diff options
| author | VirtualTam <virtualtam@flibidi.net> | 2017-01-04 11:41:05 +0100 |
|---|---|---|
| committer | VirtualTam <virtualtam@flibidi.net> | 2017-01-04 16:59:47 +0100 |
| commit | 7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 (patch) | |
| tree | b92c37792e7af48e1da36686f1d722aaffb90a06 /tests/api | |
| parent | fc11ab2f290a3712b766d78fdbcd354625a35d0a (diff) | |
| download | Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.gz Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.zst Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.zip | |
API: fix JWT signature verification
Fixes https://github.com/shaarli/Shaarli/issues/737
Added:
- Base64Url utilities
Fixed:
- use URL-safe Base64 encoding/decoding functions
- use byte representations for HMAC digests
- all JWT parts are Base64Url-encoded
See:
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://tools.ietf.org/html/rfc7519
- https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
- https://jwt.io/introduction/
- https://en.wikipedia.org/wiki/Base64#URL_applications
- https://secure.php.net/manual/en/function.base64-encode.php#103849
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'tests/api')
| -rw-r--r-- | tests/api/ApiUtilsTest.php | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php index 10da1459..4b2fa3b2 100644 --- a/tests/api/ApiUtilsTest.php +++ b/tests/api/ApiUtilsTest.php | |||
| @@ -2,6 +2,9 @@ | |||
| 2 | 2 | ||
| 3 | namespace Shaarli\Api; | 3 | namespace Shaarli\Api; |
| 4 | 4 | ||
| 5 | use Shaarli\Base64Url; | ||
| 6 | |||
| 7 | |||
| 5 | /** | 8 | /** |
| 6 | * Class ApiUtilsTest | 9 | * Class ApiUtilsTest |
| 7 | */ | 10 | */ |
| @@ -24,14 +27,14 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase | |||
| 24 | */ | 27 | */ |
| 25 | public static function generateValidJwtToken($secret) | 28 | public static function generateValidJwtToken($secret) |
| 26 | { | 29 | { |
| 27 | $header = base64_encode('{ | 30 | $header = Base64Url::encode('{ |
| 28 | "typ": "JWT", | 31 | "typ": "JWT", |
| 29 | "alg": "HS512" | 32 | "alg": "HS512" |
| 30 | }'); | 33 | }'); |
| 31 | $payload = base64_encode('{ | 34 | $payload = Base64Url::encode('{ |
| 32 | "iat": '. time() .' | 35 | "iat": '. time() .' |
| 33 | }'); | 36 | }'); |
| 34 | $signature = hash_hmac('sha512', $header .'.'. $payload , $secret); | 37 | $signature = Base64Url::encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true)); |
| 35 | return $header .'.'. $payload .'.'. $signature; | 38 | return $header .'.'. $payload .'.'. $signature; |
| 36 | } | 39 | } |
| 37 | 40 | ||
| @@ -46,9 +49,9 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase | |||
| 46 | */ | 49 | */ |
| 47 | public static function generateCustomJwtToken($header, $payload, $secret) | 50 | public static function generateCustomJwtToken($header, $payload, $secret) |
| 48 | { | 51 | { |
| 49 | $header = base64_encode($header); | 52 | $header = Base64Url::encode($header); |
| 50 | $payload = base64_encode($payload); | 53 | $payload = Base64Url::encode($payload); |
| 51 | $signature = hash_hmac('sha512', $header . '.' . $payload, $secret); | 54 | $signature = Base64Url::encode(hash_hmac('sha512', $header . '.' . $payload, $secret, true)); |
| 52 | return $header . '.' . $payload . '.' . $signature; | 55 | return $header . '.' . $payload . '.' . $signature; |
| 53 | } | 56 | } |
| 54 | 57 | ||