diff --git a/include/lucidAuth.functions.php b/include/lucidAuth.functions.php
index 805268b..5c1ba8c 100644
--- a/include/lucidAuth.functions.php
+++ b/include/lucidAuth.functions.php
@@ -62,11 +62,11 @@ function retrieveTokenFromDB (string $username, string $foo) {
 }
-function validateToken (array $cookieData) {
+function validateToken (string $secureToken) {
     global $settings;
     try {
-        $jwtPayload = JWT::decode($cookieData['token'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
+        $jwtPayload = JWT::decode($secureToken, base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
     } catch (Exception $e) {
         // Invalid token, inform client (client should handle discarding invalid token)
         return ['status' => 'Fail', 'reason' => '3'];
@@ -80,17 +80,19 @@ function validateToken (array $cookieData) {
             WHERE User.Username = :username
         ');
         $pdoQuery->execute([
-            'username' => ($_COOKIE['Sub'] ?? "Danny")
+            'username' => $jwtPayload['sub']
         ]);
         foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
-            $tokens[] = $row['Payload'];
+            $storedTokens[] = $row['Payload'];
         }
-        print_r($tokens);
-#        if ($pdoResult['Username'])
+
+        print_r($storedTokens);
+#        if (!empty($storedTokens) && ) {
+#        }
-        If ($cookieData['Exp'] < time()) {
-            // Expired cookie (shouldn't the browser disregard it?)
+        If ($secureToken['iat'] < (time() - $settings->Session['Duration'])) {
+            // Expired token (shouldn't the browser disregard it?)
             return ['status' => 'Fail', 'reason' => '3'];
         }
diff --git a/lucidAuth.config.php.example b/lucidAuth.config.php.example
index 46768b6..a4b42fd 100644
--- a/lucidAuth.config.php.example
+++ b/lucidAuth.config.php.example
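Review bot: validateToken's parameter is now `string $secureToken`, but its caller in the lucidAuth.validateRequest.php hunk of this same commit still passes an array (`validateToken(['JWT' => $_COOKIE['JWT']])`), which is a TypeError at runtime with or without strict_types, since arrays are never coerced to string. The call site should become `if (!empty($_COOKIE['JWT']) && validateToken($_COOKIE['JWT'])['status'] === 'Success') {`. The function also declares no return type; `: array` would document the `['status' => ..., 'reason' => ...]` contract visible in the catch branch. validateToken's body continues past the end of this hunk.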
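Review bot: The new `If ($secureToken['iat'] < ...)` line indexes the raw JWT string rather than the decoded payload, so `['iat']` is a string offset and not the issued-at claim; the intended expression is `$jwtPayload['iat']` (or `$jwtPayload->iat` if JWT::decode returns an object, as firebase/php-jwt's does — worth confirming which library is in use, because `$jwtPayload['sub']` on the execute() line has the same dependency). The `print_r($storedTokens)` left in writes every stored token payload for the user into the HTTP response of a validation endpoint, and `$storedTokens` is undefined when the query returns no rows; drop the print_r and add `$storedTokens = [];` before the foreach. As far as this hunk shows, the commented-out `if (!empty($storedTokens) && ) {` block is the only place the database result would be used, so a `// TODO: reject tokens not present in $storedTokens` comment would make the unfinished check visible. The function continues outside the hunk.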
@@ -29,16 +29,17 @@ return (object) array(
     // File containing your token
     'JWT' => [
-        'PrivateKey_base64' => 'result of base64_encode()',
+        'PrivateKey_base64' => '',
+        // A base64-encoded string of a random string (see https://www.base64encode.org/)
         'Algorithm' => [
             'HS256',
         ]
     ],
-    'Cookie' => [
-        'Duration' => 2592000,
+    'Session' => [
+        'Duration' => 2592000, // In seconds (2592000 is equivalent to 30 days)
-#        'Prefix' => 'lucidAuth_'
+#        'CookiePrefix' => 'lucidAuth_'
     ],
     'Debug' => [
diff --git a/public/lucidAuth.login.php b/public/lucidAuth.login.php
index 0024bdf..b8285d2 100644
--- a/public/lucidAuth.login.php
+++ b/public/lucidAuth.login.php
@@ -6,6 +6,9 @@
 if ($_POST['do'] == 'login') {
     $result = authenticateLDAP($_POST['username'], $_POST['password']);
     if ($result['status'] == 'Success') {
+        // Save secure token in cookie
+        setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']));
+
         // Convert base64 encoded string back from JSON;
         // forcing it into an associative array (instead of javascript's default StdClass object)
         try {
@@ -16,7 +19,7 @@
             echo '{"Result":"Fail","Reason":"Original request URI lost in transition"}' . PHP_EOL;
             exit;
         }
-        $originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : '#';
+        $originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';
         // Since this request is only ever called through an AJAX-request; return JSON object
         echo '{"Result":"Success","Location":"' . $originalUri . '"}' . PHP_EOL;
diff --git a/public/lucidAuth.validateRequest.php b/public/lucidAuth.validateRequest.php
index 336d594..572aba5 100644
--- a/public/lucidAuth.validateRequest.php
+++ b/public/lucidAuth.validateRequest.php
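Review bot: The new comment under `'PrivateKey_base64'` directs operators to a third-party website to produce the value, which means pasting the HS256 signing secret into someone else's server; the secret should be generated locally. Suggested comment text: `// HMAC secret for HS256, base64-encoded; generate locally, e.g. php -r 'echo base64_encode(random_bytes(32));'`. Placing the comment on the line above the key it describes would also match the `// File containing your token` comment above it. The rename from `Cookie` to `Session` is what `$settings->Session['Duration']` reads in the other hunks, so an existing config that still names `Cookie` will presumably yield an undefined-property warning and a null duration there — worth a note in the example file.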
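Review bot: The new `setcookie('JWT', ...)` call stores the session token without the `secure`, `httponly` or `samesite` attributes, so the cookie is readable from page script and is sent over plain HTTP as well as HTTPS. PHP 7.3+ accepts an options array: `setcookie('JWT', $result['token'], ['expires' => time() + $settings->Session['Duration'], 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);` (choose `path` so that lucidAuth.validateRequest.php receives the cookie; the default is this script's directory). Whether `$settings` is in scope at this point of lucidAuth.login.php is not visible in the hunk — if it is not, the expiry evaluates to `time() + null`. The enclosing `if` blocks continue outside the hunk.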
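Review bot: The changed `$originalUri` line builds a value from X-Forwarded-* headers that, a few lines below, is spliced into a JSON literal by string concatenation with no escaping, so a quote or backslash in any of those header values breaks the JSON and can introduce extra keys into the response. Emitting `echo json_encode(['Result' => 'Success', 'Location' => $originalUri], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES) . PHP_EOL;` removes that, and the Fail literal above would benefit from the same treatment. Using `$proxyHeaders` as a redirect target also presumes the reverse proxy overwrites rather than forwards client-supplied X-Forwarded-* headers; a comment stating that assumption where `$proxyHeaders` is built (outside this hunk) would help the next reader. The surrounding block starts and ends outside the hunk.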
@@ -28,9 +28,7 @@
         exit;
     }
-    if ((!empty($_COOKIE['Exp']) && !empty($_COOKIE['Sub']) && !empty($_COOKIE['JWT'])) && validateToken([
-        'Exp' => $_COOKIE['Exp'],
-        'Sub' => $_COOKIE['Sub'],
+    if (!empty($_COOKIE['JWT']) && validateToken([
         'JWT' => $_COOKIE['JWT']
     ])['status'] == "Success") {
         // Valid authentication token found