First iteration of using cookies to store session/securetoken

2019-01-24 17:17:53 +01:00 · 2019-01-24 17:17:53 +01:00 · 118e45db9c
parent 579403c127
commit 118e45db9c
4 changed files with 20 additions and 16 deletions
--- a/include/lucidAuth.functions.php
+++ b/include/lucidAuth.functions.php
@ -62,11 +62,11 @@ function retrieveTokenFromDB (string $username, string $foo) {
 	
 }

-function validateToken (array $cookieData) {
+function validateToken (string $secureToken) {
 	global $settings;

 	try {
-		$jwtPayload = JWT::decode($cookieData['token'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
+		$jwtPayload = JWT::decode($secureToken, base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
 	} catch (Exception $e) {
 		// Invalid token, inform client (client should handle discarding invalid token)
 		return ['status' => 'Fail', 'reason' => '3'];
@ -80,17 +80,19 @@ function validateToken (array $cookieData) {
 		WHERE User.Username = :username
 	');
 	$pdoQuery->execute([
-			'username'	=>	($_COOKIE['Sub'] ?? "Danny")
+			'username'	=>	$jwtPayload['sub']
 		]);
 	foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
-		$tokens[] = $row['Payload'];
+		$storedTokens[] = $row['Payload'];
 	}
-	print_r($tokens);
-#	if ($pdoResult['Username'])
+	
+	print_r($storedTokens);
+#	if (!empty($storedTokens) && <in_array or array_walk to determine if any of the stored tokens match>) {

+#	}

-	If ($cookieData['Exp'] < time()) {
-		// Expired cookie (shouldn't the browser disregard it?)
+	If ($secureToken['iat'] < (time() - $settings->Session['Duration'])) {
+		// Expired token (shouldn't the browser disregard it?)
 		return ['status' => 'Fail', 'reason' => '3'];
 	}
 	
--- a/lucidAuth.config.php.example
+++ b/lucidAuth.config.php.example
@ -29,16 +29,17 @@ return (object) array(
 	// File containing your <externalresource> token
  
 	'JWT'	=> [
-		'PrivateKey_base64'	=> 'result of base64_encode(<longrandomstring>)',
+		'PrivateKey_base64'	=> '',
+		// A base64-encoded string of a random string (see https://www.base64encode.org/)
 		'Algorithm'			=> [
 			'HS256',
 		]
 	],

-	'Cookie'	=> [
-		'Duration'	=> 2592000,
+	'Session'	=> [
+		'Duration'		=> 2592000,
 		// In seconds (2592000 is equivalent to 30 days)
-#		'Prefix'		=> 'lucidAuth_'
+#		'CookiePrefix'	=> 'lucidAuth_'
 	],
 	
 	'Debug'	=> [
--- a/public/lucidAuth.login.php
+++ b/public/lucidAuth.login.php
@ -6,6 +6,9 @@
 	if ($_POST['do'] == 'login') {
 		$result = authenticateLDAP($_POST['username'], $_POST['password']);
 		if ($result['status'] == 'Success') {
+			// Save secure token in cookie
+            setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']));
+            
 			// Convert base64 encoded string back from JSON;
 			//   forcing it into an associative array (instead of javascript's default StdClass object)
 			try {
@ -16,7 +19,7 @@
 				echo '{"Result":"Fail","Reason":"Original request URI lost in transition"}' . PHP_EOL;
 				exit;
 			}
-			$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : '#';
+			$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';

 			// Since this request is only ever called through an AJAX-request; return JSON object
 			echo '{"Result":"Success","Location":"' . $originalUri . '"}' . PHP_EOL;
--- a/public/lucidAuth.validateRequest.php
+++ b/public/lucidAuth.validateRequest.php
@ -28,9 +28,7 @@
 		exit;
 	}

-	if ((!empty($_COOKIE['Exp']) && !empty($_COOKIE['Sub']) && !empty($_COOKIE['JWT'])) && validateToken([
-		'Exp' => $_COOKIE['Exp'],
-		'Sub' => $_COOKIE['Sub'],
+	if (!empty($_COOKIE['JWT']) && validateToken([
 		'JWT' => $_COOKIE['JWT']
 	])['status'] == "Success") {
 		// Valid authentication token found