From 7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Wed, 4 Jan 2017 11:41:05 +0100 Subject: API: fix JWT signature verification Fixes https://github.com/shaarli/Shaarli/issues/737 Added: - Base64Url utilities Fixed: - use URL-safe Base64 encoding/decoding functions - use byte representations for HMAC digests - all JWT parts are Base64Url-encoded See: - https://en.wikipedia.org/wiki/JSON_Web_Token - https://tools.ietf.org/html/rfc7519 - https://scotch.io/tutorials/the-anatomy-of-a-json-web-token - https://jwt.io/introduction/ - https://en.wikipedia.org/wiki/Base64#URL_applications - https://secure.php.net/manual/en/function.base64-encode.php#103849 Signed-off-by: VirtualTam --- application/Base64Url.php | 34 ++++++++++++++++++++++++++++++++++ application/api/ApiUtils.php | 12 +++++------- composer.json | 1 + tests/api/ApiUtilsTest.php | 15 +++++++++------ 4 files changed, 49 insertions(+), 13 deletions(-) create mode 100644 application/Base64Url.php diff --git a/application/Base64Url.php b/application/Base64Url.php new file mode 100644 index 00000000..61590e43 --- /dev/null +++ b/application/Base64Url.php @@ -0,0 +1,34 @@ +