From 7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 Mon Sep 17 00:00:00 2001
From: VirtualTam <virtualtam@flibidi.net>
Date: Wed, 4 Jan 2017 11:41:05 +0100
Subject: [PATCH] API: fix JWT signature verification

Fixes https://github.com/shaarli/Shaarli/issues/737

Added:
- Base64Url utilities

Fixed:
- use URL-safe Base64 encoding/decoding functions
- use byte representations for HMAC digests
- all JWT parts are Base64Url-encoded

See:
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://tools.ietf.org/html/rfc7519
- https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
- https://jwt.io/introduction/
- https://en.wikipedia.org/wiki/Base64#URL_applications
- https://secure.php.net/manual/en/function.base64-encode.php#103849

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
---
 application/Base64Url.php    | 34 ++++++++++++++++++++++++++++++++++
 application/api/ApiUtils.php | 12 +++++-------
 composer.json                |  1 +
 tests/api/ApiUtilsTest.php   | 15 +++++++++------
 4 files changed, 49 insertions(+), 13 deletions(-)
 create mode 100644 application/Base64Url.php

diff --git a/application/Base64Url.php b/application/Base64Url.php
new file mode 100644
index 0000000..61590e4
--- /dev/null
+++ b/application/Base64Url.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Shaarli;
+
+
+/**
+ * URL-safe Base64 operations
+ *
+ * @see https://en.wikipedia.org/wiki/Base64#URL_applications
+ */
+class Base64Url
+{
+    /**
+     * Base64Url-encodes data
+     *
+     * @param string $data Data to encode
+     *
+     * @return string Base64Url-encoded data
+     */
+    public static function encode($data) {
+        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
+    }
+
+    /**
+     * Decodes Base64Url-encoded data
+     *
+     * @param string $data Data to decode
+     *
+     * @return string Decoded data
+     */
+    public static function decode($data) {
+        return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
+    }
+}
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index fbb1e72..a419c39 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -1,13 +1,11 @@
 <?php
-
 namespace Shaarli\Api;
 
+use Shaarli\Base64Url;
 use Shaarli\Api\Exceptions\ApiAuthorizationException;
 
 /**
- * Class ApiUtils
- *
- * Utility functions for the API.
+ * REST API utilities
  */
 class ApiUtils
 {
@@ -26,17 +24,17 @@ class ApiUtils
             throw new ApiAuthorizationException('Malformed JWT token');
         }
 
-        $genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret);
+        $genSign = Base64Url::encode(hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret, true));
         if ($parts[2] != $genSign) {
             throw new ApiAuthorizationException('Invalid JWT signature');
         }
 
-        $header = json_decode(base64_decode($parts[0]));
+        $header = json_decode(Base64Url::decode($parts[0]));
         if ($header === null) {
             throw new ApiAuthorizationException('Invalid JWT header');
         }
 
-        $payload = json_decode(base64_decode($parts[1]));
+        $payload = json_decode(Base64Url::decode($parts[1]));
         if ($payload === null) {
             throw new ApiAuthorizationException('Invalid JWT payload');
         }
diff --git a/composer.json b/composer.json
index cfbde1a..2fed0df 100644
--- a/composer.json
+++ b/composer.json
@@ -24,6 +24,7 @@
     },
     "autoload": {
         "psr-4": {
+            "Shaarli\\": "application",
             "Shaarli\\Api\\": "application/api/",
             "Shaarli\\Api\\Controllers\\": "application/api/controllers",
             "Shaarli\\Api\\Exceptions\\": "application/api/exceptions"
diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php
index 10da145..4b2fa3b 100644
--- a/tests/api/ApiUtilsTest.php
+++ b/tests/api/ApiUtilsTest.php
@@ -2,6 +2,9 @@
 
 namespace Shaarli\Api;
 
+use Shaarli\Base64Url;
+
+
 /**
  * Class ApiUtilsTest
  */
@@ -24,14 +27,14 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase
      */
     public static function generateValidJwtToken($secret)
     {
-        $header = base64_encode('{
+        $header = Base64Url::encode('{
             "typ": "JWT",
             "alg": "HS512"
         }');
-        $payload = base64_encode('{
+        $payload = Base64Url::encode('{
             "iat": '. time() .'
         }');
-        $signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
+        $signature = Base64Url::encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true));
         return $header .'.'. $payload .'.'. $signature;
     }
 
@@ -46,9 +49,9 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase
      */
     public static function generateCustomJwtToken($header, $payload, $secret)
     {
-        $header = base64_encode($header);
-        $payload = base64_encode($payload);
-        $signature = hash_hmac('sha512', $header . '.' . $payload, $secret);
+        $header = Base64Url::encode($header);
+        $payload = Base64Url::encode($payload);
+        $signature = Base64Url::encode(hash_hmac('sha512', $header . '.' . $payload, $secret, true));
         return $header . '.' . $payload . '.' . $signature;
     }