Rev 1277 | Rev 1282 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1277 | Rev 1281 | ||
|---|---|---|---|
| Line 157... | Line 157... | ||
| 157 | 157 | ||
| 158 | // Make sure that the IAT (issued at time) isn't in a blacklisted timeframe |
158 | // Make sure that the IAT (issued at time) isn't in a blacklisted timeframe |
| 159 | // When an user believes that a token was compromised, then they can blacklist the tokens identified by their "iat" ("Issued at") property |
159 | // When an user believes that a token was compromised, then they can blacklist the tokens identified by their "iat" ("Issued at") property |
| 160 | // When a user logs out of a "remember me" session, the JWT token will be blacklisted as well |
160 | // When a user logs out of a "remember me" session, the JWT token will be blacklisted as well |
| 161 | // Small side effect: All "remember me" sessions of that user will be revoked then |
161 | // Small side effect: All "remember me" sessions of that user will be revoked then |
| 162 | $sublist = $contentProvider->loggedInRaList(); |
162 | $iat = $contentProvider->getValue('iat',0); |
| 163 | foreach ($sublist as &$sub) { |
163 | if (($iat-120/*leeway 2min*/) > time()) { |
| 164 | $sub = $sub->raEmail(); |
164 | // Token was created in the future. Something is wrong! |
| - | 165 | throw new OIDplusException(_L('JWT Token cannot be verified because the server time is wrong')); |
|
| 165 | } |
166 | } |
| - | 167 | $sublist = $contentProvider->loggedInRaList(); |
|
| 166 | if ($has_admin) $sublist[] = 'admin'; |
168 | $usernames = array(); |
| 167 | foreach ($sublist as $sub) { |
169 | foreach ($sublist as $sub) { |
| 168 | $bl_time = self::jwtGetBlacklistTime($gen, $sub); |
170 | $usernames[] = $sub->raEmail(); |
| - | 171 | } |
|
| - | 172 | if ($has_admin) $usernames[] = 'admin'; |
|
| - | 173 | foreach ($usernames as $username) { |
|
| 169 | $iat = $contentProvider->getValue('iat',0); |
174 | $bl_time = self::jwtGetBlacklistTime($gen, $username); |
| 170 | if ($iat <= $bl_time) { |
175 | if ($iat <= $bl_time) { |
| - | 176 | // Token is blacklisted (it was created before the last blacklist time) |
|
| 171 | throw new OIDplusException(_L('The JWT token was blacklisted on %1. Please generate a new one',date('d F Y, H:i:s',$bl_time))); |
177 | throw new OIDplusException(_L('The JWT token was blacklisted on %1. Please generate a new one',date('d F Y, H:i:s',$bl_time))); |
| 172 | } |
178 | } |
| 173 | } |
179 | } |
| 174 | 180 | ||
| 175 | // Optional feature: Limit the JWT to a specific IP address |
181 | // Optional feature: Limit the JWT to a specific IP address |