Edit File by line

<?php

[0] Fix | Delete

[1] Fix | Delete

class wfJWT {

[2] Fix | Delete

[3] Fix | Delete

private $claims;

[4] Fix | Delete

const JWT_TTL = 600;

[5] Fix | Delete

const ISSUER = 600;

[6] Fix | Delete

[7] Fix | Delete

public static function extractTokenContents($token) {

[8] Fix | Delete

if (!is_string($token)) {

[9] Fix | Delete

throw new InvalidArgumentException('Token is not a string. ' . gettype($token) . ' given.');

[10] Fix | Delete

}

[11] Fix | Delete

[12] Fix | Delete

// Verify the token matches the JWT format.

[13] Fix | Delete

if (!preg_match('/^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?$/', $token)) {

[14] Fix | Delete

throw new wfJWTException('Invalid token format.');

[15] Fix | Delete

}

[16] Fix | Delete

list($header, $body, $signature) = explode('.', $token);

[17] Fix | Delete

[18] Fix | Delete

// Test that the token is valid and not expired.

[19] Fix | Delete

$decodedHeader = base64_decode($header);

[20] Fix | Delete

[21] Fix | Delete

if (!(is_string($decodedHeader) && $decodedHeader)) {

[22] Fix | Delete

throw new wfJWTException('Token header is invalid.');

[23] Fix | Delete

}

[24] Fix | Delete

[25] Fix | Delete

$header = json_decode($decodedHeader, true);

[26] Fix | Delete

if (!is_array($header)) {

[27] Fix | Delete

throw new wfJWTException('Token header is invalid.');

[28] Fix | Delete

}

[29] Fix | Delete

[30] Fix | Delete

$decodedBody = base64_decode($body);

[31] Fix | Delete

[32] Fix | Delete

if (!(is_string($decodedBody) && $decodedBody)) {

[33] Fix | Delete

throw new wfJWTException('Token body is invalid.');

[34] Fix | Delete

}

[35] Fix | Delete

[36] Fix | Delete

$body = json_decode($decodedBody, true);

[37] Fix | Delete

if (!is_array($body)) {

[38] Fix | Delete

throw new wfJWTException('Token body is invalid.');

[39] Fix | Delete

}

[40] Fix | Delete

[41] Fix | Delete

return array(

[42] Fix | Delete

'header' => $header,

[43] Fix | Delete

'body' => $body,

[44] Fix | Delete

'signature' => $signature,

[45] Fix | Delete

);

[46] Fix | Delete

[47] Fix | Delete

}

[48] Fix | Delete

[49] Fix | Delete

/**

[50] Fix | Delete

* @param mixed $subject

[51] Fix | Delete

[52] Fix | Delete

public function __construct($subject = null) {

[53] Fix | Delete

$this->claims = $this->getClaimDefaults();

[54] Fix | Delete

$this->claims['sub'] = $subject;

[55] Fix | Delete

}

[56] Fix | Delete

[57] Fix | Delete

/**

[58] Fix | Delete

* @return string

[59] Fix | Delete

[60] Fix | Delete

public function encode() {

[61] Fix | Delete

$header = $this->encodeString($this->buildHeader());

[62] Fix | Delete

$body = $this->encodeString($this->buildBody());

[63] Fix | Delete

return sprintf('%s.%s.%s', $header, $body,

[64] Fix | Delete

$this->encodeString($this->sign(sprintf('%s.%s', $header, $body))));

[65] Fix | Delete

}

[66] Fix | Delete

[67] Fix | Delete

/**

[68] Fix | Delete

* @param string $token

[69] Fix | Delete

* @return array

[70] Fix | Delete

* @throws wfJWTException|InvalidArgumentException

[71] Fix | Delete

[72] Fix | Delete

public function decode($token) {

[73] Fix | Delete

if (!is_string($token)) {

[74] Fix | Delete

throw new InvalidArgumentException('Token is not a string. ' . gettype($token) . ' given.');

[75] Fix | Delete

}

[76] Fix | Delete

[77] Fix | Delete

// Verify the token matches the JWT format.

[78] Fix | Delete

if (!preg_match('/^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?$/', $token)) {

[79] Fix | Delete

throw new wfJWTException('Invalid token format.');

[80] Fix | Delete

}

[81] Fix | Delete

list($header, $body, $signature) = explode('.', $token);

[82] Fix | Delete

[83] Fix | Delete

// Verify signature matches the supplied payload.

[84] Fix | Delete

if (!$this->verifySignature($this->decodeString($signature), sprintf('%s.%s', $header, $body))) {

[85] Fix | Delete

throw new wfJWTException('Invalid signature.');

[86] Fix | Delete

}

[87] Fix | Delete

[88] Fix | Delete

// Test that the token is valid and not expired.

[89] Fix | Delete

$decodedHeader = base64_decode($header);

[90] Fix | Delete

[91] Fix | Delete

if (!(is_string($decodedHeader) && $decodedHeader)) {

[92] Fix | Delete

throw new wfJWTException('Token header is invalid.');

[93] Fix | Delete

}

[94] Fix | Delete

[95] Fix | Delete

$header = json_decode($decodedHeader, true);

[96] Fix | Delete

if (!(

[97] Fix | Delete

is_array($header) &&

[98] Fix | Delete

array_key_exists('alg', $header) &&

[99] Fix | Delete

$header['alg'] === 'HS256' &&

[100] Fix | Delete

$header['typ'] === 'JWT'

[101] Fix | Delete

)) {

[102] Fix | Delete

throw new wfJWTException('Token header is invalid.');

[103] Fix | Delete

}

[104] Fix | Delete

[105] Fix | Delete

$decodedBody = base64_decode($body);

[106] Fix | Delete

[107] Fix | Delete

if (!(is_string($decodedBody) && $decodedBody)) {

[108] Fix | Delete

throw new wfJWTException('Token body is invalid.');

[109] Fix | Delete

}

[110] Fix | Delete

[111] Fix | Delete

$body = json_decode($decodedBody, true);

[112] Fix | Delete

if (!(

[113] Fix | Delete

is_array($body) &&

[114] Fix | Delete

[115] Fix | Delete

// Check the token not before now timestamp.

[116] Fix | Delete

array_key_exists('nbf', $body) &&

[117] Fix | Delete

is_numeric($body['nbf']) &&

[118] Fix | Delete

$body['nbf'] <= time() &&

[119] Fix | Delete

[120] Fix | Delete

// Check the token is not expired.

[121] Fix | Delete

array_key_exists('exp', $body) &&

[122] Fix | Delete

is_numeric($body['exp']) &&

[123] Fix | Delete

$body['exp'] >= time() &&

[124] Fix | Delete

[125] Fix | Delete

// Check the issuer and audience is ours.

[126] Fix | Delete

$body['iss'] === 'Wordfence ' . WORDFENCE_VERSION &&

[127] Fix | Delete

$body['aud'] === 'Wordfence Central'

[128] Fix | Delete

)) {

[129] Fix | Delete

throw new wfJWTException('Token is invalid or expired.');

[130] Fix | Delete

}

[131] Fix | Delete

[132] Fix | Delete

return array(

[133] Fix | Delete

'header' => $header,

[134] Fix | Delete

'body' => $body,

[135] Fix | Delete

);

[136] Fix | Delete

}

[137] Fix | Delete

[138] Fix | Delete

/**

[139] Fix | Delete

* @param string $string

[140] Fix | Delete

* @return string

[141] Fix | Delete

[142] Fix | Delete

public function sign($string) {

[143] Fix | Delete

$salt = wp_salt('auth');

[144] Fix | Delete

[145] Fix | Delete

return hash_hmac('sha256', $string, $salt, true);

[146] Fix | Delete

}

[147] Fix | Delete

[148] Fix | Delete

/**

[149] Fix | Delete

* @param string $signature

[150] Fix | Delete

* @param string $message

[151] Fix | Delete

* @return bool

[152] Fix | Delete

[153] Fix | Delete

public function verifySignature($signature, $message) {

[154] Fix | Delete

return hash_equals($this->sign($message), $signature);

[155] Fix | Delete

}

[156] Fix | Delete

[157] Fix | Delete

/**

[158] Fix | Delete

* @return string

[159] Fix | Delete

[160] Fix | Delete

public function __toString() {

[161] Fix | Delete

return $this->encode();

[162] Fix | Delete

}

[163] Fix | Delete

[164] Fix | Delete

/**

[165] Fix | Delete

* @param string $data

[166] Fix | Delete

* @return string

[167] Fix | Delete

[168] Fix | Delete

public function encodeString($data) {

[169] Fix | Delete

return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');

[170] Fix | Delete

}

[171] Fix | Delete

[172] Fix | Delete

/**

[173] Fix | Delete

* @param string $data

[174] Fix | Delete

* @return bool|string

[175] Fix | Delete

[176] Fix | Delete

public function decodeString($data) {

[177] Fix | Delete

return base64_decode(strtr($data, '-_', '+/'));

[178] Fix | Delete

}

[179] Fix | Delete

[180] Fix | Delete

/**

[181] Fix | Delete

* @return mixed|string

[182] Fix | Delete

[183] Fix | Delete

protected function buildHeader() {

[184] Fix | Delete

return '{"alg":"HS256","typ":"JWT"}';

[185] Fix | Delete

}

[186] Fix | Delete

[187] Fix | Delete

/**

[188] Fix | Delete

* @return mixed|string

[189] Fix | Delete

[190] Fix | Delete

protected function buildBody() {

[191] Fix | Delete

return json_encode($this->getClaims());

[192] Fix | Delete

}

[193] Fix | Delete

[194] Fix | Delete

/**

[195] Fix | Delete

* @return array

[196] Fix | Delete

[197] Fix | Delete

protected function getClaimDefaults() {

[198] Fix | Delete

$now = time();

[199] Fix | Delete

return array(

[200] Fix | Delete

'iss' => 'Wordfence ' . WORDFENCE_VERSION,

[201] Fix | Delete

'aud' => 'Wordfence Central',

[202] Fix | Delete

'nbf' => $now,

[203] Fix | Delete

'iat' => $now,

[204] Fix | Delete

'exp' => $now + self::JWT_TTL,

[205] Fix | Delete

);

[206] Fix | Delete

}

[207] Fix | Delete

[208] Fix | Delete

/**

[209] Fix | Delete

* @param array $claims

[210] Fix | Delete

[211] Fix | Delete

public function addClaims($claims) {

[212] Fix | Delete

if (!is_array($claims)) {

[213] Fix | Delete

throw new InvalidArgumentException(__METHOD__ . ' expects argument 1 to be array.');

[214] Fix | Delete

}

[215] Fix | Delete

$this->setClaims(array_merge($this->getClaims(), $claims));

[216] Fix | Delete

}

[217] Fix | Delete

[218] Fix | Delete

/**

[219] Fix | Delete

* @return array

[220] Fix | Delete

[221] Fix | Delete

public function getClaims() {

[222] Fix | Delete

return $this->claims;

[223] Fix | Delete

}

[224] Fix | Delete

[225] Fix | Delete

/**

[226] Fix | Delete

* @param array $claims

[227] Fix | Delete

[228] Fix | Delete

public function setClaims($claims) {

[229] Fix | Delete

$this->claims = $claims;

[230] Fix | Delete

}

[231] Fix | Delete

}

[232] Fix | Delete

[233] Fix | Delete

class wfJWTException extends Exception {

[234] Fix | Delete

[235] Fix | Delete

}

[236] Fix | Delete