application/api/ApiUtils.php

   1 <?php
   2
   3 namespace Shaarli\Api;
   4
   5 use Shaarli\Api\Exceptions\ApiAuthorizationException;
   6
   7 /**
   8  * Class ApiUtils
   9  *
  10  * Utility functions for the API.
  11  */
  12 class ApiUtils
  13 {
  14     /**
  15      * Validates a JWT token authenticity.
  16      *
  17      * @param string $token  JWT token extracted from the headers.
  18      * @param string $secret API secret set in the settings.
  19      *
  20      * @throws ApiAuthorizationException the token is not valid.
  21      */
  22     public static function validateJwtToken($token, $secret)
  23     {
  24         $parts = explode('.', $token);
  25         if (count($parts) != 3 || strlen($parts[0]) == 0 || strlen($parts[1]) == 0) {
  26             throw new ApiAuthorizationException('Malformed JWT token');
  27         }
  28
  29         $genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret);
  30         if ($parts[2] != $genSign) {
  31             throw new ApiAuthorizationException('Invalid JWT signature');
  32         }
  33
  34         $header = json_decode(base64_decode($parts[0]));
  35         if ($header === null) {
  36             throw new ApiAuthorizationException('Invalid JWT header');
  37         }
  38
  39         $payload = json_decode(base64_decode($parts[1]));
  40         if ($payload === null) {
  41             throw new ApiAuthorizationException('Invalid JWT payload');
  42         }
  43
  44         if (empty($payload->iat)
  45             || $payload->iat > time()
  46             || time() - $payload->iat > ApiMiddleware::$TOKEN_DURATION
  47         ) {
  48             throw new ApiAuthorizationException('Invalid JWT issued time');
  49         }
  50     }
  51 }