|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/* |
|
4
|
|
|
* SPDX-License-Identifier: AGPL-3.0-only |
|
5
|
|
|
* SPDX-FileCopyrightText: Copyright 2023 grommunio GmbH |
|
6
|
|
|
* |
|
7
|
|
|
* Object class to parse a JSON Web Token. |
|
8
|
|
|
*/ |
|
9
|
|
|
|
|
10
|
|
|
class Token { |
|
11
|
|
|
public ?array $token_header = null; |
|
12
|
|
|
public ?array $token_payload = null; |
|
13
|
|
|
public false|string|null $token_signature = null; |
|
14
|
|
|
public ?string $signed = null; |
|
15
|
|
|
|
|
16
|
|
|
/** |
|
17
|
|
|
* Constructor loading a token string received from Keycloak. |
|
18
|
|
|
* |
|
19
|
|
|
* @param string $_raw holding |
|
20
|
|
|
*/ |
|
21
|
|
|
public function __construct(protected $_raw) { |
|
22
|
|
|
// Initialize with default empty payload |
|
23
|
|
|
$this->token_payload = ['expires_at' => 0]; |
|
24
|
|
|
|
|
25
|
|
|
if ($this->_raw) { |
|
26
|
|
|
try { |
|
27
|
|
|
$parts = explode('.', (string) $this->_raw); |
|
28
|
|
|
if (count($parts) !== 3) { |
|
29
|
|
|
throw new Exception('Invalid token format'); |
|
30
|
|
|
} |
|
31
|
|
|
$th = base64_decode($parts[0]); |
|
32
|
|
|
$tp = base64_decode($parts[1]); |
|
33
|
|
|
$ts = base64_decode($parts[2]); |
|
34
|
|
|
$this->token_header = json_decode($th, true); |
|
35
|
|
|
$payload = json_decode($tp, true); |
|
36
|
|
|
// Only use decoded payload if it's valid |
|
37
|
|
|
if (is_array($payload)) { |
|
38
|
|
|
$this->token_payload = $payload; |
|
39
|
|
|
} |
|
40
|
|
|
$this->token_signature = $ts; |
|
41
|
|
|
$this->signed = $parts[0] . '.' . $parts[1]; |
|
42
|
|
|
} |
|
43
|
|
|
catch (Exception) { |
|
44
|
|
|
// Keep default payload on error |
|
45
|
|
|
} |
|
46
|
|
|
} |
|
47
|
|
|
} |
|
48
|
|
|
|
|
49
|
|
|
/** |
|
50
|
|
|
* Returns the signature of the token. |
|
51
|
|
|
*/ |
|
52
|
|
|
public function get_signature(): false|string|null { |
|
53
|
|
|
return $this->token_signature; |
|
54
|
|
|
} |
|
55
|
|
|
|
|
56
|
|
|
/** |
|
57
|
|
|
* Indicates if the token was signed. |
|
58
|
|
|
*/ |
|
59
|
|
|
public function get_signed(): ?string { |
|
60
|
|
|
return $this->signed; |
|
61
|
|
|
} |
|
62
|
|
|
|
|
63
|
|
|
/** |
|
64
|
|
|
* Returns raw payload. |
|
65
|
|
|
*/ |
|
66
|
|
|
public function get_payload(): mixed { |
|
67
|
|
|
return $this->_raw; |
|
68
|
|
|
} |
|
69
|
|
|
|
|
70
|
|
|
/** |
|
71
|
|
|
* Returns the value of a claim if it's defined in the payload. |
|
72
|
|
|
* Otherwise returns an empty string. |
|
73
|
|
|
*/ |
|
74
|
|
|
public function get_claims(string $claim): mixed { |
|
75
|
|
|
return array_key_exists($claim, $this->token_payload) ? $this->token_payload[$claim] : ''; |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
/** |
|
79
|
|
|
* Checks if a token is expired comparing to the current time. |
|
80
|
|
|
*/ |
|
81
|
|
|
public function is_expired(): bool { |
|
82
|
|
|
return ($this->token_payload['exp'] ?? 0) <= time(); |
|
83
|
|
|
} |
|
84
|
|
|
} |
|
85
|
|
|
|
grommunio /
mapi-header-php
