<?php |
declare(strict_types=1); |
namespace Facile\JoseVerifier\Validate; |
use Facile\JoseVerifier\Exception\RuntimeException; |
use Jose\Component\Checker; |
use Jose\Component\Core\AlgorithmManager; |
use Jose\Component\Core\Util\JsonConverter; |
use Jose\Component\Signature\Algorithm; |
use Jose\Component\Signature\JWSTokenSupport; |
use Jose\Component\Signature\JWSVerifier; |
use Jose\Component\Signature\Serializer\CompactSerializer; |
use Jose\Easy\AbstractLoader; |
use Jose\Easy\JWT; |
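class Validate extends AbstractLoader
{
    /**
     * Start a validation chain for a compact-serialized JWS token.
     */
    public static function token(string $token): self
    {
        return new self($token);
    }

    /**
     * Check the protected header, verify the signature against the key set and
     * then check the claims; returns the decoded token on success.
     *
     * @throws RuntimeException when the signature does not verify against the key set
     */
    public function run(): JWT
    {
        // Work on a local copy of the header checkers: appending to
        // $this->headerCheckers on every call would accumulate one duplicate
        // AlgorithmChecker per run() invocation on the same instance.
        $headerCheckers = $this->headerCheckers;
        if (0 !== \count($this->allowedAlgorithms)) {
            // The allow-list is only enforced when one was configured; with an
            // empty list nothing in this method restricts the "alg" header.
            // The `true` requires "alg" to be taken from the protected header.
            $headerCheckers[] = new Checker\AlgorithmChecker($this->allowedAlgorithms, true);
        }

        // Header checks run before signature verification. Index 0 is the only
        // signature a compact-serialized JWS carries.
        $jws = (new CompactSerializer())->unserialize($this->token);
        $headerChecker = new Checker\HeaderCheckerManager($headerCheckers, [new JWSTokenSupport()]);
        $headerChecker->check($jws, 0);

        $verifier = new JWSVerifier(new AlgorithmManager($this->algorithms));
        if (! $verifier->verifyWithKeySet($jws, $this->jwkset, 0)) {
            throw new RuntimeException('Invalid signature');
        }

        // Only the protected header is exposed on the result; a missing payload
        // is decoded as an empty claim set.
        $jwt = new JWT();
        $jwt->header->replace($jws->getSignature(0)->getProtectedHeader());
        $jwt->claims->replace(JsonConverter::decode($jws->getPayload() ?? '{}'));

        // Claims are checked last, i.e. only after the signature proved authentic.
        $claimChecker = new Checker\ClaimCheckerManager($this->claimCheckers);
        $claimChecker->check($jwt->claims->all(), $this->mandatoryClaims);

        return $jwt;
    }

    /**
     * Signature algorithms this loader is able to instantiate.
     *
     * The unsigned "none" algorithm is part of this map. When no algorithm
     * allow-list is configured, run() adds no AlgorithmChecker and therefore
     * does not by itself reject a token carrying alg "none"; callers should
     * always restrict the accepted algorithms to the ones they expect.
     *
     * @return string[]
     */
    protected function getAlgorithmMap(): array
    {
        return [
            Algorithm\None::class,
            Algorithm\HS256::class,
            Algorithm\HS384::class,
            Algorithm\HS512::class,
            Algorithm\RS256::class,
            Algorithm\RS384::class,
            Algorithm\RS512::class,
            Algorithm\PS256::class,
            Algorithm\PS384::class,
            Algorithm\PS512::class,
            Algorithm\ES256::class,
            Algorithm\ES384::class,
            Algorithm\ES512::class,
            Algorithm\EdDSA::class,
        ];
    }
}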