Line 157... | Line 157... | ||
157 | 157 | ||
158 | // Make sure that the IAT (issued at time) isn't in a blacklisted timeframe |
158 | // Make sure that the IAT (issued at time) isn't in a blacklisted timeframe |
159 | // When an user believes that a token was compromised, then they can blacklist the tokens identified by their "iat" ("Issued at") property |
159 | // When an user believes that a token was compromised, then they can blacklist the tokens identified by their "iat" ("Issued at") property |
160 | // When a user logs out of a "remember me" session, the JWT token will be blacklisted as well |
160 | // When a user logs out of a "remember me" session, the JWT token will be blacklisted as well |
161 | // Small side effect: All "remember me" sessions of that user will be revoked then |
161 | // Small side effect: All "remember me" sessions of that user will be revoked then |
162 | $sublist = $contentProvider->loggedInRaList(); |
162 | $iat = $contentProvider->getValue('iat',0); |
163 | foreach ($sublist as &$sub) { |
163 | if (($iat-120/*leeway 2min*/) > time()) { |
164 | $sub = $sub->raEmail(); |
164 | // Token was created in the future. Something is wrong! |
- | 165 | throw new OIDplusException(_L('JWT Token cannot be verified because the server time is wrong')); |
|
165 | } |
166 | } |
- | 167 | $sublist = $contentProvider->loggedInRaList(); |
|
166 | if ($has_admin) $sublist[] = 'admin'; |
168 | $usernames = array(); |
167 | foreach ($sublist as $sub) { |
169 | foreach ($sublist as $sub) { |
168 | $bl_time = self::jwtGetBlacklistTime($gen, $sub); |
170 | $usernames[] = $sub->raEmail(); |
- | 171 | } |
|
- | 172 | if ($has_admin) $usernames[] = 'admin'; |
|
- | 173 | foreach ($usernames as $username) { |
|
169 | $iat = $contentProvider->getValue('iat',0); |
174 | $bl_time = self::jwtGetBlacklistTime($gen, $username); |
170 | if ($iat <= $bl_time) { |
175 | if ($iat <= $bl_time) { |
- | 176 | // Token is blacklisted (it was created before the last blacklist time) |
|
171 | throw new OIDplusException(_L('The JWT token was blacklisted on %1. Please generate a new one',date('d F Y, H:i:s',$bl_time))); |
177 | throw new OIDplusException(_L('The JWT token was blacklisted on %1. Please generate a new one',date('d F Y, H:i:s',$bl_time))); |
172 | } |
178 | } |
173 | } |
179 | } |
174 | 180 | ||
175 | // Optional feature: Limit the JWT to a specific IP address |
181 | // Optional feature: Limit the JWT to a specific IP address |
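Review bot: The `$iat = $contentProvider->getValue('iat',0);` on new line 162 turns a token that carries no `iat` claim into one "issued" at epoch 0: the future-time check on line 163 then passes trivially, and whether line 175 rejects it depends on the sentinel `jwtGetBlacklistTime` returns for a user who has never blacklisted anything, which is not visible here (a 0 would produce a confusing "blacklisted on 01 January 1970" message, a negative value would accept a token this mechanism can then never revoke). Since every token this code is meant to verify presumably carries `iat`, it seems safer to reject its absence or a non-integer value explicitly before either comparison, e.g. `$iat = $contentProvider->getValue('iat', null); if (!is_int($iat)) throw new OIDplusException(_L('JWT token has no valid "iat" claim'));` (assuming `getValue` returns the supplied default when the claim is missing). The `is_int` guard also keeps a non-numeric `iat` from reaching the `$iat-120` arithmetic on line 163, unless the signature/claim validation earlier in the method already pins the claim's type. The enclosing method starts and ends outside this hunk.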