Regard whitespace Rev 1299 → Rev 1300

/trunk/doc/config_values.md
670,13 → 670,14
 
Allow "Remember me" logins for a RA.
 
### JWT_ALLOW_MANUAL
### JWT_ALLOW_MANUAL_ADMIN and JWT_ALLOW_MANUAL_ADMIN_USER
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL', false);
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_ADMIN', false);
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_USER', false);
 
Allow JWT tokens which were manually created "by hand".
These can have any content you like, but they must
contain the claim "oidplus_generator" with value "2".
contain the claim `oidplus_generator` with value `OIDplusAuthContentStoreJWT::JWT_GENERATOR_MANUAL`.
 
### JWT_TTL_LOGIN_USER
/trunk/includes/classes/OIDplusAuthContentStoreJWT.class.php
161,10 → 161,13
}
}
else if ($gen === self::JWT_GENERATOR_MANUAL) {
// Generator 2 are "hand-crafted" tokens
if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL', false)) {
throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL'));
// Generator: "hand-crafted" tokens
if (($has_admin) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL_ADMIN', false)) {
throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL_ADMIN'));
}
if (($has_ra) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL_USER', false)) {
throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL_USER'));
}
} else {
throw new OIDplusException(_L('Token generator %1 not recognized',$gen));
}
194,7 → 197,7
 
// Optional feature: Limit the JWT to a specific IP address
// Currently not used in OIDplus
$ip = $contentProvider->getValue('ip','');
$ip = $contentProvider->getValue('oidplus_limit_ip','');
if ($ip !== '') {
if (isset($_SERVER['REMOTE_ADDR']) && ($ip !== $_SERVER['REMOTE_ADDR'])) {
throw new OIDplusException(_L('Your IP address is not allowed to use this token'));
441,11 → 444,11
*/
public function getJWTToken(): string {
$payload = $this->content;
$payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash
$payload["iss"] = OIDplus::getEditionInfo()['jwtaud'];
$payload["aud"] = OIDplus::getEditionInfo()['jwtaud'];
$payload["jti"] = gen_uuid();
$payload["iat"] = time();
$payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash
 
if (OIDplus::getPkiStatus()) {
$privKey = OIDplus::getSystemPrivateKey();
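Review bot: In the first hunk the rewritten manual-token branch consults `JWT_ALLOW_MANUAL_ADMIN` only when `$has_admin` is true and `JWT_ALLOW_MANUAL_USER` only when `$has_ra` is true, so a hand-crafted token that carries neither subject passes this gate with no configuration check at all; `$has_admin` and `$has_ra` are computed before the hunk, so whether such a token can still be used for anything cannot be confirmed from here, and either an explicit `if (!$has_admin && !$has_ra) throw new OIDplusException(_L('Manual token carries no subject'));` or a comment recording that a subject-less manual token is inert would settle it. The old `JWT_ALLOW_MANUAL` key is no longer read anywhere in this hunk, so installations that had enabled it will now reject their manual tokens by default — fail-closed, which is the right direction, but it deserves an upgrade note. The config_values.md hunk titles the section `JWT_ALLOW_MANUAL_ADMIN and JWT_ALLOW_MANUAL_ADMIN_USER` while the code and the setValue example both use `JWT_ALLOW_MANUAL_USER`; the heading should name the key that is actually read, otherwise operators may set a key that has no effect. The enclosing method of the first two hunks starts before this section, and getJWTToken() in the third hunk continues past it.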
/trunk/includes/classes/OIDplusAuthContentStoreSession.class.php
97,6 → 97,12
public static function getActiveProvider()/*: ?OIDplusAuthContentStore*/ {
static $contentProvider = null;
 
$rel_url = substr($_SERVER['REQUEST_URI'], strlen(OIDplus::webpath(null, OIDplus::PATH_RELATIVE_TO_ROOT)));
if (str_starts_with($rel_url, 'rest/')) { // <== TODO: Find a way how to move this into the plugin, since REST does not belong to the core. (Maybe some kind of "stateless mode" that is enabled by the REST plugin)
// For REST, we must only allow JWT from Bearer and nothing else! So disable cookies if we are accessing the REST plugin
return null;
}
 
if (!$contentProvider) {
if (self::getSessionHandler()->isActive()) {
$contentProvider = new OIDplusAuthContentStoreSession();
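Review bot: The REST detection added at the top of getActiveProvider() matches the raw `$_SERVER['REQUEST_URI']` with `str_starts_with($rel_url, 'rest/')`, so any spelling the web server or router still dispatches to the REST plugin but that does not begin with exactly `rest/` after the web path (a doubled slash, a `./` segment, percent-encoded letters, a query string is fine) would re-enable cookie-backed sessions for a REST call, which is precisely the cross-site exposure the comment says must be excluded; how OIDplus normalizes the path before routing is not visible here, so this is a hedged concern. A more defensive form would decode and normalize before comparing, e.g. `$rel_url = rawurldecode(strtok($rel_url, '?'));` followed by collapsing repeated slashes and `./` segments, or better still let the REST plugin assert a stateless mode, as the TODO on the same line already suggests. Separately, `$_SERVER['REQUEST_URI']` is unset under CLI and some SAPIs, so `substr()` receives null; `$_SERVER['REQUEST_URI'] ?? ''` keeps the check quiet there. The method continues past the end of this hunk.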
/trunk/includes/classes/OIDplusAuthUtils.class.php
75,20 → 75,15
// TODO: Should we implement these AuthContentStore as plugin type, so that there can be more than just JWT and PHP session?
 
// Logged in via JWT
// (The JWT can come from a REST Authentication Bearer, an AJAX Cookie, or an Automated AJAX Call GET/POST token.)
$tmp = OIDplusAuthContentStoreJWT::getActiveProvider();
if ($tmp) return $tmp;
 
// For REST, we must only allow JWT from Bearer and nothing else! So disable cookies if we are accessing the REST plugin
$rel_url = substr($_SERVER['REQUEST_URI'], strlen(OIDplus::webpath(null, OIDplus::PATH_RELATIVE_TO_ROOT)));
if (!str_starts_with($rel_url, 'rest/')) { // <== TODO: Find a way how to move this into the plugin, since REST does not belong to the core. (Maybe some kind of "stateless mode" that is enabled by the REST plugin)
 
// Normal login via web-browser
// Cookie will only be created once content is stored
$tmp = OIDplusAuthContentStoreSession::getActiveProvider();
if ($tmp) return $tmp;
 
}
 
// No active session and no JWT token available. User is not logged in.
return null;
}