jwt.php
3.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
<?php
namespace WordfenceLS\Crypto;
use WordfenceLS\Controller_Time;
use WordfenceLS\Model_Crypto;
/**
* Class Model_JWT
* @package Wordfence2FA\Crypto
* @property array $payload
* @property int $expiration
*/
class Model_JWT {
private $_payload;
private $_expiration;
/**
* Decodes and returns the payload of a JWT. This also validates the signature and expiration. Currently assumes HS256 JWTs.
*
* @param string $token
* @return Model_JWT|bool The decoded JWT or false if the token is invalid or fails validation.
*/
public static function decode_jwt($token) {
$components = explode('.', $token);
if (count($components) != 3) {
return false;
}
$key = Model_Crypto::shared_hash_secret();
$body = $components[0] . '.' . $components[1];
$signature = hash_hmac('sha256', $body, $key, true);
$testSignature = self::base64url_decode($components[2]);
if (!hash_equals($signature, $testSignature)) {
return false;
}
$json = self::base64url_decode($components[1]);
$payload = @json_decode($json, true);
$expiration = false;
if (isset($payload['_exp'])) {
$expiration = $payload['_exp'];
if ($payload['_exp'] < Controller_Time::time()) {
return false;
}
unset($payload['_exp']);
}
return new self($payload, $expiration);
}
/**
* Model_JWT constructor.
*
* @param array $payload
* @param bool|int $expiration
*/
public function __construct($payload, $expiration = false) {
$this->_payload = $payload;
$this->_expiration = $expiration;
}
public function __toString() {
$payload = $this->_payload;
if ($this->_expiration !== false) {
$payload['_exp'] = $this->_expiration;
}
$key = Model_Crypto::shared_hash_secret();
$header = '{"alg":"HS256","typ":"JWT"}';
$body = self::base64url_encode($header) . '.' . self::base64url_encode(json_encode($payload));
$signature = hash_hmac('sha256', $body, $key, true);
return $body . '.' . self::base64url_encode($signature);
}
public function __isset($key) {
switch ($key) {
case 'payload':
case 'expiration':
return true;
}
throw new \OutOfBoundsException('Invalid key: ' . $key);
}
public function __get($key) {
switch ($key) {
case 'payload':
return $this->_payload;
case 'expiration':
return $this->_expiration;
}
throw new \OutOfBoundsException('Invalid key: ' . $key);
}
/**
* Utility
*/
/**
* Base64URL-encodes the given payload. This is identical to base64_encode except it substitutes characters
* not safe for use in URLs.
*
* @param string $payload
* @return string
*/
public static function base64url_encode($payload) {
return self::base64url_convert_to(base64_encode($payload));
}
public static function base64url_convert_to($base64) {
$intermediate = rtrim($base64, '=');
$intermediate = str_replace('+', '-', $intermediate);
$intermediate = str_replace('/', '_', $intermediate);
return $intermediate;
}
/**
* Base64URL-decodes the given payload. This is identical to base64_encode except it allows for the characters
* substituted by base64url_encode.
*
* @param string $payload
* @return string
*/
public static function base64url_decode($payload) {
return base64_decode(self::base64url_convert_from($payload));
}
public static function base64url_convert_from($base64url) {
$intermediate = str_replace('_', '/', $base64url);
$intermediate = str_replace('-', '+', $intermediate);
return $intermediate;
}
}