Handled JWT verification for WS endpoints

dd6c80b4 · Sonia Zorba · 719e7463 · dd6c80b4 · dd6c80b4 · dd6c80b4
Commit dd6c80b4 authored 5 years ago by Sonia Zorba
--- a/classes/IdTokenBuilder.php
+++ b/classes/IdTokenBuilder.php
@@ -29,7 +29,7 @@ class IdTokenBuilder {
            'iss' => $this->locator->config->jwtIssuer,
            'sub' => $user->id,
            'iat' => time(),
-            'exp' => time() + 120,
+            'exp' => time() + 3600,
            'name' => $user->getCompleteName()
        );

--- a/classes/OAuth2RequestHandler.php
+++ b/classes/OAuth2RequestHandler.php
@@ -2,6 +2,8 @@
 namespace RAP;
+use \Firebase\JWT\JWT;
 class OAuth2RequestHandler {
    private $locator;
@@ -166,7 +168,33 @@ class OAuth2RequestHandler {
        }
        $accessToken = $this->locator->getAccessTokenDAO()->getAccessToken($bearer_token);
-        if ($accessToken->expired) {
+        if ($accessToken === null) {
+            $this->attemptJWTTokenValidation($bearer_token);
+        } else if ($accessToken->expired) {
+            throw new UnauthorizedException("Access token is expired");
+        }
+    }
+    private function attemptJWTTokenValidation($jwt): void {
+        $jwtParts = explode('.', $jwt);
+        if (count($jwtParts) === 0) {
+            throw new UnauthorizedException("Invalid token");
+        }
+        $header = JWT::jsonDecode(JWT::urlsafeB64Decode($jwtParts[0]));
+        if (!isset($header->kid)) {
+            throw new UnauthorizedException("Invalid token: missing kid in header");
+        }
+        $keyPair = $this->locator->getJWKSDAO()->getRSAKeyPairById($header->kid);
+        if ($keyPair === null) {
+            throw new UnauthorizedException("Invalid kid: no key found");
+        }
+        try {
+            JWT::decode($jwt, $keyPair->publicKey, [$keyPair->alg]);
+        } catch (\Firebase\JWT\ExpiredException $ex) {
            throw new UnauthorizedException("Access token is expired");
        }
    }

--- a/classes/datalayer/JWKSDAO.php
+++ b/classes/datalayer/JWKSDAO.php
@@ -6,6 +6,8 @@ interface JWKSDAO {
    public function getRSAKeyPairs(): array;
+    public function getRSAKeyPairById(string $id): ?RSAKeyPair;
    public function insertRSAKeyPair(RSAKeyPair $keyPair): RSAKeyPair;
    public function getNewestKeyPair(): RSAKeyPair;

--- a/classes/datalayer/mysql/MySQLJWKSDAO.php
+++ b/classes/datalayer/mysql/MySQLJWKSDAO.php
@@ -43,6 +43,23 @@ class MySQLJWKSDAO extends BaseMySQLDAO implements JWKSDAO {
        return $keyPairs;
    }
+    public function getRSAKeyPairById(string $id): ?RSAKeyPair {
+        $dbh = $this->getDBHandler();
+        $query = "SELECT id, private_key, public_key, alg, creation_time FROM rsa_keypairs WHERE id = :id";
+        $stmt = $dbh->prepare($query);
+        $stmt->bindParam(':id', $id);
+        $stmt->execute();
+        foreach ($stmt->fetchAll() as $row) {
+            return $this->getRSAKeyPairFromResultRow($row);
+        }
+        return null;
+    }
    public function getNewestKeyPair(): RSAKeyPair {
        $dbh = $this->getDBHandler();

--- a/index.php
+++ b/index.php
@@ -37,12 +37,14 @@ Flight::map('error', function($ex) {
        http_response_code(401);
        echo "Unauthorized: " . $ex->message;
    } else if ($ex instanceof \Exception) {
+        http_response_code(500);
        if ($ex->getMessage() !== null) {
            echo $ex->getMessage();
        } else {
            echo $ex->getTraceAsString();
        }
    } else {
+        http_response_code(500);
        throw $ex;
    }
 });