Replace emarref/jwt with lcobucci/jwt

Refactor all JWT-related components
Replace RS256 with ES256 as a preferred JWT algorithm

api/models/authentication/AuthenticationResult.php

@@ -0,0 +1,47 @@
+<?php
+declare(strict_types=1);
+
+namespace api\models\authentication;
+
+use Lcobucci\JWT\Token;
+
+class AuthenticationResult {
+
+    /**
+     * @var Token
+     */
+    private $token;
+
+    /**
+     * @var string|null
+     */
+    private $refreshToken;
+
+    public function __construct(Token $token, string $refreshToken = null) {
+        $this->token = $token;
+        $this->refreshToken = $refreshToken;
+    }
+
+    public function getToken(): Token {
+        return $this->token;
+    }
+
+    public function getRefreshToken(): ?string {
+        return $this->refreshToken;
+    }
+
+    public function formatAsOAuth2Response(): array {
+        $response = [
+            'access_token' => (string)$this->token,
+            'expires_in' => $this->token->getClaim('exp') - time(),
+        ];
+
+        $refreshToken = $this->refreshToken;
+        if ($refreshToken !== null) {
+            $response['refresh_token'] = $refreshToken;
+        }
+
+        return $response;
+    }
+
+}

api/models/authentication/ConfirmEmailForm.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 namespace api\models\authentication;
 
 use api\aop\annotations\CollectModelMetrics;
-use api\components\User\AuthenticationResult;
+use api\components\Tokens\TokensFactory;
 use api\models\base\ApiForm;
 use api\validators\EmailActivationKeyValidator;
 use common\models\Account;
@@ -25,12 +25,10 @@ class ConfirmEmailForm extends ApiForm {
 
     /**
      * @CollectModelMetrics(prefix="signup.confirmEmail")
-     * @return AuthenticationResult|bool
-     * @throws \Throwable
      */
-    public function confirm() {
+    public function confirm(): ?AuthenticationResult {
         if (!$this->validate()) {
-            return false;
+            return null;
         }
 
         $transaction = Yii::$app->db->beginTransaction();
@@ -39,6 +37,7 @@ class ConfirmEmailForm extends ApiForm {
         $confirmModel = $this->key;
         $account = $confirmModel->account;
         $account->status = Account::STATUS_ACTIVE;
+        /** @noinspection PhpUnhandledExceptionInspection */
         Assert::notSame($confirmModel->delete(), false, 'Unable remove activation key.');
 
         Assert::true($account->save(), 'Unable activate user account.');
@@ -49,12 +48,11 @@ class ConfirmEmailForm extends ApiForm {
         $session->generateRefreshToken();
         Assert::true($session->save(), 'Cannot save account session model');
 
-        $token = Yii::$app->user->createJwtAuthenticationToken($account, $session);
-        $jwt = Yii::$app->user->serializeToken($token);
+        $token = TokensFactory::createForAccount($account, $session);
 
         $transaction->commit();
 
-        return new AuthenticationResult($account, $jwt, $session);
+        return new AuthenticationResult($token, $session->refresh_token);
     }
 
 }

api/models/authentication/LoginForm.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 namespace api\models\authentication;
 
 use api\aop\annotations\CollectModelMetrics;
-use api\components\User\AuthenticationResult;
+use api\components\Tokens\TokensFactory;
 use api\models\base\ApiForm;
 use api\traits\AccountFinder;
 use api\validators\TotpValidator;
@@ -30,12 +30,12 @@ class LoginForm extends ApiForm {
             ['login', 'required', 'message' => E::LOGIN_REQUIRED],
             ['login', 'validateLogin'],
 
-            ['password', 'required', 'when' => function(self $model) {
+            ['password', 'required', 'when' => function(self $model): bool {
                 return !$model->hasErrors();
             }, 'message' => E::PASSWORD_REQUIRED],
             ['password', 'validatePassword'],
 
-            ['totp', 'required', 'when' => function(self $model) {
+            ['totp', 'required', 'when' => function(self $model): bool {
                 return !$model->hasErrors() && $model->getAccount()->is_otp_enabled;
             }, 'message' => E::TOTP_REQUIRED],
             ['totp', 'validateTotp'],
@@ -97,11 +97,10 @@ class LoginForm extends ApiForm {
 
     /**
      * @CollectModelMetrics(prefix="authentication.login")
-     * @return AuthenticationResult|bool
      */
-    public function login() {
+    public function login(): ?AuthenticationResult {
         if (!$this->validate()) {
-            return false;
+            return null;
         }
 
         $transaction = Yii::$app->db->beginTransaction();
@@ -113,21 +112,22 @@ class LoginForm extends ApiForm {
             Assert::true($account->save(), 'Unable to upgrade user\'s password');
         }
 
-        $session = null;
+        $refreshToken = null;
         if ($this->rememberMe) {
             $session = new AccountSession();
             $session->account_id = $account->id;
             $session->setIp(Yii::$app->request->userIP);
             $session->generateRefreshToken();
             Assert::true($session->save(), 'Cannot save account session model');
+
+            $refreshToken = $session->refresh_token;
         }
 
-        $token = Yii::$app->user->createJwtAuthenticationToken($account, $session);
-        $jwt = Yii::$app->user->serializeToken($token);
+        $token = TokensFactory::createForAccount($account, $session);
 
         $transaction->commit();
 
-        return new AuthenticationResult($account, $jwt, $session);
+        return new AuthenticationResult($token, $refreshToken);
     }
 
 }

api/models/authentication/RecoverPasswordForm.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 namespace api\models\authentication;
 
 use api\aop\annotations\CollectModelMetrics;
+use api\components\Tokens\TokensFactory;
 use api\models\base\ApiForm;
 use api\validators\EmailActivationKeyValidator;
 use common\helpers\Error as E;
@@ -38,12 +39,10 @@ class RecoverPasswordForm extends ApiForm {
 
     /**
      * @CollectModelMetrics(prefix="authentication.recoverPassword")
-     * @return \api\components\User\AuthenticationResult|bool
-     * @throws \Throwable
      */
-    public function recoverPassword() {
+    public function recoverPassword(): ?AuthenticationResult {
         if (!$this->validate()) {
-            return false;
+            return null;
         }
 
         $transaction = Yii::$app->db->beginTransaction();
@@ -52,16 +51,16 @@ class RecoverPasswordForm extends ApiForm {
         $confirmModel = $this->key;
         $account = $confirmModel->account;
         $account->password = $this->newPassword;
+        /** @noinspection PhpUnhandledExceptionInspection */
         Assert::notSame($confirmModel->delete(), false, 'Unable remove activation key.');
 
         Assert::true($account->save(), 'Unable activate user account.');
 
-        $token = Yii::$app->user->createJwtAuthenticationToken($account);
-        $jwt = Yii::$app->user->serializeToken($token);
+        $token = TokensFactory::createForAccount($account);
 
         $transaction->commit();
 
-        return new \api\components\User\AuthenticationResult($account, $jwt, null);
+        return new AuthenticationResult($token);
     }
 
 }

api/models/authentication/RefreshTokenForm.php

@@ -1,10 +1,14 @@
 <?php
+declare(strict_types=1);
+
 namespace api\models\authentication;
 
 use api\aop\annotations\CollectModelMetrics;
+use api\components\Tokens\TokensFactory;
 use api\models\base\ApiForm;
 use common\helpers\Error as E;
 use common\models\AccountSession;
+use Webmozart\Assert\Assert;
 use Yii;
 
 class RefreshTokenForm extends ApiForm {
@@ -16,41 +20,45 @@ class RefreshTokenForm extends ApiForm {
      */
     private $session;
 
-    public function rules() {
+    public function rules(): array {
         return [
             ['refresh_token', 'required', 'message' => E::REFRESH_TOKEN_REQUIRED],
             ['refresh_token', 'validateRefreshToken'],
         ];
     }
 
-    public function validateRefreshToken() {
-        if (!$this->hasErrors()) {
-            /** @var AccountSession|null $token */
-            if ($this->getSession() === null) {
-                $this->addError('refresh_token', E::REFRESH_TOKEN_NOT_EXISTS);
-            }
+    public function validateRefreshToken(): void {
+        if (!$this->hasErrors() && $this->findSession() === null) {
+            $this->addError('refresh_token', E::REFRESH_TOKEN_NOT_EXISTS);
         }
     }
 
     /**
      * @CollectModelMetrics(prefix="authentication.renew")
-     * @return \api\components\User\AuthenticationResult|bool
      */
-    public function renew() {
+    public function renew(): ?AuthenticationResult {
         if (!$this->validate()) {
-            return false;
+            return null;
         }
 
-        /** @var \api\components\User\Component $component */
-        $component = Yii::$app->user;
+        /** @var AccountSession $session */
+        $session = $this->findSession();
+        $account = $session->account;
 
-        return $component->renewJwtAuthenticationToken($this->getSession());
+        $transaction = Yii::$app->db->beginTransaction();
+
+        $token = TokensFactory::createForAccount($account, $session);
+
+        $session->setIp(Yii::$app->request->userIP);
+        $session->touch('last_refreshed_at');
+        Assert::true($session->save(), 'Cannot update session info');
+
+        $transaction->commit();
+
+        return new AuthenticationResult($token, $session->refresh_token);
     }
 
-    /**
-     * @return AccountSession|null
-     */
-    public function getSession() {
+    private function findSession(): ?AccountSession {
         if ($this->session === null) {
             $this->session = AccountSession::findOne(['refresh_token' => $this->refresh_token]);
         }