API: fix JWT signature verification

Fixes https://github.com/shaarli/Shaarli/issues/737

Added:
- Base64Url utilities

Fixed:
- use URL-safe Base64 encoding/decoding functions
- use byte representations for HMAC digests
- all JWT parts are Base64Url-encoded

See:
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://tools.ietf.org/html/rfc7519
- https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
- https://jwt.io/introduction/
- https://en.wikipedia.org/wiki/Base64#URL_applications
- https://secure.php.net/manual/en/function.base64-encode.php#103849

Signed-off-by: VirtualTam <virtualtam@flibidi.net>

1 files changed, 34 insertions, 0 deletions

diff --git a/application/Base64Url.php b/application/Base64Url.php
new file mode 100644
index 00000000..61590e43
--- /dev/null
+++ b/application/Base64Url.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Shaarli;
+
+
+/**
+ * URL-safe Base64 operations
+ *
+ * @see https://en.wikipedia.org/wiki/Base64#URL_applications
+ */
+class Base64Url
+{
+    /**
+     * Base64Url-encodes data
+     *
+     * @param string $data Data to encode
+     *
+     * @return string Base64Url-encoded data
+     */
+    public static function encode($data) {
+        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
+    }
+
+    /**
+     * Decodes Base64Url-encoded data
+     *
+     * @param string $data Data to decode
+     *
+     * @return string Decoded data
+     */
+    public static function decode($data) {
+        return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
+    }
+}