From 7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Wed, 4 Jan 2017 11:41:05 +0100 Subject: API: fix JWT signature verification Fixes https://github.com/shaarli/Shaarli/issues/737 Added: - Base64Url utilities Fixed: - use URL-safe Base64 encoding/decoding functions - use byte representations for HMAC digests - all JWT parts are Base64Url-encoded See: - https://en.wikipedia.org/wiki/JSON_Web_Token - https://tools.ietf.org/html/rfc7519 - https://scotch.io/tutorials/the-anatomy-of-a-json-web-token - https://jwt.io/introduction/ - https://en.wikipedia.org/wiki/Base64#URL_applications - https://secure.php.net/manual/en/function.base64-encode.php#103849 Signed-off-by: VirtualTam --- tests/api/ApiUtilsTest.php | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'tests/api/ApiUtilsTest.php') diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php index 10da1459..4b2fa3b2 100644 --- a/tests/api/ApiUtilsTest.php +++ b/tests/api/ApiUtilsTest.php @@ -2,6 +2,9 @@ namespace Shaarli\Api; +use Shaarli\Base64Url; + + /** * Class ApiUtilsTest */ @@ -24,14 +27,14 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase */ public static function generateValidJwtToken($secret) { - $header = base64_encode('{ + $header = Base64Url::encode('{ "typ": "JWT", "alg": "HS512" }'); - $payload = base64_encode('{ + $payload = Base64Url::encode('{ "iat": '. time() .' }'); - $signature = hash_hmac('sha512', $header .'.'. $payload , $secret); + $signature = Base64Url::encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true)); return $header .'.'. $payload .'.'. $signature; } @@ -46,9 +49,9 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase */ public static function generateCustomJwtToken($header, $payload, $secret) { - $header = base64_encode($header); - $payload = base64_encode($payload); - $signature = hash_hmac('sha512', $header . '.' . $payload, $secret); + $header = Base64Url::encode($header); + $payload = Base64Url::encode($payload); + $signature = Base64Url::encode(hash_hmac('sha512', $header . '.' . $payload, $secret, true)); return $header . '.' . $payload . '.' . $signature; } -- cgit v1.2.3