aboutsummaryrefslogtreecommitdiffhomepage
path: root/application/api/ApiUtils.php
diff options
context:
space:
mode:
authorVirtualTam <virtualtam+github@flibidi.net>2017-01-05 12:39:17 +0100
committerGitHub <noreply@github.com>2017-01-05 12:39:17 +0100
commit383cbaf2c5a49f5fa54e635ed437d18784830afe (patch)
treeb92c37792e7af48e1da36686f1d722aaffb90a06 /application/api/ApiUtils.php
parentfc11ab2f290a3712b766d78fdbcd354625a35d0a (diff)
parent7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 (diff)
downloadShaarli-383cbaf2c5a49f5fa54e635ed437d18784830afe.tar.gz
Shaarli-383cbaf2c5a49f5fa54e635ed437d18784830afe.tar.zst
Shaarli-383cbaf2c5a49f5fa54e635ed437d18784830afe.zip
Merge pull request #739 from virtualtam/fix/api/jwt-signature
API: fix JWT signature verification
Diffstat (limited to 'application/api/ApiUtils.php')
-rw-r--r--application/api/ApiUtils.php12
1 files changed, 5 insertions, 7 deletions
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index fbb1e72f..a419c396 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -1,13 +1,11 @@
1<?php 1<?php
2
3namespace Shaarli\Api; 2namespace Shaarli\Api;
4 3
4use Shaarli\Base64Url;
5use Shaarli\Api\Exceptions\ApiAuthorizationException; 5use Shaarli\Api\Exceptions\ApiAuthorizationException;
6 6
7/** 7/**
8 * Class ApiUtils 8 * REST API utilities
9 *
10 * Utility functions for the API.
11 */ 9 */
12class ApiUtils 10class ApiUtils
13{ 11{
@@ -26,17 +24,17 @@ class ApiUtils
26 throw new ApiAuthorizationException('Malformed JWT token'); 24 throw new ApiAuthorizationException('Malformed JWT token');
27 } 25 }
28 26
29 $genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret); 27 $genSign = Base64Url::encode(hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret, true));
30 if ($parts[2] != $genSign) { 28 if ($parts[2] != $genSign) {
31 throw new ApiAuthorizationException('Invalid JWT signature'); 29 throw new ApiAuthorizationException('Invalid JWT signature');
32 } 30 }
33 31
34 $header = json_decode(base64_decode($parts[0])); 32 $header = json_decode(Base64Url::decode($parts[0]));
35 if ($header === null) { 33 if ($header === null) {
36 throw new ApiAuthorizationException('Invalid JWT header'); 34 throw new ApiAuthorizationException('Invalid JWT header');
37 } 35 }
38 36
39 $payload = json_decode(base64_decode($parts[1])); 37 $payload = json_decode(Base64Url::decode($parts[1]));
40 if ($payload === null) { 38 if ($payload === null) {
41 throw new ApiAuthorizationException('Invalid JWT payload'); 39 throw new ApiAuthorizationException('Invalid JWT payload');
42 } 40 }