WE2-689 Updated README

WE2-689 Added example project
WE2-683 Added method withSecureRandom() to ChallengeNonceGeneratorBuilder

Author: Guido Gröön

README.md

@@ -0,0 +1,31 @@
+{
+    "name": "demo/webeid-php",
+    "description": "Web eID PHP demo",
+    "license": "MIT",
+    "type": "library",
+    "authors": [
+        {
+            "name": "Guido Gröön",
+            "role" : "developer"
+        }
+    ],
+    "require": {
+        "php": ">=7.4",
+        "web_eid/web_eid_authtoken_validation_php": "dev-main",
+        "web_eid/ocsp_php": "dev-main",
+        "altorouter/altorouter": "1.1.0"
+    },
+    "autoload": {
+        "classmap": ["src"]
+    },
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/web-eid/web-eid-authtoken-validation-php.git"
+        },
+        {
+            "type": "vcs",
+            "url": "https://github.com/web-eid/ocsp-php.git"
+        }        
+    ]        
+}

examples/composer.json

@@ -0,0 +1,4 @@
+RewriteEngine on
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME}/ !-f
+RewriteRule . index.php [L]

examples/index.php

@@ -0,0 +1,13 @@
+<?php
+
+header('Content-type: text/html; charset=UTF-8');
+
+session_start();
+
+// Define the log location
+define("LOGFILE", dirname(__FILE__) . "/../log/web-eid-authtoken-validation-php.log");
+
+require __DIR__ . '/../vendor/autoload.php';
+
+$router = new Router();
+$router->init();

examples/public/.htaccess

@@ -0,0 +1,115 @@
+<?php
+
+use web_eid\web_eid_authtoken_validation_php\authtoken\WebEidAuthToken;
+use web_eid\web_eid_authtoken_validation_php\certificate\CertificateData;
+use web_eid\web_eid_authtoken_validation_php\certificate\CertificateLoader;
+use web_eid\web_eid_authtoken_validation_php\challenge\ChallengeNonceGenerator;
+use web_eid\web_eid_authtoken_validation_php\challenge\ChallengeNonceGeneratorBuilder;
+use web_eid\web_eid_authtoken_validation_php\challenge\ChallengeNonceStore;
+use web_eid\web_eid_authtoken_validation_php\exceptions\ChallengeNonceExpiredException;
+use web_eid\web_eid_authtoken_validation_php\util\Uri;
+use web_eid\web_eid_authtoken_validation_php\validator\AuthTokenValidator;
+use web_eid\web_eid_authtoken_validation_php\validator\AuthTokenValidatorBuilder;
+
+class Auth
+{
+
+    public function trustedIntermediateCACertificates(): array
+    {
+        return CertificateLoader::loadCertificatesFromResources(
+            __DIR__ . "/../certificates/esteid2018.der.crt", __DIR__ . "/../certificates/ESTEID-SK_2015.der.crt"
+        );
+    }
+
+    public function generator(): ChallengeNonceGenerator
+    {
+        return (new ChallengeNonceGeneratorBuilder())
+            ->withNonceTtl(300)
+            ->build();
+    }
+
+    public function tokenValidator(): AuthTokenValidator
+    {
+        return (new AuthTokenValidatorBuilder())
+            ->withSiteOrigin(new Uri('https://localhost:8443'))
+            ->withTrustedCertificateAuthorities(...self::trustedIntermediateCACertificates())
+            ->build();
+    }
+
+    /**
+     * Get challenge nonce
+     *
+     * @return string
+     */    
+    public function getNonce()
+    {
+        try {
+            header('Content-Type: application/json; charset=utf-8');
+            $generator = $this->generator();
+            $challengeNonce = $generator->generateAndStoreNonce();
+            $responseArr = [];
+            $responseArr["nonce"] = $challengeNonce->getBase64EncodedNonce();
+            echo json_encode($responseArr);
+        } catch (Exception $e) {
+            header("HTTP/1.0 400 Bad Request");
+            echo $e->getMessage();
+        }
+    }
+
+    /**
+     * Authenticate
+     *
+     * @return string
+     */    
+    public function validate()
+    {
+        $authToken = file_get_contents('php://input');
+
+        try {
+
+            /* Get and remove nonce from store */
+            $challengeNonce = (new ChallengeNonceStore())->getAndRemove();
+
+            try {
+
+                // Build token validator
+                $tokenValidator = $this->tokenValidator();
+
+                // Validate token
+                $cert = $tokenValidator->validate(new WebEidAuthToken($authToken), $challengeNonce->getBase64EncodedNonce());
+
+                session_regenerate_id();
+
+                $subjectName = CertificateData::getSubjectGivenName($cert) . " " . CertificateData::getSubjectSurname($cert);
+                $result = [
+                    'sub' => $subjectName
+                ];
+
+                $_SESSION["auth-user"] = $subjectName;
+
+                echo json_encode($result);
+
+            } catch (Exception $e) {
+                header("HTTP/1.0 400 Bad Request");
+                echo $e->getMessage();
+            }
+
+        } catch (ChallengeNonceExpiredException $e) {
+            header("HTTP/1.0 400 Bad Request");
+            echo $e->getMessage();
+        }
+    }
+
+    /**
+     * Logout
+     *
+     */
+    public function logout()
+    {
+        unset($_SESSION["auth-user"]);
+        session_regenerate_id();
+        // Redirect to login
+        header("location:/");
+    }
+
+}

examples/public/index.php

@@ -0,0 +1,36 @@
+<?php
+
+class Pages
+{
+    var $template;
+    var $data = [];
+
+    public function __construct()
+    {
+        $this->template = new Template();
+    }
+
+    public function login()
+    {
+        $this->data['content'] = $this->template->getHtml(__DIR__ . '/../tpl/login.phtml');
+    }
+
+    public function welcome()
+    {
+        if (!isset($_SESSION["auth-user"])) {
+            // Redirect to login
+            header("location:/");
+            return;
+        }
+
+        $data = [];
+        $data["auth_user"] = $_SESSION["auth-user"];
+        $this->data['content'] = $this->template->getHtml(__DIR__ . '/../tpl/welcome.phtml', $data);
+    }
+
+    public function __destruct()
+    {
+        echo $this->template->getHtml(__DIR__ . '/../tpl/site.phtml', $this->data);
+    }
+
+}

examples/js/errors.js examples/public/js/errors.jsexamples/js/errors.js renamed to examples/public/js/errors.js

@@ -0,0 +1,41 @@
+<?php
+/* App router */
+
+class Router
+{
+    public function init()
+    {
+
+        $router = new AltoRouter();
+        $router->setBasePath('');
+
+        // Page routes
+        $router->map('GET', '', ['controller' => 'Pages', 'method' => 'login']);
+        $router->map('GET', '/', ['controller' => 'Pages', 'method' => 'login']);
+        $router->map('GET', '/logout', ['controller' => 'Auth', 'method' => 'logout']);
+
+        // Allow route onlu for authenticated users
+        if (isset($_SESSION["auth-user"])) {
+            $router->map('GET', '/welcome', ['controller' => 'Pages', 'method' => 'welcome']);
+        }
+
+        // Web eID routes
+        $router->map('GET', '/nonce', ['controller' => 'Auth', 'method' => 'getNonce']);
+        $router->map('POST', '/validate', ['controller' => 'Auth', 'method' => 'validate']);
+        
+        $match = $router->match();
+
+        if (!$match) {
+            // Redirect to login
+            header("location:/");
+            return;
+        }
+
+
+        $controller = new $match['target']['controller'];
+        $method = $match['target']['method'];
+
+        call_user_func([$controller, $method], $match['params'], []);        
+
+    }
+}