Rev 1321 | Rev 1367 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1321 | Rev 1345 | ||
|---|---|---|---|
| Line 265... | Line 265... | ||
| 265 | } |
265 | } |
| 266 | 266 | ||
| 267 | // Optional feature: Limit the JWT to a specific IP address (used if JWT_FIXED_IP_USER or JWT_FIXED_IP_ADMIN is true) |
267 | // Optional feature: Limit the JWT to a specific IP address (used if JWT_FIXED_IP_USER or JWT_FIXED_IP_ADMIN is true) |
| 268 | $ip = $contentProvider->getValue(self::CLAIM_LIMIT_IP, null); |
268 | $ip = $contentProvider->getValue(self::CLAIM_LIMIT_IP, null); |
| 269 | if (!is_null($ip)) { |
269 | if (!is_null($ip)) { |
| 270 | if (isset($_SERVER['REMOTE_ADDR']) && ($ip !== $_SERVER['REMOTE_ADDR'])) { |
270 | if ($ip !== OIDplus::getClientIpAddress()) { |
| 271 | throw new OIDplusException(_L('Your IP address is not allowed to use this token')); |
271 | throw new OIDplusException(_L('Your IP address is not allowed to use this token')); |
| 272 | } |
272 | } |
| 273 | } |
273 | } |
| 274 | 274 | ||
| 275 | // Checks if JWT are dependent on the generator |
275 | // Checks if JWT are dependent on the generator |
| Line 362... | Line 362... | ||
| 362 | $authSimulation->raLogin($username); |
362 | $authSimulation->raLogin($username); |
| 363 | } |
363 | } |
| 364 | if ($admin) $authSimulation->adminLogin(); |
364 | if ($admin) $authSimulation->adminLogin(); |
| 365 | $authSimulation->setValue(OIDplusAuthContentStoreJWT::CLAIM_GENERATOR, $gen); |
365 | $authSimulation->setValue(OIDplusAuthContentStoreJWT::CLAIM_GENERATOR, $gen); |
| 366 | $authSimulation->setValue('exp', time()+$ttl); |
366 | $authSimulation->setValue('exp', time()+$ttl); |
| - | 367 | if ($limit_ip) { |
|
| 367 | if ($limit_ip && isset($_SERVER['REMOTE_ADDR'])) { |
368 | $cur_ip = OIDplus::getClientIpAddress(); |
| - | 369 | if ($cur_ip !== false) { |
|
| 368 | $authSimulation->setValue(self::CLAIM_LIMIT_IP, $_SERVER['REMOTE_ADDR']); |
370 | $authSimulation->setValue(self::CLAIM_LIMIT_IP, $cur_ip); |
| - | 371 | } |
|
| 369 | } |
372 | } |
| 370 | return $authSimulation->getJWTToken(); |
373 | return $authSimulation->getJWTToken(); |
| 371 | } |
374 | } |
| 372 | 375 | ||
| 373 | // RA authentication functions (low-level) |
376 | // RA authentication functions (low-level) |
| Line 597... | Line 600... | ||
| 597 | $loginfo = 'into existing JWT session'; |
600 | $loginfo = 'into existing JWT session'; |
| 598 | } |
601 | } |
| 599 | $this->raLogin($email); |
602 | $this->raLogin($email); |
| 600 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_USER', 30*24*60*60); |
603 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_USER', 30*24*60*60); |
| 601 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
604 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
| 602 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_USER', false) && isset($_SERVER['REMOTE_ADDR'])) { |
605 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_USER', false)) { |
| - | 606 | $cur_ip = OIDplus::getClientIpAddress(); |
|
| - | 607 | if ($cur_ip !== false) { |
|
| 603 | $this->setValue(self::CLAIM_LIMIT_IP, $_SERVER['REMOTE_ADDR']); |
608 | $this->setValue(self::CLAIM_LIMIT_IP, $cur_ip); |
| - | 609 | } |
|
| 604 | } |
610 | } |
| 605 | } |
611 | } |
| 606 | 612 | ||
| 607 | /** |
613 | /** |
| 608 | * @param string $loginfo |
614 | * @param string $loginfo |
| Line 632... | Line 638... | ||
| 632 | $loginfo = 'into existing JWT session'; |
638 | $loginfo = 'into existing JWT session'; |
| 633 | } |
639 | } |
| 634 | $this->adminLogin(); |
640 | $this->adminLogin(); |
| 635 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_ADMIN', 30*24*60*60); |
641 | $ttl = OIDplus::baseConfig()->getValue('JWT_TTL_LOGIN_ADMIN', 30*24*60*60); |
| 636 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
642 | $this->setValue('exp', time()+$ttl); // JWT "exp" attribute |
| 637 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_ADMIN', false) && isset($_SERVER['REMOTE_ADDR'])) { |
643 | if (OIDplus::baseConfig()->getValue('JWT_FIXED_IP_ADMIN', false)) { |
| - | 644 | $cur_ip = OIDplus::getClientIpAddress(); |
|
| - | 645 | if ($cur_ip !== false) { |
|
| 638 | $this->setValue(self::CLAIM_LIMIT_IP, $_SERVER['REMOTE_ADDR']); |
646 | $this->setValue(self::CLAIM_LIMIT_IP, $cur_ip); |
| - | 647 | } |
|
| 639 | } |
648 | } |
| 640 | } |
649 | } |
| 641 | 650 | ||
| 642 | // Individual functions |
651 | // Individual functions |
| 643 | 652 | ||
| Line 674... | Line 683... | ||
| 674 | $payload["jti"] = gen_uuid(); // always set/renew it; therefore not checking isset() |
683 | $payload["jti"] = gen_uuid(); // always set/renew it; therefore not checking isset() |
| 675 | $payload["iat"] = time(); // always set/renew it; therefore not checking isset() |
684 | $payload["iat"] = time(); // always set/renew it; therefore not checking isset() |
| 676 | if (!isset($payload["nbf"])) $payload["nbf"] = time(); |
685 | if (!isset($payload["nbf"])) $payload["nbf"] = time(); |
| 677 | if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/; |
686 | if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/; |
| 678 | 687 | ||
| - | 688 | $cur_ip = OIDplus::getClientIpAddress(); |
|
| 679 | if (!isset($payload[self::CLAIM_TRACE])) { |
689 | if (!isset($payload[self::CLAIM_TRACE])) { |
| 680 | // "Trace" can be used for later updates |
690 | // "Trace" can be used for later updates |
| 681 | // For example, if the IP changes "too much" (different country, different AS, etc.) |
691 | // For example, if the IP changes "too much" (different country, different AS, etc.) |
| 682 | // Or revoke all tokens from a single login flow (sequence 1, 2, 3, ...) |
692 | // Or revoke all tokens from a single login flow (sequence 1, 2, 3, ...) |
| 683 | $payload[self::CLAIM_TRACE] = array(); |
693 | $payload[self::CLAIM_TRACE] = array(); |
| 684 | $payload[self::CLAIM_TRACE]['iat_1st'] = $payload["iat"]; |
694 | $payload[self::CLAIM_TRACE]['iat_1st'] = $payload["iat"]; |
| 685 | $payload[self::CLAIM_TRACE]['jti_1st'] = $payload["jti"]; |
695 | $payload[self::CLAIM_TRACE]['jti_1st'] = $payload["jti"]; |
| 686 | $payload[self::CLAIM_TRACE]['seq'] = 1; |
696 | $payload[self::CLAIM_TRACE]['seq'] = 1; |
| 687 | $payload[self::CLAIM_TRACE]['ip'] = $_SERVER['REMOTE_ADDR'] ?? ''; |
697 | if ($cur_ip !== false) $payload[self::CLAIM_TRACE]['ip'] = $cur_ip; |
| 688 | $payload[self::CLAIM_TRACE]['ip_1st'] = $payload[self::CLAIM_TRACE]['ip']; |
698 | $payload[self::CLAIM_TRACE]['ip_1st'] = $payload[self::CLAIM_TRACE]['ip']; |
| 689 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
699 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
| 690 | $payload[self::CLAIM_TRACE]['ua_1st'] = $payload[self::CLAIM_TRACE]['ua']; |
700 | $payload[self::CLAIM_TRACE]['ua_1st'] = $payload[self::CLAIM_TRACE]['ua']; |
| 691 | } else { |
701 | } else { |
| 692 | assert(is_numeric($payload[self::CLAIM_TRACE]['seq'])); |
702 | assert(is_numeric($payload[self::CLAIM_TRACE]['seq'])); |
| 693 | $payload[self::CLAIM_TRACE]['seq']++; |
703 | $payload[self::CLAIM_TRACE]['seq']++; |
| 694 | $payload[self::CLAIM_TRACE]['ip'] = $_SERVER['REMOTE_ADDR'] ?? ''; |
704 | if ($cur_ip !== false) $payload[self::CLAIM_TRACE]['ip'] = $cur_ip; |
| 695 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
705 | $payload[self::CLAIM_TRACE]['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; |
| 696 | } |
706 | } |
| 697 | 707 | ||
| 698 | uksort($payload, "strnatcmp"); // this is natsort on the key. Just to make the JWT look nicer. |
708 | uksort($payload, "strnatcmp"); // this is natsort on the key. Just to make the JWT look nicer. |
| 699 | 709 | ||