Rev 1282 | Rev 1300 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1282 | Rev 1283 | ||
|---|---|---|---|
| Line 381... | Line 381... | ||
| 381 | } |
381 | } |
| 382 | 382 | ||
| 383 | // Authentication keys for generating secrets or validating arguments (e.g. sent by mail) |
383 | // Authentication keys for generating secrets or validating arguments (e.g. sent by mail) |
| 384 | 384 | ||
| 385 | /** |
385 | /** |
| 386 | * @param string $data |
386 | * @param array|string $data |
| 387 | * @return string |
387 | * @return string |
| 388 | * @throws OIDplusException |
388 | * @throws OIDplusException |
| 389 | */ |
389 | */ |
| 390 | public function makeSecret(string $data): string { |
390 | public function makeSecret($data): string { |
| - | 391 | if (!is_array($data)) $data = [$data]; |
|
| - | 392 | $data = json_encode($data); |
|
| 391 | return sha3_512_hmac($data, 'OIDplus:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false); |
393 | return sha3_512_hmac($data, 'OIDplus:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false); |
| 392 | } |
394 | } |
| 393 | 395 | ||
| 394 | /** |
396 | /** |
| 395 | * @param string $data |
397 | * @param array|string $data Arbitary data to be validated later |
| 396 | * @return string |
398 | * @return string A string that need to be validated with validateAuthKey |
| 397 | * @throws OIDplusException |
399 | * @throws OIDplusException |
| 398 | */ |
400 | */ |
| 399 | public function makeAuthKey(string $data): string { |
401 | public function makeAuthKey($data): string { |
| - | 402 | if (!is_array($data)) $data = [$data]; |
|
| - | 403 | $ts = time(); |
|
| - | 404 | $data_ext = [$ts, $data]; |
|
| 400 | return $this->makeSecret($data); |
405 | $secret = $this->makeSecret($data_ext); |
| - | 406 | return $ts.'.'.$secret; |
|
| 401 | } |
407 | } |
| 402 | 408 | ||
| 403 | /** |
409 | /** |
| 404 | * @param string $data |
410 | * @param array|string $data The original data that had been passed to makeAuthKey() |
| 405 | * @param string $auth_key |
411 | * @param string $auth_key The result from makeAuthKey() |
| - | 412 | * @param int $valid_secs How many seconds is the auth key valid? (-1 for infinite) |
|
| 406 | * @return bool |
413 | * @return bool True if the key is valid and not expired. |
| 407 | * @throws OIDplusException |
414 | * @throws OIDplusException |
| 408 | */ |
415 | */ |
| 409 | public function validateAuthKey(string $data, string $auth_key): bool { |
416 | public function validateAuthKey($data, string $auth_key, int $valid_secs=-1): bool { |
| - | 417 | $auth_key_ary = explode('.', $auth_key, 2); |
|
| - | 418 | if (count($auth_key_ary) != 2) return false; // invalid auth key syntax |
|
| - | 419 | list($ts, $secret) = $auth_key_ary; |
|
| - | 420 | if (!is_numeric($ts)) return false; // invalid auth key syntax |
|
| - | 421 | if ($valid_secs >= 0) { |
|
| - | 422 | if (time() > ($ts+$valid_secs)) return false; // expired auth key |
|
| - | 423 | } |
|
| - | 424 | if (!is_array($data)) $data = [$data]; |
|
| - | 425 | $data_ext = [(int)$ts, $data]; |
|
| 410 | return hash_equals($this->makeAuthKey($data), $auth_key); |
426 | return hash_equals($this->makeSecret($data_ext), $secret); |
| 411 | } |
427 | } |
| 412 | 428 | ||
| 413 | // "Veto" functions to force logout state |
429 | // "Veto" functions to force logout state |
| 414 | 430 | ||
| 415 | /** |
431 | /** |