| 159,15 → 159,21 |
|---|
| // When an user believes that a token was compromised, then they can blacklist the tokens identified by their "iat" ("Issued at") property |
| // When a user logs out of a "remember me" session, the JWT token will be blacklisted as well |
| // Small side effect: All "remember me" sessions of that user will be revoked then |
| $iat = $contentProvider->getValue('iat',0); |
| if (($iat-120/*leeway 2min*/) > time()) { |
| // Token was created in the future. Something is wrong! |
| throw new OIDplusException(_L('JWT Token cannot be verified because the server time is wrong')); |
| } |
| $sublist = $contentProvider->loggedInRaList(); |
| foreach ($sublist as &$sub) { |
| $sub = $sub->raEmail(); |
| $usernames = array(); |
| foreach ($sublist as $sub) { |
| $usernames[] = $sub->raEmail(); |
| } |
| if ($has_admin) $sublist[] = 'admin'; |
| foreach ($sublist as $sub) { |
| $bl_time = self::jwtGetBlacklistTime($gen, $sub); |
| $iat = $contentProvider->getValue('iat',0); |
| if ($has_admin) $usernames[] = 'admin'; |
| foreach ($usernames as $username) { |
| $bl_time = self::jwtGetBlacklistTime($gen, $username); |
| if ($iat <= $bl_time) { |
| // Token is blacklisted (it was created before the last blacklist time) |
| throw new OIDplusException(_L('The JWT token was blacklisted on %1. Please generate a new one',date('d F Y, H:i:s',$bl_time))); |
| } |
| } |