Line 265... | Line 265... | ||
265 | } |
265 | } |
266 | 266 | ||
267 | // Optional feature: Limit the JWT to a specific IP address (used if JWT_FIXED_IP_USER or JWT_FIXED_IP_ADMIN is true) |
267 | // Optional feature: Limit the JWT to a specific IP address (used if JWT_FIXED_IP_USER or JWT_FIXED_IP_ADMIN is true) |
268 | $ip = $contentProvider->getValue(self::CLAIM_LIMIT_IP, null); |
268 | $ip = $contentProvider->getValue(self::CLAIM_LIMIT_IP, null); |
269 | if (!is_null($ip)) { |
269 | if (!is_null($ip)) { |
270 | if (isset($_SERVER['REMOTE_ADDR']) && ($ip !== $_SERVER['REMOTE_ADDR'])) { |
270 | if ($ip !== OIDplus::getClientIpAddress()) { |
271 | throw new OIDplusException(_L('Your IP address is not allowed to use this token')); |
271 | throw new OIDplusException(_L('Your IP address is not allowed to use this token')); |
272 | } |
272 | } |
273 | } |
273 | } |
274 | 274 | ||
275 | // Checks if JWT are dependent on the generator |
275 | // Checks if JWT are dependent on the generator |
Line 362... | Line 362... | ||
362 | $authSimulation->raLogin($username); |
362 | $authSimulation->raLogin($username); |
363 | } |
363 | } |
364 | if ($admin) $authSimulation->adminLogin(); |
364 | if ($admin) $authSimulation->adminLogin(); |
365 | $authSimulation->setValue(OIDplusAuthContentStoreJWT::CLAIM_GENERATOR, $gen); |
365 | $authSimulation->setValue(OIDplusAuthContentStoreJWT::CLAIM_GENERATOR, $gen); |
366 | $authSimulation->setValue('exp', time()+$ttl); |
366 | $authSimulation->setValue('exp', time()+$ttl); |
- | 367 | if ($limit_ip) { |
|
367 | if ($limit_ip && isset($_SERVER['REMOTE_ADDR'])) { |
368 | $cur_ip = OIDplus::getClientIpAddress(); |
- | 369 | if ($cur_ip !== false) { |
|
368 | $authSimulation->setValue(self::CLAIM_LIMIT_IP, $_SERVER['REMOTE_ADDR']); |
370 | $authSimulation->setValue(self::CLAIM_LIMIT_IP, $cur_ip); |
- | 371 | } |
|
369 | } |
372 | } |
370 | return $authSimulation->getJWTToken(); |
373 | return $authSimulation->getJWTToken(); |
371 | } |
374 | } |
372 | 375 | ||
373 | // RA authentication functions (low-level) |
376 | // RA authentication functions (low-level) |
Line 597... | Line 600... | ||
597 | $loginfo = 'into existing JWT session'; |
600 | $loginfo = 'into existing JWT session'; |
598 | } |
601 | } |
599 | $this->raLogin($email); |
602 | $this->raLogin($email); |
600 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_USER', 30*24*60*60); |
603 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_USER', 30*24*60*60); |
601 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
604 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
602 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_USER', false) && isset($_SERVER['REMOTE_ADDR'])) { |
605 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_USER', false)) { |
- | 606 | $cur_ip = OIDplus::getClientIpAddress(); |
|
- | 607 | if ($cur_ip !== false) { |
|
603 | $this->setValue(self::CLAIM_LIMIT_IP, $_SERVER['REMOTE_ADDR']); |
608 | $this->setValue(self::CLAIM_LIMIT_IP, $cur_ip); |
- | 609 | } |
|
604 | } |
610 | } |
605 | } |
611 | } |
606 | 612 | ||
607 | /** |
613 | /** |
608 | * @param string $loginfo |
614 | * @param string $loginfo |
Line 632... | Line 638... | ||
632 | $loginfo = 'into existing JWT session'; |
638 | $loginfo = 'into existing JWT session'; |
633 | } |
639 | } |
634 | $this->adminLogin(); |
640 | $this->adminLogin(); |
635 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_ADMIN', 30*24*60*60); |
641 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_ADMIN', 30*24*60*60); |
636 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
642 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
637 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_ADMIN', false) && isset($_SERVER['REMOTE_ADDR'])) { |
643 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_ADMIN', false)) { |
- | 644 | $cur_ip = OIDplus::getClientIpAddress(); |
|
- | 645 | if ($cur_ip !== false) { |
|
638 | $this->setValue(self::CLAIM_LIMIT_IP, $_SERVER['REMOTE_ADDR']); |
646 | $this->setValue(self::CLAIM_LIMIT_IP, $cur_ip); |
- | 647 | } |
|
639 | } |
648 | } |
640 | } |
649 | } |
641 | 650 | ||
642 | // Individual functions |
651 | // Individual functions |
643 | 652 | ||
Line 674... | Line 683... | ||
674 | $payload["jti"] = gen_uuid(); // always set/renew it; therefore not checking isset() |
683 | $payload["jti"] = gen_uuid(); // always set/renew it; therefore not checking isset() |
675 | $payload["iat"] = time(); // always set/renew it; therefore not checking isset() |
684 | $payload["iat"] = time(); // always set/renew it; therefore not checking isset() |
676 | if (!isset($payload["nbf"])) $payload["nbf"] = time(); |
685 | if (!isset($payload["nbf"])) $payload["nbf"] = time(); |
677 | if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/; |
686 | if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/; |
678 | 687 | ||
- | 688 | $cur_ip = OIDplus::getClientIpAddress(); |
|
679 | if (!isset($payload[self::CLAIM_TRACE])) { |
689 | if (!isset($payload[self::CLAIM_TRACE])) { |
680 | // "Trace" can be used for later updates |
690 | // "Trace" can be used for later updates |
681 | // For example, if the IP changes "too much" (different country, different AS, etc.) |
691 | // For example, if the IP changes "too much" (different country, different AS, etc.) |
682 | // Or revoke all tokens from a single login flow (sequence 1, 2, 3, ...) |
692 | // Or revoke all tokens from a single login flow (sequence 1, 2, 3, ...) |
683 | $payload[self::CLAIM_TRACE] = array(); |
693 | $payload[self::CLAIM_TRACE] = array(); |
684 | $payload[self::CLAIM_TRACE]['iat_1st'] = $payload["iat"]; |
694 | $payload[self::CLAIM_TRACE]['iat_1st'] = $payload["iat"]; |
685 | $payload[self::CLAIM_TRACE]['jti_1st'] = $payload["jti"]; |
695 | $payload[self::CLAIM_TRACE]['jti_1st'] = $payload["jti"]; |
686 | $payload[self::CLAIM_TRACE]['seq'] = 1; |
696 | $payload[self::CLAIM_TRACE]['seq'] = 1; |
687 | $payload[self::CLAIM_TRACE]['ip'] = $_SERVER['REMOTE_ADDR'] ?? ''; |
697 | if ($cur_ip !== false) $payload[self::CLAIM_TRACE]['ip'] = $cur_ip; |
688 | $payload[self::CLAIM_TRACE]['ip_1st'] = $payload[self::CLAIM_TRACE]['ip']; |
698 | $payload[self::CLAIM_TRACE]['ip_1st'] = $payload[self::CLAIM_TRACE]['ip']; |
689 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
699 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
690 | $payload[self::CLAIM_TRACE]['ua_1st'] = $payload[self::CLAIM_TRACE]['ua']; |
700 | $payload[self::CLAIM_TRACE]['ua_1st'] = $payload[self::CLAIM_TRACE]['ua']; |
691 | } else { |
701 | } else { |
692 | assert(is_numeric($payload[self::CLAIM_TRACE]['seq'])); |
702 | assert(is_numeric($payload[self::CLAIM_TRACE]['seq'])); |
693 | $payload[self::CLAIM_TRACE]['seq']++; |
703 | $payload[self::CLAIM_TRACE]['seq']++; |
694 | $payload[self::CLAIM_TRACE]['ip'] = $_SERVER['REMOTE_ADDR'] ?? ''; |
704 | if ($cur_ip !== false) $payload[self::CLAIM_TRACE]['ip'] = $cur_ip; |
695 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
705 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
696 | } |
706 | } |
697 | 707 | ||
698 | uksort($payload, "strnatcmp"); // this is natsort on the key. Just to make the JWT look nicer. |
708 | uksort($payload, "strnatcmp"); // this is natsort on the key. Just to make the JWT look nicer. |
699 | 709 |
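Review bot: In the trace-initialisation branch (new lines 697-698) `['ip']` is only assigned when `$cur_ip !== false`, so when getClientIpAddress() reports no address the following line `['ip_1st'] = $payload[self::CLAIM_TRACE]['ip']` reads a key that was never set (undefined-array-key warning, null stored in `ip_1st`), whereas the old `?? ''` form always produced a string; the enclosing method starts before this hunk. A one-line change keeps the payload shape stable: `$payload[self::CLAIM_TRACE]['ip'] = ($cur_ip !== false) ? $cur_ip : '';`. In the `else` branch the same guard now leaves the previous `ip` in place when the address is unavailable, where the old code reset it to `''`; if "keep last known IP" is intended, a short comment saying so would help. Separately, the check at new line 270 is fail-closed (an unknown client address makes `$ip !== false` true and the IP-bound token is rejected), which is the right default but deserves a comment such as `// fail closed: an undeterminable client address never matches a bound token`. How strong that binding is depends on whether getClientIpAddress() trusts proxy-supplied headers, which is not visible in this hunk.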