mirror of
https://github.com/elyby/accounts.git
synced 2025-05-31 14:11:46 +05:30
Replace emarref/jwt with lcobucci/jwt
Refactor all JWT-related components Replace RS256 with ES256 as a preferred JWT algorithm
This commit is contained in:
ErickSkrauch
12
api/components/Tokens/AlgorithmIsNotDefinedException.php
Normal file
12
api/components/Tokens/AlgorithmIsNotDefinedException.php
Normal file
@@ -0,0 +1,12 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\Tokens;
|
||||
|
||||
class AlgorithmIsNotDefinedException extends \Exception {
|
||||
|
||||
public function __construct(string $algorithmId) {
|
||||
parent::__construct("Algorithm with id \"{$algorithmId}\" is not defined");
|
||||
}
|
||||
|
||||
}
|
||||
19
api/components/Tokens/Algorithms/AlgorithmInterface.php
Normal file
19
api/components/Tokens/Algorithms/AlgorithmInterface.php
Normal file
@@ -0,0 +1,19 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\Tokens\Algorithms;
|
||||
|
||||
use Lcobucci\JWT\Signer;
|
||||
use Lcobucci\JWT\Signer\Key;
|
||||
|
||||
interface AlgorithmInterface {
|
||||
|
||||
public function getAlgorithmId(): string;
|
||||
|
||||
public function getSigner(): Signer;
|
||||
|
||||
public function getPrivateKey(): Key;
|
||||
|
||||
public function getPublicKey(): Key;
|
||||
|
||||
}
|
||||
74
api/components/Tokens/Algorithms/ES256.php
Normal file
74
api/components/Tokens/Algorithms/ES256.php
Normal file
@@ -0,0 +1,74 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\Tokens\Algorithms;
|
||||
|
||||
use Lcobucci\JWT\Signer;
|
||||
use Lcobucci\JWT\Signer\Ecdsa\Sha256;
|
||||
use Lcobucci\JWT\Signer\Key;
|
||||
|
||||
class ES256 implements AlgorithmInterface {
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
private $privateKey;
|
||||
|
||||
/**
|
||||
* @var string|null
|
||||
*/
|
||||
private $privateKeyPass;
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
private $publicKey;
|
||||
|
||||
/**
|
||||
* @var Key|null
|
||||
*/
|
||||
private $loadedPrivateKey;
|
||||
|
||||
/**
|
||||
* @var Key|null
|
||||
*/
|
||||
private $loadedPublicKey;
|
||||
|
||||
/**
|
||||
* TODO: document arguments
|
||||
*
|
||||
* @param string $privateKey
|
||||
* @param string|null $privateKeyPass
|
||||
* @param string $publicKey
|
||||
*/
|
||||
public function __construct(string $privateKey, ?string $privateKeyPass, string $publicKey) {
|
||||
$this->privateKey = $privateKey;
|
||||
$this->privateKeyPass = $privateKeyPass;
|
||||
$this->publicKey = $publicKey;
|
||||
}
|
||||
|
||||
public function getAlgorithmId(): string {
|
||||
return 'ES256';
|
||||
}
|
||||
|
||||
public function getSigner(): Signer {
|
||||
return new Sha256();
|
||||
}
|
||||
|
||||
public function getPrivateKey(): Key {
|
||||
if ($this->loadedPrivateKey === null) {
|
||||
$this->loadedPrivateKey = new Key($this->privateKey, $this->privateKeyPass);
|
||||
}
|
||||
|
||||
return $this->loadedPrivateKey;
|
||||
}
|
||||
|
||||
public function getPublicKey(): Key {
|
||||
if ($this->loadedPublicKey === null) {
|
||||
$this->loadedPublicKey = new Key($this->publicKey);
|
||||
}
|
||||
|
||||
return $this->loadedPublicKey;
|
||||
}
|
||||
|
||||
}
|
||||
50
api/components/Tokens/Algorithms/HS256.php
Normal file
50
api/components/Tokens/Algorithms/HS256.php
Normal file
@@ -0,0 +1,50 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\Tokens\Algorithms;
|
||||
|
||||
use Lcobucci\JWT\Signer;
|
||||
use Lcobucci\JWT\Signer\Hmac\Sha256;
|
||||
use Lcobucci\JWT\Signer\Key;
|
||||
|
||||
class HS256 implements AlgorithmInterface {
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
private $key;
|
||||
|
||||
/**
|
||||
* @var Key|null
|
||||
*/
|
||||
private $loadedKey;
|
||||
|
||||
public function __construct(string $key) {
|
||||
$this->key = $key;
|
||||
}
|
||||
|
||||
public function getAlgorithmId(): string {
|
||||
return 'HS256';
|
||||
}
|
||||
|
||||
public function getSigner(): Signer {
|
||||
return new Sha256();
|
||||
}
|
||||
|
||||
public function getPrivateKey(): Key {
|
||||
return $this->loadKey();
|
||||
}
|
||||
|
||||
public function getPublicKey(): Key {
|
||||
return $this->loadKey();
|
||||
}
|
||||
|
||||
private function loadKey(): Key {
|
||||
if ($this->loadedKey === null) {
|
||||
$this->loadedKey = new Key($this->key);
|
||||
}
|
||||
|
||||
return $this->loadedKey;
|
||||
}
|
||||
|
||||
}
|
||||
42
api/components/Tokens/AlgorithmsManager.php
Normal file
42
api/components/Tokens/AlgorithmsManager.php
Normal file
@@ -0,0 +1,42 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\Tokens;
|
||||
|
||||
use api\components\Tokens\Algorithms\AlgorithmInterface;
|
||||
use Webmozart\Assert\Assert;
|
||||
|
||||
class AlgorithmsManager {
|
||||
|
||||
/**
|
||||
* @var AlgorithmInterface[]
|
||||
*/
|
||||
private $algorithms = [];
|
||||
|
||||
public function __construct(array $algorithms = []) {
|
||||
array_map([$this, 'add'], $algorithms);
|
||||
}
|
||||
|
||||
public function add(AlgorithmInterface $algorithm): self {
|
||||
$id = $algorithm->getAlgorithmId();
|
||||
Assert::keyNotExists($this->algorithms, $id, 'passed algorithm is already exists');
|
||||
$this->algorithms[$algorithm->getSigner()->getAlgorithmId()] = $algorithm;
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $algorithmId
|
||||
*
|
||||
* @return AlgorithmInterface
|
||||
* @throws AlgorithmIsNotDefinedException
|
||||
*/
|
||||
public function get(string $algorithmId): AlgorithmInterface {
|
||||
if (!isset($this->algorithms[$algorithmId])) {
|
||||
throw new AlgorithmIsNotDefinedException($algorithmId);
|
||||
}
|
||||
|
||||
return $this->algorithms[$algorithmId];
|
||||
}
|
||||
|
||||
}
|
||||
96
api/components/Tokens/Component.php
Normal file
96
api/components/Tokens/Component.php
Normal file
@@ -0,0 +1,96 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\Tokens;
|
||||
|
||||
use Exception;
|
||||
use Lcobucci\JWT\Builder;
|
||||
use Lcobucci\JWT\Parser;
|
||||
use Lcobucci\JWT\Token;
|
||||
use yii\base\Component as BaseComponent;
|
||||
|
||||
class Component extends BaseComponent {
|
||||
|
||||
private const EXPIRATION_TIMEOUT = 3600; // 1h
|
||||
|
||||
private const PREFERRED_ALGORITHM = 'ES256';
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
public $hmacKey;
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
public $publicKeyPath;
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
public $privateKeyPath;
|
||||
|
||||
/**
|
||||
* @var string|null
|
||||
*/
|
||||
public $privateKeyPass;
|
||||
|
||||
/**
|
||||
* @var AlgorithmsManager|null
|
||||
*/
|
||||
private $algorithmManager;
|
||||
|
||||
public function create(array $payloads = [], array $headers = []): Token {
|
||||
$time = time();
|
||||
$builder = (new Builder())
|
||||
->issuedAt($time)
|
||||
->expiresAt($time + self::EXPIRATION_TIMEOUT);
|
||||
foreach ($payloads as $claim => $value) {
|
||||
$builder->withClaim($claim, $value);
|
||||
}
|
||||
|
||||
foreach ($headers as $claim => $value) {
|
||||
$builder->withHeader($claim, $value);
|
||||
}
|
||||
|
||||
/** @noinspection PhpUnhandledExceptionInspection */
|
||||
$algorithm = $this->getAlgorithmManager()->get(self::PREFERRED_ALGORITHM);
|
||||
|
||||
return $builder->getToken($algorithm->getSigner(), $algorithm->getPrivateKey());
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $jwt
|
||||
*
|
||||
* @return Token
|
||||
* @throws \InvalidArgumentException
|
||||
*/
|
||||
public function parse(string $jwt): Token {
|
||||
return (new Parser())->parse($jwt);
|
||||
}
|
||||
|
||||
public function verify(Token $token): bool {
|
||||
try {
|
||||
$algorithm = $this->getAlgorithmManager()->get($token->getHeader('alg'));
|
||||
return $token->verify($algorithm->getSigner(), $algorithm->getPublicKey());
|
||||
} catch (Exception $e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private function getAlgorithmManager(): AlgorithmsManager {
|
||||
if ($this->algorithmManager === null) {
|
||||
$this->algorithmManager = new AlgorithmsManager([
|
||||
new Algorithms\HS256($this->hmacKey),
|
||||
new Algorithms\ES256(
|
||||
"file://{$this->privateKeyPath}",
|
||||
$this->privateKeyPass,
|
||||
"file://{$this->publicKeyPath}"
|
||||
),
|
||||
]);
|
||||
}
|
||||
|
||||
return $this->algorithmManager;
|
||||
}
|
||||
|
||||
}
|
||||
31
api/components/Tokens/TokensFactory.php
Normal file
31
api/components/Tokens/TokensFactory.php
Normal file
@@ -0,0 +1,31 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\Tokens;
|
||||
|
||||
use common\models\Account;
|
||||
use common\models\AccountSession;
|
||||
use Lcobucci\JWT\Token;
|
||||
use Yii;
|
||||
|
||||
class TokensFactory {
|
||||
|
||||
public const SUB_ACCOUNT_PREFIX = 'ely|';
|
||||
|
||||
public static function createForAccount(Account $account, AccountSession $session = null): Token {
|
||||
$payloads = [
|
||||
'ely-scopes' => 'accounts_web_user',
|
||||
'sub' => self::SUB_ACCOUNT_PREFIX . $account->id,
|
||||
];
|
||||
if ($session === null) {
|
||||
// If we don't remember a session, the token should live longer
|
||||
// so that the session doesn't end while working with the account
|
||||
$payloads['exp'] = time() + 60 * 60 * 24 * 7; // 7d
|
||||
} else {
|
||||
$payloads['jti'] = $session->id;
|
||||
}
|
||||
|
||||
return Yii::$app->tokens->create($payloads);
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user