aboutsummaryrefslogtreecommitdiffhomepage
path: root/application/api
diff options
context:
space:
mode:
authorVirtualTam <virtualtam@flibidi.net>2017-01-04 11:41:05 +0100
committerVirtualTam <virtualtam@flibidi.net>2017-01-04 16:59:47 +0100
commit7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 (patch)
treeb92c37792e7af48e1da36686f1d722aaffb90a06 /application/api
parentfc11ab2f290a3712b766d78fdbcd354625a35d0a (diff)
downloadShaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.gz
Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.zst
Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.zip
API: fix JWT signature verification
Fixes https://github.com/shaarli/Shaarli/issues/737 Added: - Base64Url utilities Fixed: - use URL-safe Base64 encoding/decoding functions - use byte representations for HMAC digests - all JWT parts are Base64Url-encoded See: - https://en.wikipedia.org/wiki/JSON_Web_Token - https://tools.ietf.org/html/rfc7519 - https://scotch.io/tutorials/the-anatomy-of-a-json-web-token - https://jwt.io/introduction/ - https://en.wikipedia.org/wiki/Base64#URL_applications - https://secure.php.net/manual/en/function.base64-encode.php#103849 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/api')
-rw-r--r--application/api/ApiUtils.php12
1 files changed, 5 insertions, 7 deletions
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index fbb1e72f..a419c396 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -1,13 +1,11 @@
1<?php 1<?php
2
3namespace Shaarli\Api; 2namespace Shaarli\Api;
4 3
4use Shaarli\Base64Url;
5use Shaarli\Api\Exceptions\ApiAuthorizationException; 5use Shaarli\Api\Exceptions\ApiAuthorizationException;
6 6
7/** 7/**
8 * Class ApiUtils 8 * REST API utilities
9 *
10 * Utility functions for the API.
11 */ 9 */
12class ApiUtils 10class ApiUtils
13{ 11{
@@ -26,17 +24,17 @@ class ApiUtils
26 throw new ApiAuthorizationException('Malformed JWT token'); 24 throw new ApiAuthorizationException('Malformed JWT token');
27 } 25 }
28 26
29 $genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret); 27 $genSign = Base64Url::encode(hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret, true));
30 if ($parts[2] != $genSign) { 28 if ($parts[2] != $genSign) {
31 throw new ApiAuthorizationException('Invalid JWT signature'); 29 throw new ApiAuthorizationException('Invalid JWT signature');
32 } 30 }
33 31
34 $header = json_decode(base64_decode($parts[0])); 32 $header = json_decode(Base64Url::decode($parts[0]));
35 if ($header === null) { 33 if ($header === null) {
36 throw new ApiAuthorizationException('Invalid JWT header'); 34 throw new ApiAuthorizationException('Invalid JWT header');
37 } 35 }
38 36
39 $payload = json_decode(base64_decode($parts[1])); 37 $payload = json_decode(Base64Url::decode($parts[1]));
40 if ($payload === null) { 38 if ($payload === null) {
41 throw new ApiAuthorizationException('Invalid JWT payload'); 39 throw new ApiAuthorizationException('Invalid JWT payload');
42 } 40 }