Commit a7acb85a authored by François Agneray's avatar François Agneray

Change JWT lib (#63)

parent ab39270f
......@@ -24,7 +24,7 @@
"php-di/php-di": "^6.3",
"monolog/monolog": "^2.2",
"doctrine/orm": "^2.8",
"lcobucci/jwt": "^4.1"
"firebase/php-jwt": "^5.2"
},
"require-dev": {
"phpunit/phpunit": "^9.5",
......
......@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "a60c2b2452586978ff1ec79965e0c3d4",
"content-hash": "df10cb89c262e08d94c642228bf6607f",
"packages": [
{
"name": "composer/package-versions-deprecated",
......@@ -1033,139 +1033,58 @@
"time": "2020-10-24T22:13:54+00:00"
},
{
"name": "lcobucci/clock",
"version": "2.0.0",
"name": "firebase/php-jwt",
"version": "v5.2.1",
"source": {
"type": "git",
"url": "https://github.com/lcobucci/clock.git",
"reference": "353d83fe2e6ae95745b16b3d911813df6a05bfb3"
"url": "https://github.com/firebase/php-jwt.git",
"reference": "f42c9110abe98dd6cfe9053c49bc86acc70b2d23"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/lcobucci/clock/zipball/353d83fe2e6ae95745b16b3d911813df6a05bfb3",
"reference": "353d83fe2e6ae95745b16b3d911813df6a05bfb3",
"url": "https://api.github.com/repos/firebase/php-jwt/zipball/f42c9110abe98dd6cfe9053c49bc86acc70b2d23",
"reference": "f42c9110abe98dd6cfe9053c49bc86acc70b2d23",
"shasum": ""
},
"require": {
"php": "^7.4 || ^8.0"
"php": ">=5.3.0"
},
"require-dev": {
"infection/infection": "^0.17",
"lcobucci/coding-standard": "^6.0",
"phpstan/extension-installer": "^1.0",
"phpstan/phpstan": "^0.12",
"phpstan/phpstan-deprecation-rules": "^0.12",
"phpstan/phpstan-phpunit": "^0.12",
"phpstan/phpstan-strict-rules": "^0.12",
"phpunit/php-code-coverage": "9.1.4",
"phpunit/phpunit": "9.3.7"
"phpunit/phpunit": ">=4.8 <=9"
},
"type": "library",
"autoload": {
"psr-4": {
"Lcobucci\\Clock\\": "src"
"Firebase\\JWT\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
"BSD-3-Clause"
],
"authors": [
{
"name": "Luís Cobucci",
"email": "lcobucci@gmail.com"
}
],
"description": "Yet another clock abstraction",
"support": {
"issues": "https://github.com/lcobucci/clock/issues",
"source": "https://github.com/lcobucci/clock/tree/2.0.x"
},
"funding": [
{
"url": "https://github.com/lcobucci",
"type": "github"
"name": "Neuman Vong",
"email": "neuman+pear@twilio.com",
"role": "Developer"
},
{
"url": "https://www.patreon.com/lcobucci",
"type": "patreon"
}
],
"time": "2020-08-27T18:56:02+00:00"
},
{
"name": "lcobucci/jwt",
"version": "4.1.4",
"source": {
"type": "git",
"url": "https://github.com/lcobucci/jwt.git",
"reference": "71cf170102c8371ccd933fa4df6252086d144de6"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/lcobucci/jwt/zipball/71cf170102c8371ccd933fa4df6252086d144de6",
"reference": "71cf170102c8371ccd933fa4df6252086d144de6",
"shasum": ""
},
"require": {
"ext-hash": "*",
"ext-json": "*",
"ext-mbstring": "*",
"ext-openssl": "*",
"ext-sodium": "*",
"lcobucci/clock": "^2.0",
"php": "^7.4 || ^8.0"
},
"require-dev": {
"infection/infection": "^0.21",
"lcobucci/coding-standard": "^6.0",
"mikey179/vfsstream": "^1.6.7",
"phpbench/phpbench": "^1.0@alpha",
"phpstan/extension-installer": "^1.0",
"phpstan/phpstan": "^0.12",
"phpstan/phpstan-deprecation-rules": "^0.12",
"phpstan/phpstan-phpunit": "^0.12",
"phpstan/phpstan-strict-rules": "^0.12",
"phpunit/php-invoker": "^3.1",
"phpunit/phpunit": "^9.5"
},
"type": "library",
"autoload": {
"psr-4": {
"Lcobucci\\JWT\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-3-Clause"
],
"authors": [
{
"name": "Luís Cobucci",
"email": "lcobucci@gmail.com",
"name": "Anant Narayanan",
"email": "anant@php.net",
"role": "Developer"
}
],
"description": "A simple library to work with JSON Web Token and JSON Web Signature",
"description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
"homepage": "https://github.com/firebase/php-jwt",
"keywords": [
"JWS",
"jwt"
"jwt",
"php"
],
"support": {
"issues": "https://github.com/lcobucci/jwt/issues",
"source": "https://github.com/lcobucci/jwt/tree/4.1.4"
"issues": "https://github.com/firebase/php-jwt/issues",
"source": "https://github.com/firebase/php-jwt/tree/v5.2.1"
},
"funding": [
{
"url": "https://github.com/lcobucci",
"type": "github"
},
{
"url": "https://www.patreon.com/lcobucci",
"type": "patreon"
}
],
"time": "2021-03-23T23:53:08+00:00"
"time": "2021-02-12T00:02:00+00:00"
},
{
"name": "monolog/monolog",
......
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1PHpi8f0iWxr1M9lwlL9tWwfZCIfO/oUFvtAPz94wOJCnISVe1AZDvHba2+Zn6fGQ9iXBkxjjz0Qn/p4YiV1zM/TaPme/LFrefTyrI8fhIQmucMSGWm37DgWPJrb5aZDJIdt7GKoEpAAMFFhh0qAH1BZ9s9vVNBCTSyhpsela9+XLTwIDGU0pAyEBNyc8/AOLiNv9LgPJoe/GHixJKcGkoyEacKJfhfzM36EpZedHBMvIv/ENUanMcD4aHhSIm44i6uEcZvFnQUtYCj9MluyJhfCw+arDja8bghB/6Wwzg7hq3H1oLfOJotpPculNaRA2ppTD/qIkdyiBmLw/puSEQIDAQAB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplPCdQmPmmqR/CisztTpIfxNWsD1ALO2MNZxO/MpltP/TPJdPJVZQwoefgcmVO5pYnjeWwn8mlbFe5NgpCWGEWS9nc29FGx/VGxMhdkaM9xwcN8gmFx9Z97FUv3ciyyJw8MzgGszwRQnmVE8J5KxsuYXHWrfedF9twcS9r0klyvCmYn1loCX0tO+JLph7NFRR2Cbou3bYtw75C/2LZf/UfhrfKZ6wWaM/94hEQ6K1m7WrzSQgFvSpzex0Ff5kSjaSxLH/gjRLFt7yTi7/dzdqItze2rFsI/YGllWrR+6dTEbCJHnYZh3RTbF3nohuOaTfdS5ikxmWdI5kCIBPFW10QIDAQAB
-----END PUBLIC KEY-----
......@@ -17,7 +17,7 @@ services:
LOGGER_NAME: "anis-metamodel"
LOGGER_PATH: "php://stderr"
LOGGER_LEVEL: "debug"
TOKEN_ENABLED: 0
TOKEN_ENABLED: 1
TOKEN_PUBLIC_KEY_FILE: /data/public_key
TOKEN_ADMIN_ROLE: anis_admin
ports:
......
......@@ -65,7 +65,7 @@ abstract class AbstractAction
// The user is not connected (401)
throw new HttpUnauthorizedException($request);
}
$roles = $token->getClaim('realm_access')->roles;
$roles = $token->realm_access->roles;
if (!in_array($adminRole, $roles)) {
$qb = $this->em->createQueryBuilder();
$qb->select('d.name')
......
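Review bot: `$token->realm_access->roles` on the new line is read without a guard, so a token that carries no `realm_access` claim (the decoded object presumably holds only the claims the issuer put in) yields a warning and a null `$roles`, which `in_array` then rejects with a TypeError on PHP 8. A default covers it: `$roles = $token->realm_access->roles ?? [];`. The same unguarded access appears in the DatasetListByInstanceAction and AdminMiddleware hunks below. While touching the line, `in_array($adminRole, $roles, true)` avoids loose comparison of the role string against whatever the claim holds. The enclosing method of AbstractAction starts and ends outside the hunk.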
......@@ -77,7 +77,7 @@ final class DatasetListByInstanceAction extends AbstractAction
// If user is not connected return public datasets
$qb->andWhere($qb->expr()->eq('d.public', 'true'));
} else {
$roles = $token->getClaim('realm_access')->roles;
$roles = $token->realm_access->roles;
if (!in_array($this->settings['admin_role'], $roles)) {
// If user is not an admin return public datasets
// And returns datasets from user's groups
......
......@@ -61,7 +61,7 @@ final class AdminMiddleware implements MiddlewareInterface
if (!$token) {
return $this->getResponse('HTTP 401: This url need a valid token', 401);
}
if (!in_array($this->settings['admin_role'], $token->getClaim('realm_access')->roles)) {
if (!in_array($this->settings['admin_role'], $token->realm_access->roles)) {
return $this->getResponse('HTTP 403: This url need a higher level of permission', 403);
}
......
......@@ -18,10 +18,7 @@ use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Exception\HttpUnauthorizedException;
use Nyholm\Psr7\Response as NyholmResponse;
use Psr\Http\Server\MiddlewareInterface;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Firebase\JWT\JWT;
/**
* Middleware to handle Authorization request header (JWT)
......@@ -76,19 +73,13 @@ final class AuthorizationMiddleware implements MiddlewareInterface
);
}
// Parse the JWT Token
$token = (new Parser())->parse((string) $data[1]);
// Read public key
$publicKey = file_get_contents($this->settings['public_key_file']);
// Validating token (verifying expiration date and issuer)
$data = new ValidationData();
if (!$token->validate($data)) {
return $this->getUnauthorizedResponse('HTTP 401: Access Token is not valid or has expired');
}
// Test token signature with the public key
$publicKey = new Key('file://' . $this->settings['public_key_file']);
if (!$token->verify(new Sha256(), $publicKey)) {
return $this->getUnauthorizedResponse('HTTP 401: Access Token signature is not valid');
try {
$token = JWT::decode($data[1], $publicKey, array('RS256'));
} catch (\Exception $e) {
return $this->getUnauthorizedResponse('HTTP 401: ' . $e->getMessage());
}
return $handler->handle($request->withAttribute('token', $token));
......
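Review bot: The `file_get_contents` result on the `// Read public key` line is never checked, so when the key file is missing or unreadable `false` is handed to `JWT::decode` and the request fails with whatever message the library produces; guard it with `if ($publicKey === false) { return $this->getUnauthorizedResponse('HTTP 401: Access Token can not be verified'); }` using a fixed message, since a missing key is a server-side configuration fault rather than a client one. The catch block likewise returns `$e->getMessage()` verbatim, which hands library-internal wording to unauthenticated callers; log the exception and return a constant text such as the previous 'HTTP 401: Access Token is not valid or has expired'. The explicit `array('RS256')` allow-list is the right shape and should stay hard-coded rather than derived from the token header. Neither the old nor the new code checks `iss` or `aud` after decoding, so any token signed by this key is accepted for this service, which is worth confirming as intended. The method continues outside the hunk on both sides.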