lcobucci / jwt

A simple library to work with JSON Web Token and JSON Web Signature
https://lcobucci-jwt.readthedocs.io/en/stable/
BSD 3-Clause "New" or "Revised" License
7.29k stars 597 forks

Doubt in php token validation #141

Closed arthurlauck closed 7 years ago

arthurlauck commented 7 years ago

I'm new to app development, trying to build a login function, and I'm having some trouble with validation. Is the way I'm validating correct?

<?php
require_once 'vendor/autoload.php';

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Hmac\Sha256;

// http://stackoverflow.com/questions/18382740/cors-not-working-php
// Echoes whatever Origin the browser sent and allows credentials for it
if (isset($_SERVER['HTTP_ORIGIN'])) {
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400'); // cache for 1 day
}

// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
        header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
    }
    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
        header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
    }
    exit(0);
}

// Request body is JSON: {"token": "...", "id": "...", "email": "..."}
$postdata = file_get_contents("php://input");
$request  = json_decode($postdata);
$token2   = $request->token;
$id       = $request->id;
$email    = $request->email;

$signer = new Sha256();

// Rebuilds a token from the id and email the client sent
$token = (new Builder())
    ->setIssuer('app ceva')   // Configures the issuer (iss claim)
    ->setId($id, true)        // Configures the id (jti claim), replicating as a header item
    ->set('email', $email)    // Custom claim
    ->sign($signer, 'key')    // Creates a signature using "key" as the key
    ->getToken();             // Retrieves the generated token

$token->getHeaders(); // Retrieves the token headers
$token->getClaims();  // Retrieves the token claims

// Compares the client's token string with the rebuilt one
if ($token2 == (string) $token) {
    $data = new ValidationData(); // It will use the current time to validate (iat, nbf and exp)
    $data->setIssuer('app ceva');
    $data->setId($id);

    $validacao = $token->validate($data);
    $key = $token->verify($signer, 'key');

    if ($validacao && $key) {
        echo '1';
    } else {
        echo '0';
    }
} else {
    echo 'tokens do not match';
}
lcobucci commented 7 years ago

@arthurlauck I'm not sure how to answer your question. Your token creation and validation are a bit naive, so let me ask: what exactly are you trying to achieve with the code?

lcobucci commented 7 years ago

Closing since this is a question and not an issue with the lib.

arthurlauck commented 7 years ago

I'm trying to create a token when a user logs in, and then, when a user logs in already having a token, he can go on without filling in any field. It's working, but I'm not sure if it's the most secure/easy way to do it.

lcobucci commented 7 years ago

@arthurlauck got it. The problem here is that it seems you didn't understand the meaning of each registered claim.

Please take a look at RFC 7519 to understand them and also learn how to use them.
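As an added example of the issue/verify split lcobucci is pointing at (this is not code from the thread, the library's documentation, or its test suite; it uses the 3.x Builder/Parser/ValidationData API the question uses, and the library's 4.x API differs): the server issues a token at login carrying the registered claims iat, nbf, exp, iss, aud, sub and a random jti, and on later requests it parses and verifies the token the client presents instead of rebuilding one from the id and email in the request body. The audience string, the TTL, the issueToken/checkToken helper names and the per-run random secret are assumptions made for the example.

```php
<?php
declare(strict_types=1);

require_once 'vendor/autoload.php';

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Token;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Hmac\Sha256;

// Assumed values for the example: the issuer is the one from the question,
// the audience and TTL are invented.
const JWT_ISSUER   = 'app ceva';
const JWT_AUDIENCE = 'app ceva web';
const JWT_TTL      = 3600; // seconds

// Demo only: a fresh random secret per run, so tokens die with the process.
// A real deployment loads a stable server-side secret (at least 32 random
// bytes for HS256) from configuration; it is never a literal such as 'key'.
$secret = base64_encode(random_bytes(32));

/**
 * Issue a token once the caller has checked the user's credentials.
 * iat/nbf/exp bound the lifetime; jti is random (not the user id) so one
 * token can be revoked on its own; the user id goes in sub.
 */
function issueToken(Signer $signer, string $secret, string $userId, string $email, int $now): Token
{
    return (new Builder())
        ->setIssuer(JWT_ISSUER)
        ->setAudience(JWT_AUDIENCE)
        ->setId(bin2hex(random_bytes(16)), true)
        ->setIssuedAt($now)
        ->setNotBefore($now)
        ->setExpiration($now + JWT_TTL)
        ->setSubject($userId)
        ->set('email', $email)
        ->sign($signer, $secret)
        ->getToken();
}

/**
 * Check a token the client presented. Returns the claims the server may
 * trust, or null. The token is parsed and verified as received; nothing is
 * rebuilt from id/email fields of the request body.
 */
function checkToken(Signer $signer, string $secret, string $jwt, int $now): ?array
{
    try {
        $token = (new Parser())->parse($jwt);

        // Only the algorithm we sign with is acceptable; this also refuses
        // alg=none, which the 3.x parser turns into an unsigned token.
        if ($token->getHeader('alg', null) !== $signer->getAlgorithmId()) {
            return null;
        }
        // Signature first: until it checks out, every claim is attacker-controlled.
        if (!$token->verify($signer, $secret)) {
            return null;
        }
        // Then the registered claims: iss, aud and the iat/nbf/exp window at $now.
        $data = new ValidationData($now);
        $data->setIssuer(JWT_ISSUER);
        $data->setAudience(JWT_AUDIENCE);
        if (!$token->validate($data)) {
            return null;
        }
        return [
            'sub'   => $token->getClaim('sub'),
            'email' => $token->getClaim('email'),
            'jti'   => $token->getClaim('jti'),
        ];
    } catch (\Throwable $e) {
        // Malformed token, missing claim, unsigned token: all are rejected alike.
        return null;
    }
}

// Login step (credentials assumed to have been checked by the caller).
$signer = new Sha256();
$now    = time();
$jwt    = (string) issueToken($signer, $secret, '42', 'user@example.com', $now);

// Later requests: the client sends the token back, for example in
// "Authorization: Bearer <jwt>"; that string alone identifies the user.
$cases = [
    'same token, same secret'        => checkToken($signer, $secret, $jwt, $now),
    'token signed with other secret' => checkToken($signer, $secret,
        (string) issueToken($signer, 'other-secret', '42', 'user@example.com', $now), $now),
    'token after expiry'             => checkToken($signer, $secret, $jwt, $now + JWT_TTL + 1),
];
foreach ($cases as $label => $claims) {
    printf("%-32s %s\n", $label, $claims === null ? 'rejected' : 'accepted as user ' . $claims['sub']);
}
```

The id sent by the client is never fed into the token or into ValidationData; the user is whoever the verified sub claim names. If tokens must be revocable before exp, store the random jti server-side at issue time and look it up after checkToken returns; that lookup is application code, not something the library provides.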