aboutsummaryrefslogtreecommitdiffhomepage
path: root/tests/api
diff options
context:
space:
mode:
authorVirtualTam <virtualtam@flibidi.net>2017-01-04 11:41:05 +0100
committerVirtualTam <virtualtam@flibidi.net>2017-01-04 16:59:47 +0100
commit7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 (patch)
treeb92c37792e7af48e1da36686f1d722aaffb90a06 /tests/api
parentfc11ab2f290a3712b766d78fdbcd354625a35d0a (diff)
downloadShaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.gz
Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.zst
Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.zip
API: fix JWT signature verification
Fixes https://github.com/shaarli/Shaarli/issues/737 Added: - Base64Url utilities Fixed: - use URL-safe Base64 encoding/decoding functions - use byte representations for HMAC digests - all JWT parts are Base64Url-encoded See: - https://en.wikipedia.org/wiki/JSON_Web_Token - https://tools.ietf.org/html/rfc7519 - https://scotch.io/tutorials/the-anatomy-of-a-json-web-token - https://jwt.io/introduction/ - https://en.wikipedia.org/wiki/Base64#URL_applications - https://secure.php.net/manual/en/function.base64-encode.php#103849 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'tests/api')
-rw-r--r--tests/api/ApiUtilsTest.php15
1 files changed, 9 insertions, 6 deletions
diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php
index 10da1459..4b2fa3b2 100644
--- a/tests/api/ApiUtilsTest.php
+++ b/tests/api/ApiUtilsTest.php
@@ -2,6 +2,9 @@
2 2
3namespace Shaarli\Api; 3namespace Shaarli\Api;
4 4
5use Shaarli\Base64Url;
6
7
5/** 8/**
6 * Class ApiUtilsTest 9 * Class ApiUtilsTest
7 */ 10 */
@@ -24,14 +27,14 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase
24 */ 27 */
25 public static function generateValidJwtToken($secret) 28 public static function generateValidJwtToken($secret)
26 { 29 {
27 $header = base64_encode('{ 30 $header = Base64Url::encode('{
28 "typ": "JWT", 31 "typ": "JWT",
29 "alg": "HS512" 32 "alg": "HS512"
30 }'); 33 }');
31 $payload = base64_encode('{ 34 $payload = Base64Url::encode('{
32 "iat": '. time() .' 35 "iat": '. time() .'
33 }'); 36 }');
34 $signature = hash_hmac('sha512', $header .'.'. $payload , $secret); 37 $signature = Base64Url::encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true));
35 return $header .'.'. $payload .'.'. $signature; 38 return $header .'.'. $payload .'.'. $signature;
36 } 39 }
37 40
@@ -46,9 +49,9 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase
46 */ 49 */
47 public static function generateCustomJwtToken($header, $payload, $secret) 50 public static function generateCustomJwtToken($header, $payload, $secret)
48 { 51 {
49 $header = base64_encode($header); 52 $header = Base64Url::encode($header);
50 $payload = base64_encode($payload); 53 $payload = Base64Url::encode($payload);
51 $signature = hash_hmac('sha512', $header . '.' . $payload, $secret); 54 $signature = Base64Url::encode(hash_hmac('sha512', $header . '.' . $payload, $secret, true));
52 return $header . '.' . $payload . '.' . $signature; 55 return $header . '.' . $payload . '.' . $signature;
53 } 56 }
54 57