDt5Z6K6LRDSFnLj8U5ok9l7gw
+    X-Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE1MzgyMDc2MDUiLCJleHAiOjE1MzgyMDc2MzV9.Z5px_GT15TRKhJCTHhDt5Z6K6LRDSFnLj8U5ok9l7gw
 
 This example sends the signed claims:
 
diff --git a/api.php b/api.php
@@ -3194,7 +3194,7 @@ public function handle(Request $request): Response
 
 class JwtAuthMiddleware extends Middleware
 {
-    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret): array
+    private function getVerifiedClaims(String $token, int $time, int $leeway, int $ttl, String $secret, array $requirements): array
     {
         $algorithms = array('HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512');
         $token = explode('.', $token);
@@ -3221,6 +3221,13 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         if (!$claims) {
             return array();
         }
+        foreach ($requirements as $field => $values) {
+            if (!empty($values)) {
+                if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
+                    return array();
+                }
+            }
+        }
         if (isset($claims['nbf']) && $time + $leeway < $claims['nbf']) {
             return array();
         }
@@ -3238,21 +3245,32 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         return $claims;
     }
 
+    private function getArrayProperty(String $property, String $default): array
+    {
+        return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));
+    }
+
     private function getClaims(String $token): array
     {
         $time = (int) $this->getProperty('time', time());
         $leeway = (int) $this->getProperty('leeway', '5');
         $ttl = (int) $this->getProperty('ttl', '30');
         $secret = $this->getProperty('secret', '');
+        $requirements = array(
+            'alg' => $this->getArrayProperty('algorithms', ''),
+            'aud' => $this->getArrayProperty('audiences', ''),
+            'iss' => $this->getArrayProperty('issuers', ''),
+        );
         if (!$secret) {
             return array();
         }
-        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret);
+        return $this->getVerifiedClaims($token, $time, $leeway, $ttl, $secret, $requirements);
     }
 
     private function getAuthorizationToken(Request $request): String
     {
-        $parts = explode(' ', trim($request->getHeader('Authorization')), 2);
+        $header = $this->getProperty('header', 'X-Authorization');
+        $parts = explode(' ', trim($request->getHeader($header)), 2);
         if (count($parts) != 2) {
             return '';
         }
@@ -5432,7 +5450,6 @@ public function __toString(): String
     'username' => 'php-crud-api',
     'password' => 'php-crud-api',
     'database' => 'php-crud-api',
-    'middlewares' => 'basicAuth',
 ]);
 $request = new Request();
 $api = new Api($config);
diff --git a/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
@@ -84,7 +84,8 @@ private function getClaims(String $token): array
 
     private function getAuthorizationToken(Request $request): String
     {
-        $parts = explode(' ', trim($request->getHeader('Authorization')), 2);
+        $header = $this->getProperty('header', 'X-Authorization');
+        $parts = explode(' ', trim($request->getHeader($header)), 2);
         if (count($parts) != 2) {
             return '';
         }

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,8 @@ private function getClaims(String $token): array`
`84`	`84`
`85`	`85`	`private function getAuthorizationToken(Request $request): String`
`86`	`86`	`{`
`87`		`- $parts = explode(' ', trim($request->getHeader('Authorization')), 2);`
	`87`	`+ $header = $this->getProperty('header', 'X-Authorization');`
	`88`	`+ $parts = explode(' ', trim($request->getHeader($header)), 2);`
`88`	`89`	`if (count($parts) != 2) {`
`89`	`90`	`return '';`
`90`	`91`	`}`