Edit File by line

<?php

[0] Fix | Delete

[1] Fix | Delete

namespace WordfenceLS\Crypto;

[2] Fix | Delete

[3] Fix | Delete

use WordfenceLS\Controller_Time;

[4] Fix | Delete

use WordfenceLS\Model_Crypto;

[5] Fix | Delete

[6] Fix | Delete

/**

[7] Fix | Delete

* Class Model_JWT

[8] Fix | Delete

* @package Wordfence2FA\Crypto

[9] Fix | Delete

* @property array $payload

[10] Fix | Delete

* @property int $expiration

[11] Fix | Delete

[12] Fix | Delete

class Model_JWT {

[13] Fix | Delete

private $_payload;

[14] Fix | Delete

private $_expiration;

[15] Fix | Delete

[16] Fix | Delete

/**

[17] Fix | Delete

* Decodes and returns the payload of a JWT. This also validates the signature and expiration. Currently assumes HS256 JWTs.

[18] Fix | Delete

[19] Fix | Delete

* @param string $token

[20] Fix | Delete

* @return Model_JWT|bool The decoded JWT or false if the token is invalid or fails validation.

[21] Fix | Delete

[22] Fix | Delete

public static function decode_jwt($token) {

[23] Fix | Delete

$components = explode('.', $token);

[24] Fix | Delete

if (count($components) != 3) {

[25] Fix | Delete

return false;

[26] Fix | Delete

}

[27] Fix | Delete

[28] Fix | Delete

$key = Model_Crypto::shared_hash_secret();

[29] Fix | Delete

$body = $components[0] . '.' . $components[1];

[30] Fix | Delete

$signature = hash_hmac('sha256', $body, $key, true);

[31] Fix | Delete

$testSignature = self::base64url_decode($components[2]);

[32] Fix | Delete

if (!hash_equals($signature, $testSignature)) {

[33] Fix | Delete

return false;

[34] Fix | Delete

}

[35] Fix | Delete

[36] Fix | Delete

$json = self::base64url_decode($components[1]);

[37] Fix | Delete

$payload = @json_decode($json, true);

[38] Fix | Delete

$expiration = false;

[39] Fix | Delete

if (isset($payload['_exp'])) {

[40] Fix | Delete

$expiration = $payload['_exp'];

[41] Fix | Delete

[42] Fix | Delete

if ($payload['_exp'] < Controller_Time::time()) {

[43] Fix | Delete

return false;

[44] Fix | Delete

}

[45] Fix | Delete

[46] Fix | Delete

unset($payload['_exp']);

[47] Fix | Delete

}

[48] Fix | Delete

[49] Fix | Delete

return new self($payload, $expiration);

[50] Fix | Delete

}

[51] Fix | Delete

[52] Fix | Delete

/**

[53] Fix | Delete

* Model_JWT constructor.

[54] Fix | Delete

[55] Fix | Delete

* @param array $payload

[56] Fix | Delete

* @param bool|int $expiration

[57] Fix | Delete

[58] Fix | Delete

public function __construct($payload, $expiration = false) {

[59] Fix | Delete

$this->_payload = $payload;

[60] Fix | Delete

$this->_expiration = $expiration;

[61] Fix | Delete

}

[62] Fix | Delete

[63] Fix | Delete

public function __toString() {

[64] Fix | Delete

$payload = $this->_payload;

[65] Fix | Delete

if ($this->_expiration !== false) {

[66] Fix | Delete

$payload['_exp'] = $this->_expiration;

[67] Fix | Delete

}

[68] Fix | Delete

$key = Model_Crypto::shared_hash_secret();

[69] Fix | Delete

$header = '{"alg":"HS256","typ":"JWT"}';

[70] Fix | Delete

$body = self::base64url_encode($header) . '.' . self::base64url_encode(json_encode($payload));

[71] Fix | Delete

$signature = hash_hmac('sha256', $body, $key, true);

[72] Fix | Delete

return $body . '.' . self::base64url_encode($signature);

[73] Fix | Delete

}

[74] Fix | Delete

[75] Fix | Delete

public function __isset($key) {

[76] Fix | Delete

switch ($key) {

[77] Fix | Delete

case 'payload':

[78] Fix | Delete

case 'expiration':

[79] Fix | Delete

return true;

[80] Fix | Delete

}

[81] Fix | Delete

[82] Fix | Delete

throw new \OutOfBoundsException('Invalid key: ' . $key);

[83] Fix | Delete

}

[84] Fix | Delete

[85] Fix | Delete

public function __get($key) {

[86] Fix | Delete

switch ($key) {

[87] Fix | Delete

case 'payload':

[88] Fix | Delete

return $this->_payload;

[89] Fix | Delete

case 'expiration':

[90] Fix | Delete

return $this->_expiration;

[91] Fix | Delete

}

[92] Fix | Delete

[93] Fix | Delete

throw new \OutOfBoundsException('Invalid key: ' . $key);

[94] Fix | Delete

}

[95] Fix | Delete

[96] Fix | Delete

/**

[97] Fix | Delete

* Utility

[98] Fix | Delete

[99] Fix | Delete

[100] Fix | Delete

/**

[101] Fix | Delete

* Base64URL-encodes the given payload. This is identical to base64_encode except it substitutes characters

[102] Fix | Delete

* not safe for use in URLs.

[103] Fix | Delete

[104] Fix | Delete

* @param string $payload

[105] Fix | Delete

* @return string

[106] Fix | Delete

[107] Fix | Delete

public static function base64url_encode($payload) {

[108] Fix | Delete

return self::base64url_convert_to(base64_encode($payload));

[109] Fix | Delete

}

[110] Fix | Delete

[111] Fix | Delete

public static function base64url_convert_to($base64) {

[112] Fix | Delete

$intermediate = rtrim($base64, '=');

[113] Fix | Delete

$intermediate = str_replace('+', '-', $intermediate);

[114] Fix | Delete

$intermediate = str_replace('/', '_', $intermediate);

[115] Fix | Delete

return $intermediate;

[116] Fix | Delete

}

[117] Fix | Delete

[118] Fix | Delete

/**

[119] Fix | Delete

* Base64URL-decodes the given payload. This is identical to base64_encode except it allows for the characters

[120] Fix | Delete

* substituted by base64url_encode.

[121] Fix | Delete

[122] Fix | Delete

* @param string $payload

[123] Fix | Delete

* @return string

[124] Fix | Delete

[125] Fix | Delete

public static function base64url_decode($payload) {

[126] Fix | Delete

return base64_decode(self::base64url_convert_from($payload));

[127] Fix | Delete

}

[128] Fix | Delete

[129] Fix | Delete

public static function base64url_convert_from($base64url) {

[130] Fix | Delete

$intermediate = str_replace('_', '/', $base64url);

[131] Fix | Delete

$intermediate = str_replace('-', '+', $intermediate);

[132] Fix | Delete

return $intermediate;

[133] Fix | Delete

}

[134] Fix | Delete

}

[135] Fix | Delete