Hello,
In the documentation we get an example to create and validate a token, but to avoid misuse it could be interesting to have a dummy example.
So, for me, I will do something like this:
init.php
    <?php
    use ParagonIE\Paseto\Keys\{
        AsymmetricSecretKey,
        SymmetricKey
    };

    // sodium_crypto_sign_keypair() returns the 96-byte keypair (secret || public);
    // the library expects the 64-byte secret key, so extract it first.
    $privateKey = new AsymmetricSecretKey(
        sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair())
    );
    $publicKey = $privateKey->getPublicKey();
    $sharedKey = new SymmetricKey(random_bytes(32));
    // shared key is stored in a config file? a database? ....
getToken.php
    <?php
    use ParagonIE\Paseto\Builder;
    use ParagonIE\Paseto\Purpose;
    use ParagonIE\Paseto\Keys\SymmetricKey;
    use ParagonIE\Paseto\Protocol\Version2;

    /** @var SymmetricKey $sharedKey the key created in init.php, loaded from config/database */

    // reuse our shared key
    $token = Builder::getLocal($sharedKey, new Version2());
    // the user is authenticated inside the app ($app stands for your framework)
    $userId = $app->getTheUserId();
    // This is the same as the getLocal() shorthand above, with the claims added:
    $token = (new Builder())
        ->setKey($sharedKey)
        ->setVersion(new Version2())
        ->setPurpose(Purpose::local())
        // the parser's IssuedBy rule rejects the token unless a matching issuer is set here
        ->setIssuer('issuer defined during creation')
        ->setExpiration(
            (new DateTime())->add(new DateInterval('P1D'))
        )
        ->setClaims([
            'user_id' => $userId,
        ]);
    echo $token;
    // make the token available in the frontend.
foo.php
    <?php
    use ParagonIE\Paseto\Exception\PasetoException;
    use ParagonIE\Paseto\Keys\SymmetricKey;
    use ParagonIE\Paseto\Parser;
    use ParagonIE\Paseto\Purpose;
    use ParagonIE\Paseto\Rules\{
        IssuedBy,
        NotExpired
    };
    use ParagonIE\Paseto\ProtocolCollection;

    /**
     * @var SymmetricKey $sharedKey
     */
    // Take the token as-is: htmlspecialchars() is an output-encoding function and has
    // no place on input; the parser rejects anything that is not a valid token anyway.
    $providedToken = (string) ($_POST['token'] ?? '');
    $parser = Parser::getLocal($sharedKey, ProtocolCollection::v2());
    // This is the same as:
    $parser = (new Parser())
        ->setKey($sharedKey)
        // Adding rules to be checked against the token
        ->addRule(new NotExpired)
        ->addRule(new IssuedBy('issuer defined during creation'))
        ->setPurpose(Purpose::local())
        // Only allow version 2
        ->setAllowedVersions(ProtocolCollection::v2());
    try {
        $token = $parser->parse($providedToken);
    } catch (PasetoException $ex) {
        /* Handle invalid token cases here. Stop the request: without exit
           the script would carry on with an undefined $token. */
        http_response_code(401);
        exit;
    }
    if (!($token instanceof \ParagonIE\Paseto\JsonToken)) {
        http_response_code(401);
        exit;
    }
    $userId = $token->get('user_id');
    // ....
    // do something with the posted data
Is this something that could be considered valid? In the other case, how should we handle it? An example is always a starting point.
thanks
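A self-contained round trip of the flow above, added here as an example and not part of the original post or of the paseto library: it issues a v2.local token carrying an issuer and an expiry, verifies it with the same rules, and shows that a flipped payload byte, a different key and a past expiry all land in the catch block and yield null, so the caller has a single failure path to act on. It assumes paragonie/paseto is installed via Composer; the issuer string and user id are constructed placeholders.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: paragonie/paseto installed via Composer

use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Exception\PasetoException;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Parser;
use ParagonIE\Paseto\ProtocolCollection;
use ParagonIE\Paseto\Protocol\Version2;
use ParagonIE\Paseto\Rules\{IssuedBy, NotExpired};

const ISSUER = 'https://app.example'; // constructed placeholder; the same value must be used on both sides

// Issue a v2.local token bound to an issuer, an expiry and the authenticated user id.
function issueToken(SymmetricKey $key, string $userId, DateTime $expiresAt): string
{
    return (string) Builder::getLocal($key, new Version2())
        ->setIssuer(ISSUER)
        ->setExpiration($expiresAt)
        ->setClaims(['user_id' => $userId]);
}

// Verify a token and return the user id, or null when anything at all is wrong:
// bad tag (tampering or wrong key), disallowed version, expired, or wrong issuer.
function verifyToken(SymmetricKey $key, string $token): ?string
{
    $parser = Parser::getLocal($key, ProtocolCollection::v2())
        ->addRule(new NotExpired())
        ->addRule(new IssuedBy(ISSUER));
    try {
        $userId = $parser->parse($token)->get('user_id'); // get() throws if the claim is missing
    } catch (PasetoException $ex) {
        return null;
    }
    return is_string($userId) ? $userId : null;
}

$key  = new SymmetricKey(random_bytes(32));
$good = issueToken($key, '42', (new DateTime())->add(new DateInterval('P1D')));
var_dump(verifyToken($key, $good));                                  // accepted: the user id

// Flip the first payload character (index 9 follows the "v2.local." prefix): the tag no longer matches.
$tampered = substr_replace($good, $good[9] === 'A' ? 'B' : 'A', 9, 1);
var_dump(verifyToken($key, $tampered));                              // rejected
var_dump(verifyToken(new SymmetricKey(random_bytes(32)), $good));    // rejected: different key
$expired = issueToken($key, '42', (new DateTime())->sub(new DateInterval('PT1H')));
var_dump(verifyToken($key, $expired));                               // rejected by NotExpired
```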