52 lines
1.5 KiB
PHP
52 lines
1.5 KiB
PHP
|
<?php
|
||
|
|
||
|
namespace Shaarli\Api;
|
||
|
|
||
|
use Shaarli\Api\Exceptions\ApiAuthorizationException;
|
||
|
|
||
|
/**
|
||
|
* Class ApiUtils
|
||
|
*
|
||
|
* Utility functions for the API.
|
||
|
*/
|
||
|
class ApiUtils
|
||
|
{
|
||
|
/**
|
||
|
* Validates a JWT token authenticity.
|
||
|
*
|
||
|
* @param string $token JWT token extracted from the headers.
|
||
|
* @param string $secret API secret set in the settings.
|
||
|
*
|
||
|
* @throws ApiAuthorizationException the token is not valid.
|
||
|
*/
|
||
|
public static function validateJwtToken($token, $secret)
|
||
|
{
|
||
|
$parts = explode('.', $token);
|
||
|
if (count($parts) != 3 || strlen($parts[0]) == 0 || strlen($parts[1]) == 0) {
|
||
|
throw new ApiAuthorizationException('Malformed JWT token');
|
||
|
}
|
||
|
|
||
|
$genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret);
|
||
|
if ($parts[2] != $genSign) {
|
||
|
throw new ApiAuthorizationException('Invalid JWT signature');
|
||
|
}
|
||
|
|
||
|
$header = json_decode(base64_decode($parts[0]));
|
||
|
if ($header === null) {
|
||
|
throw new ApiAuthorizationException('Invalid JWT header');
|
||
|
}
|
||
|
|
||
|
$payload = json_decode(base64_decode($parts[1]));
|
||
|
if ($payload === null) {
|
||
|
throw new ApiAuthorizationException('Invalid JWT payload');
|
||
|
}
|
||
|
|
||
|
if (empty($payload->iat)
|
||
|
|| $payload->iat > time()
|
||
|
|| time() - $payload->iat > ApiMiddleware::$TOKEN_DURATION
|
||
|
) {
|
||
|
throw new ApiAuthorizationException('Invalid JWT issued time');
|
||
|
}
|
||
|
}
|
||
|
}
|