paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

dummy usage example... #79

Closed Grummfy closed 2 years ago

Grummfy commented 6 years ago

Hello, in the documentation we have an example to create and validate a token, but to avoid misuse it could be interesting to have a dummy example.

So, for me, I will do something like this:

init.php

<?php
use ParagonIE\Paseto\Keys\{
    AsymmetricSecretKey,
    SymmetricKey
};

// pass the 64-byte Ed25519 secret key, not the whole keypair returned by sodium_crypto_sign_keypair()
$privateKey = new AsymmetricSecretKey(sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair()));
$publicKey = $privateKey->getPublicKey();

$sharedKey = new SymmetricKey(random_bytes(32));
// shared key is stored in a config file? a database? ....

getToken.php

<?php
use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Purpose;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Protocol\Version2;

/** @var SymmetricKey $sharedKey */ // reuse our shared key from init.php

// the user is authenticated inside the app
$userId = $app->getTheUserId();

// Builder::getLocal($sharedKey, new Version2()) is the shortcut for the
// setKey / setVersion / setPurpose calls below
$token = (new Builder())
    ->setKey($sharedKey)
    ->setVersion(new Version2())
    ->setPurpose(Purpose::local())
    // must match the IssuedBy rule checked in foo.php
    ->setIssuer('issuer defined during creation')
    ->setExpiration(
        (new DateTime())->add(new DateInterval('P1D'))
    )
    ->setClaims([
        'user_id' => $userId,
    ]);

echo $token;
// make the token available in the frontend.

bar.js

$.ajax({
  method: 'POST',
  url: 'foo.php',
  data: { token: tokenPreviouslyGivenByTheServer, data: 'some-data-to-save' }
})
  .done(function( msg ) {
    alert( "Data Saved: " + msg );
  });

foo.php

<?php
use ParagonIE\Paseto\Exception\PasetoException;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Parser;
use ParagonIE\Paseto\Purpose;
use ParagonIE\Paseto\Rules\{
    IssuedBy,
    NotExpired
};
use ParagonIE\Paseto\ProtocolCollection;

// Pass the token through untouched: it is parsed and authenticated, never rendered,
// so HTML escaping does not belong here (escape on output instead).
$providedToken = (string) ($_POST['token'] ?? '');

/**
 * @var string $providedToken
 * @var SymmetricKey $sharedKey
 */
$parser = Parser::getLocal($sharedKey, ProtocolCollection::v2());
// This is the same as the following, which additionally adds rules:
$parser = (new Parser())
    ->setKey($sharedKey)
    // Adding rules to be checked against the token
    ->addRule(new NotExpired)
    // Only passes if getToken.php called ->setIssuer() with this same string
    ->addRule(new IssuedBy('issuer defined during creation'))
    ->setPurpose(Purpose::local())
    // Only allow version 2
    ->setAllowedVersions(ProtocolCollection::v2());

try {
    $token = $parser->parse($providedToken);
} catch (PasetoException $ex) {
    /* Handle invalid token cases here; stop so nothing below runs without a token. */
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

if (!($token instanceof \ParagonIE\Paseto\JsonToken)) {
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

$userId = $token->get('user_id');
// ....
// do something with the posted data

Is this something that could be considered valid? In the other case, how should we handle it? An example is always a starting point.

Thanks.
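As an added example (not from the issue or the paseto docs) tying getToken.php and foo.php together: it mints a v2.local token with the builder, verifies it with the same NotExpired/IssuedBy rules, and shows the cases those rules and the key exist to reject (expired, other issuer, tampered payload, wrong key). The Composer autoload path, the issuer string and the user id are assumptions.

```php
<?php
// Added example: getToken.php / foo.php in one script, plus the tokens the parser rejects.
require __DIR__ . '/vendor/autoload.php';   // assumes paragonie/paseto installed via Composer
use ParagonIE\Paseto\{Builder, Parser, ProtocolCollection, Purpose};
use ParagonIE\Paseto\Exception\PasetoException;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Protocol\Version2;
use ParagonIE\Paseto\Rules\{IssuedBy, NotExpired};

function mint(SymmetricKey $key, string $issuer, DateTime $exp, int $userId): string
{
    return (string) (new Builder())
        ->setKey($key)
        ->setVersion(new Version2())
        ->setPurpose(Purpose::local())
        ->setIssuer($issuer)            // required for the IssuedBy rule to pass
        ->setExpiration($exp)
        ->setClaims(['user_id' => $userId]);
}
// User id for a valid token, null for anything the parser rejects (foo.php answers 401 there)
function verify(SymmetricKey $key, string $issuer, string $token): ?int
{
    $parser = (new Parser())
        ->setKey($key)
        ->setPurpose(Purpose::local())
        ->setAllowedVersions(ProtocolCollection::v2())
        ->addRule(new NotExpired())
        ->addRule(new IssuedBy($issuer));
    try {
        return (int) $parser->parse($token)->get('user_id');
    } catch (PasetoException $ex) {
        return null;
    }
}
$sharedKey = new SymmetricKey(random_bytes(32), new Version2());   // constructed; load from config in real use
$issuer    = 'example-issuer';                                     // constructed value
$tomorrow  = (new DateTime())->add(new DateInterval('P1D'));
$good      = mint($sharedKey, $issuer, $tomorrow, 42);
$tampered  = substr_replace($good, $good[50] === 'A' ? 'B' : 'A', 50, 1);   // corrupt one ciphertext character
$cases = [
    'good'      => [$sharedKey, $good],
    'expired'   => [$sharedKey, mint($sharedKey, $issuer, (new DateTime())->sub(new DateInterval('PT1H')), 42)],
    'other iss' => [$sharedKey, mint($sharedKey, 'someone-else', $tomorrow, 42)],
    'tampered'  => [$sharedKey, $tampered],
    'wrong key' => [new SymmetricKey(random_bytes(32), new Version2()), $good],
];
foreach ($cases as $label => [$key, $token]) {
    printf("%-10s %s\n", $label, var_export(verify($key, $issuer, $token), true));
}
```

Only the first case yields a user id; every other row comes back null, which is the point at which foo.php should stop with a 401 rather than continue.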

Grummfy commented 6 years ago

up

paragonie-security commented 2 years ago

The documentation has come a long way in the past 3 years. Does this meet your expectations for this library? https://github.com/paragonie/paseto/tree/master/docs