Merge branch 'master' of github.com:mevdschee/php-crud-api

Author: mevdschee

README.md

@@ -7,7 +7,7 @@ https://github.com/mevdschee/php-crud-api/tree/v1
 
 Related projects:
 
-  - [PHP-API-AUTH](https://github.com/mevdschee/php-api-auth): Authentication add-on (for v1) supporting JWT or username/password.
+  - [PHP-API-AUTH](https://github.com/mevdschee/php-api-auth): Authentication add-on supporting JWT for username/password.
   - [PHP-SP-API](https://github.com/mevdschee/php-sp-api): Single file PHP script that adds a REST API to a SQL database.
   - [PHP-CRUD-UI](https://github.com/mevdschee/PHP-crud-ui): Single file PHP script that adds a UI to a PHP-CRUD-API (v1) project.
   - [VUE-CRUD-UI](https://github.com/nlware/vue-crud-ui): Single file Vue.js script that adds a UI to a PHP-CRUD-API (v1) project.

api.php

@@ -3117,7 +3117,7 @@ public function handle(Request $request): Response
             $response = $this->responder->error(ErrorCode::ORIGIN_FORBIDDEN, $origin);
         } elseif ($method == 'OPTIONS') {
             $response = new Response(Response::OK, '');
-            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN');
+            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization');
             if ($allowHeaders) {
                 $response->addHeader('Access-Control-Allow-Headers', $allowHeaders);
             }

examples/clients/auth.php/vanilla.html

@@ -0,0 +1,33 @@
+<html>
+<head>
+<meta charset="utf-8" /> 
+<script>
+var authUrl = 'authorize.php'; // hostname ending in '.auth0.com'
+var clientId = 'default'; // client id as defined in auth0
+var audience = 'api.php'; // api audience as defined in auth0
+window.onload = function () {
+    var match = RegExp('[#&]access_token=([^&]*)').exec(window.location.hash);
+    var accessToken = match && decodeURIComponent(match[1].replace(/\+/g, ' '));
+    if (!accessToken) {
+        document.location = authUrl+'?audience='+audience+'&response_type=token&client_id='+clientId+'&redirect_uri='+document.location.href;
+    } else {
+        document.location.hash = '';
+        var req = new XMLHttpRequest();
+        req.onreadystatechange = function () {
+            if (req.readyState==4) {
+                console.log(req.responseText);
+                document.getElementById('output').innerHTML = JSON.stringify(JSON.parse(req.responseText), undefined, 4);
+            }
+        }
+        url = 'api.php/records/posts?join=categories&join=tags&join=comments&filter=id,eq,1';
+        req.open("GET", url, true);
+        req.setRequestHeader('X-Authorization', 'Bearer '+accessToken);
+        req.send();
+    }
+};
+</script>
+</head>
+<body>
+<pre id="output"></pre>
+</body>
+</html>

examples/clients/auth0/vanilla.html

@@ -2,11 +2,9 @@
 <head>
 <meta charset="utf-8" /> 
 <script>
-//var domain = ''; // hostname ending in '.auth0.com'
-//var authUrl = 'https://'+domain+'/authorize';
-var authUrl = 'http://127.0.0.2/authorize.php'
-var clientId = 'default'; // client id as defined in auth0
-var audience = 'http://127.0.0.3/api.php'; // api audience as defined in auth0
+var authUrl = 'https://php-crud-api.auth0.com/authorize'; // hostname ending in '.auth0.com'
+var clientId = ''; // client id as defined in auth0
+var audience = ''; // api audience as defined in auth0
 window.onload = function () {
     var match = RegExp('[#&]access_token=([^&]*)').exec(window.location.hash);
     var accessToken = match && decodeURIComponent(match[1].replace(/\+/g, ' '));
@@ -32,4 +30,4 @@
 <body>
 <pre id="output"></pre>
 </body>
-</html>
+</html>

src/Tqdev/PhpCrudApi/Middleware/CorsMiddleware.php

@@ -32,7 +32,7 @@ public function handle(Request $request): Response
             $response = $this->responder->error(ErrorCode::ORIGIN_FORBIDDEN, $origin);
         } elseif ($method == 'OPTIONS') {
             $response = new Response(Response::OK, '');
-            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN');
+            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization');
             if ($allowHeaders) {
                 $response->addHeader('Access-Control-Allow-Headers', $allowHeaders);
             }

src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php

@@ -38,8 +38,14 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         }
         foreach ($requirements as $field => $values) {
             if (!empty($values)) {
-                if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
-                    return array();
+                if ($field == 'alg') {
+                    if (!isset($header[$field]) || !in_array($header[$field], $values)) {
+                        return array();
+                    }
+                } else {
+                    if (!isset($claims[$field]) || !in_array($claims[$field], $values)) {
+                        return array();
+                    }
                 }
             }
         }

tests/functional/001_records/041_cors_pre_flight.log

@@ -4,7 +4,7 @@ Access-Control-Request-Method: POST
 Access-Control-Request-Headers: X-XSRF-TOKEN, X-Requested-With
 ===
 200
-Access-Control-Allow-Headers: Content-Type, X-XSRF-TOKEN
+Access-Control-Allow-Headers: Content-Type, X-XSRF-TOKEN, X-Authorization
 Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST, DELETE, PATCH
 Access-Control-Allow-Credentials: true
 Access-Control-Max-Age: 1728000