Issues in Guard.php (master) - Issues in master - framgia/laravel-jwt - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Guard.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Framgia\Jwt;

use Carbon\Carbon;
use Framgia\Jwt\Contracts\ChecksClaims;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Support\Str;
use Lcobucci\JWT\Claim;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Builder;
use Illuminate\Http\Request;
use InvalidArgumentException;
use Framgia\Jwt\Contracts\Signer;
use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\UserProvider;
use Framgia\Jwt\Contracts\ProvidesCredentials;
use Illuminate\Contracts\Auth\Guard as GuardContract;
use Lcobucci\JWT\Token;

class Guard implements GuardContract
{
    use GuardHelpers;

    /**
     * Default claims.
     * 
     * @var array
     */
    protected $claims = [
        'aud' => 'Audience',
        'exp' => 'Expiration',
        'jti' => 'Id',
        'iat' => 'IssuedAt',
        'iss' => 'Issuer',
        'nbf' => 'NotBefore',
        'sub' => 'Subject',
    ];

    /**
     * The request instance.
     *
     * @var \Illuminate\Http\Request
     */
    protected $request;

    /**
     * @var \Framgia\Jwt\Blacklist
     */
    protected $blacklist;

    /**
     * @var \Framgia\Jwt\Contracts\Signer
     */
    protected $signer;

    /**
     * @var \Lcobucci\JWT\Token
     */
    protected $token;

    /**
     * Create a new authentication guard.
     *
     * @param  \Illuminate\Contracts\Auth\UserProvider  $provider
     * @param  \Illuminate\Http\Request  $request
     * @param  \Framgia\Jwt\Blacklist  $blacklist
     * @param  \Framgia\Jwt\Contracts\Signer  $signer
     */
    public function __construct(
        UserProvider $provider,
        Request $request,
        Blacklist $blacklist,
        Signer $signer
    )
    {
        $this->request = $request;
        $this->provider = $provider;
        $this->blacklist = $blacklist;
        $this->signer = $signer;
    }

    /**
     * Get current token.
     * 
     * @return \Lcobucci\JWT\Token
     */
    public function token()
    {
        if (empty($this->token)) {
            $this->token = $this->getTokenForRequest();
        }

        return $this->token;
    }

    /**
     * Refresh token expiration with same ID.
     * 
     * @param  \Lcobucci\JWT\Token|null  $token
     * @return \Lcobucci\JWT\Token
     */
    public function refresh(Token $token = null)
    {
        if (is_null($token)) {
            $token = $this->token();
        }
        
        $builder = $this->applyClaims($token->getClaims());
function someFunction(A $objectMaybe = null)
{
    if ($objectMaybe instanceof A) {
        $objectMaybe->doSomething();
    }
}
        
        $builder->setExpiration($this->getExpirationTimestamp());

        return $this->signer->sign($builder)->getToken();
    }

    public function setToken(Token $token)
    {
        $this->token = $token;
        $this->user = null;

        return $this;
    }

    /**
     * Get the currently authenticated user.
     *
     * @return \Illuminate\Contracts\Auth\Authenticatable|null
     */
    public function user()
    {
        // If we've already retrieved the user for the current request we can just
        // return it back immediately. We do not want to fetch the user data on
        // every call to this method because that would be tremendously slow.
        if (! is_null($this->user)) {
            return $this->user;
        }

        $user = null;

        $token = $this->token();

        if (! is_null($token)) {
            if ($this->provider instanceof ChecksClaims) {
                $user = $this->provider->retrieveByClaims($token->getClaims());
            } else {
                $user = $this->provider->retrieveById($token->getClaim('sub'));
            }
        }

        return $this->user = $user;
    }

    public function setUser(Authenticatable $user)
    {
        $this->user = $user;
        $this->token = $this->createTokenForUser($this->user);

        return $this;
    }

    public function login(Authenticatable $user)
    {
        return $this->setUser($user);
    }

    /**
     * Get the token for the current request.
     *
     * @return \Lcobucci\JWT\Token
     */
    protected function getTokenForRequest()
    {
        $token = $this->request->bearerToken();

        if (empty($token)) {
            return null;
        }

        try {
            $token = (new Parser())->parse($token);

            if (!$this->signer->verify($token)) {
                return null;
            }
        } catch (InvalidArgumentException $e) {
            return null;
        }

        return $token;
    }

    /**
     * Validate a user's credentials.
     *
     * @param  array  $credentials
     * @return bool
     */
    public function validate(array $credentials = [])
    {
        $user = $this->provider->retrieveByCredentials($credentials);
        if (!is_null($user) && $this->provider->validateCredentials($user, $credentials)) {
            $this->user = $user;
            return true;
        }

        return false;
    }

    /**
     * @param array $credentials
     * @return \Lcobucci\JWT\Token|null
     */
    public function attempt(array $credentials)
    {
        if (!$this->validate($credentials)) {
            return null;
        }

        return $this->token = $this->createTokenForUser($this->user);
    }

    /**
     * @param  Authenticatable  $user
     * @return Token
     */
    public function createTokenForUser(Authenticatable $user)
    {
        $builder = new Builder();

        $id = $user->getAuthIdentifier();
        $builder->setSubject($id);

        if ($user instanceof ProvidesCredentials) {
            $builder = $this->applyClaims($user->getCredentials(), true, $builder);
        }

        $builder->setExpiration($this->getExpirationTimestamp());

        $builder->setId(Str::random());

        return $this->signer->sign($builder)->getToken();
    }

    /**
     * @return bool
     */
    public function logout()
    {
        $token = $this->getTokenForRequest();

        if (empty($token)) {
            $result = true;
        } else {
            $result = $this->blacklist->add($token);
        }

        if ($result) {
            $this->token = null;
            $this->user = null;
        }

        return $result;
    }

    /**
     * Set the current request instance.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return $this
     */
    public function setRequest(Request $request)
    {
        $this->request = $request;

        return $this;
    }

    /**
     * Apply claims to builder.
     * 
     * @param  array  $claims
     * @param  bool  $protect
     * @param  \Lcobucci\JWT\Builder|null  $builder
     * @return \Lcobucci\JWT\Builder
     */
    protected function applyClaims(array $claims, $protect = false, Builder $builder = null)
    {
        if (is_null($builder)) {
            $builder = new Builder();
        }

        foreach ($claims as $key => $value) {

            if ($value instanceof Claim) {
                $key = $value->getName();
                $value = $value->getValue();
            }

            if (array_key_exists($key, $this->claims)) {
                if (!$protect) {
                    $builder->{'set' . $this->claims[$key]}($value);
                }
            } else {
                $builder->set($key, $value);
            }
        }

        return $builder;
    }

    /**
     * Get token expiration timestamp.
     * 
     * @return int
     */
    protected function getExpirationTimestamp()
    {
        return Carbon::now()->addDay()->timestamp;
    }
}


1			<?php
2
3			namespace Framgia\Jwt;
4
5			use Carbon\Carbon;
6			use Framgia\Jwt\Contracts\ChecksClaims;
7			use Illuminate\Contracts\Auth\Authenticatable;
8			use Illuminate\Support\Str;
9			use Lcobucci\JWT\Claim;
10			use Lcobucci\JWT\Parser;
11			use Lcobucci\JWT\Builder;
12			use Illuminate\Http\Request;
13			use InvalidArgumentException;
14			use Framgia\Jwt\Contracts\Signer;
15			use Illuminate\Auth\GuardHelpers;
16			use Illuminate\Contracts\Auth\UserProvider;
17			use Framgia\Jwt\Contracts\ProvidesCredentials;
18			use Illuminate\Contracts\Auth\Guard as GuardContract;
19			use Lcobucci\JWT\Token;
20
21			class Guard implements GuardContract
22			{
23			use GuardHelpers;
24
25			/**
26			* Default claims.
27			*
28			* @var array
29			*/
30			protected $claims = [
31			'aud' => 'Audience',
32			'exp' => 'Expiration',
33			'jti' => 'Id',
34			'iat' => 'IssuedAt',
35			'iss' => 'Issuer',
36			'nbf' => 'NotBefore',
37			'sub' => 'Subject',
38			];
39
40			/**
41			* The request instance.
42			*
43			* @var \Illuminate\Http\Request
44			*/
45			protected $request;
46
47			/**
48			* @var \Framgia\Jwt\Blacklist
49			*/
50			protected $blacklist;
51
52			/**
53			* @var \Framgia\Jwt\Contracts\Signer
54			*/
55			protected $signer;
56
57			/**
58			* @var \Lcobucci\JWT\Token
59			*/
60			protected $token;
61
62			/**
63			* Create a new authentication guard.
64			*
65			* @param \Illuminate\Contracts\Auth\UserProvider $provider
66			* @param \Illuminate\Http\Request $request
67			* @param \Framgia\Jwt\Blacklist $blacklist
68			* @param \Framgia\Jwt\Contracts\Signer $signer
69			*/
70			public function __construct(
71			UserProvider $provider,
72			Request $request,
73			Blacklist $blacklist,
74			Signer $signer
75			)
76			{
77			$this->request = $request;
78			$this->provider = $provider;
79			$this->blacklist = $blacklist;
80			$this->signer = $signer;
81			}
82
83			/**
84			* Get current token.
85			*
86			* @return \Lcobucci\JWT\Token
87			*/
88			public function token()
89			{
90			if (empty($this->token)) {
91			$this->token = $this->getTokenForRequest();
92			}
93
94			return $this->token;
95			}
96
97			/**
98			* Refresh token expiration with same ID.
99			*
100			* @param \Lcobucci\JWT\Token\|null $token
101			* @return \Lcobucci\JWT\Token
102			*/
103			public function refresh(Token $token = null)
104			{
105			if (is_null($token)) {
106			$token = $this->token();
107			}
108
109			$builder = $this->applyClaims($token->getClaims());
			0 ignored issues – show Bug introduced 2016-06-08 08:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$token` is not always an object, but can also be of type `null`. Maybe add an additional type check? If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: function someFunction(A $objectMaybe = null) { if ($objectMaybe instanceof A) { $objectMaybe->doSomething(); } } Loading history...
110
111			$builder->setExpiration($this->getExpirationTimestamp());
112
113			return $this->signer->sign($builder)->getToken();
114			}
115
116			public function setToken(Token $token)
117			{
118			$this->token = $token;
119			$this->user = null;
120
121			return $this;
122			}
123
124			/**
125			* Get the currently authenticated user.
126			*
127			* @return \Illuminate\Contracts\Auth\Authenticatable\|null
128			*/
129			public function user()
130			{
131			// If we've already retrieved the user for the current request we can just
132			// return it back immediately. We do not want to fetch the user data on
133			// every call to this method because that would be tremendously slow.
134			if (! is_null($this->user)) {
135			return $this->user;
136			}
137
138			$user = null;
139
140			$token = $this->token();
141
142			if (! is_null($token)) {
143			if ($this->provider instanceof ChecksClaims) {
144			$user = $this->provider->retrieveByClaims($token->getClaims());
145			} else {
146			$user = $this->provider->retrieveById($token->getClaim('sub'));
147			}
148			}
149
150			return $this->user = $user;
151			}
152
153			public function setUser(Authenticatable $user)
154			{
155			$this->user = $user;
156			$this->token = $this->createTokenForUser($this->user);
157
158			return $this;
159			}
160
161			public function login(Authenticatable $user)
162			{
163			return $this->setUser($user);
164			}
165
166			/**
167			* Get the token for the current request.
168			*
169			* @return \Lcobucci\JWT\Token
170			*/
171			protected function getTokenForRequest()
172			{
173			$token = $this->request->bearerToken();
174
175			if (empty($token)) {
176			return null;
177			}
178
179			try {
180			$token = (new Parser())->parse($token);
181
182			if (!$this->signer->verify($token)) {
183			return null;
184			}
185			} catch (InvalidArgumentException $e) {
186			return null;
187			}
188
189			return $token;
190			}
191
192			/**
193			* Validate a user's credentials.
194			*
195			* @param array $credentials
196			* @return bool
197			*/
198			public function validate(array $credentials = [])
199			{
200			$user = $this->provider->retrieveByCredentials($credentials);
201			if (!is_null($user) && $this->provider->validateCredentials($user, $credentials)) {
202			$this->user = $user;
203			return true;
204			}
205
206			return false;
207			}
208
209			/**
210			* @param array $credentials
211			* @return \Lcobucci\JWT\Token\|null
212			*/
213			public function attempt(array $credentials)
214			{
215			if (!$this->validate($credentials)) {
216			return null;
217			}
218
219			return $this->token = $this->createTokenForUser($this->user);
220			}
221
222			/**
223			* @param Authenticatable $user
224			* @return Token
225			*/
226			public function createTokenForUser(Authenticatable $user)
227			{
228			$builder = new Builder();
229
230			$id = $user->getAuthIdentifier();
231			$builder->setSubject($id);
232
233			if ($user instanceof ProvidesCredentials) {
234			$builder = $this->applyClaims($user->getCredentials(), true, $builder);
235			}
236
237			$builder->setExpiration($this->getExpirationTimestamp());
238
239			$builder->setId(Str::random());
240
241			return $this->signer->sign($builder)->getToken();
242			}
243
244			/**
245			* @return bool
246			*/
247			public function logout()
248			{
249			$token = $this->getTokenForRequest();
250
251			if (empty($token)) {
252			$result = true;
253			} else {
254			$result = $this->blacklist->add($token);
255			}
256
257			if ($result) {
258			$this->token = null;
259			$this->user = null;
260			}
261
262			return $result;
263			}
264
265			/**
266			* Set the current request instance.
267			*
268			* @param \Illuminate\Http\Request $request
269			* @return $this
270			*/
271			public function setRequest(Request $request)
272			{
273			$this->request = $request;
274
275			return $this;
276			}
277
278			/**
279			* Apply claims to builder.
280			*
281			* @param array $claims
282			* @param bool $protect
283			* @param \Lcobucci\JWT\Builder\|null $builder
284			* @return \Lcobucci\JWT\Builder
285			*/
286			protected function applyClaims(array $claims, $protect = false, Builder $builder = null)
287			{
288			if (is_null($builder)) {
289			$builder = new Builder();
290			}
291
292			foreach ($claims as $key => $value) {
293
294			if ($value instanceof Claim) {
295			$key = $value->getName();
296			$value = $value->getValue();
297			}
298
299			if (array_key_exists($key, $this->claims)) {
300			if (!$protect) {
301			$builder->{'set' . $this->claims[$key]}($value);
302			}
303			} else {
304			$builder->set($key, $value);
305			}
306			}
307
308			return $builder;
309			}
310
311			/**
312			* Get token expiration timestamp.
313			*
314			* @return int
315			*/
316			protected function getExpirationTimestamp()
317			{
318			return Carbon::now()->addDay()->timestamp;
319			}
320			}
321

framgia / laravel-jwt

Issues (5)

Security Analysis no request data

src/Guard.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like