-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathstateless-auth.php
108 lines (98 loc) · 3.12 KB
/
stateless-auth.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
<?php
/* Copyright 2013 Dan Wolff (danwolff.se)
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/**
* Creates a token that the server can authenticate. This is completely
* stateless, and all necessary information is stored inside the token.
* This means that once a token is created, it can only be invalidated
* by expiring.
*/
function stateless_auth_create($secret_key, $context, $time = 60) {
$expiry_time = time() + $time;
// Use HMAC to prevent length extension attacks
$hash = hash_hmac('sha256', "$expiry_time:$context", $secret_key, true);
// It will only be decoded by this library, so strip extra '='
$encoded_hash = rtrim(base64_encode($hash), '=');
// $context may contain ':', so place it last
return "$encoded_hash:$expiry_time:$context";
}
/**
* Checks whether a token is valid. If it is misformatted, the expiry
* time has passed, or the token is valid only for another context, it
* is considered invalid.
*/
function stateless_auth_verify($secret_key, $context, $token) {
if (!is_string($token)) {
return false;
}
$token_parts = explode(':', $token, 3);
if (count($token_parts) !== 3) {
// misformatted token
return false;
}
list($token_encoded_hash, $token_expiry_time, $token_context) = $token_parts;
if (!is_numeric($token_expiry_time) || $token_expiry_time < time()) {
// already expired (or incorrect expiry time given)
return false;
}
if ($token_context !== (string) $context) {
// context mismatch
return false;
}
$token_hash = base64_decode($token_encoded_hash, true);
$calculated_hash = hash_hmac('sha256', "$token_expiry_time:$context", $secret_key, true);
return $token_hash === $calculated_hash;
}
/**
* Gets the expiry time for a given token. False is returned if it
* cannot be extracted.
*/
function stateless_auth_get_expiry($token) {
$parts = explode(':', $token, 3);
if (count($parts) !== 3) {
// misformatted token
return false;
}
$expiry_time = $parts[1];
if (!is_numeric($expiry_time)) {
return false;
}
return +$expiry_time;
}
/**
* Gets the context for a given token. False is returned if it cannot
* be extracted.
*/
function stateless_auth_get_context($token) {
$parts = explode(':', $token, 3);
if (count($parts) !== 3) {
// misformatted token
return false;
}
return $parts[2];
}
/**
* Creates a form input, used as an XSRF guard, by default with the
* name 'xsrf_token'.
*/
function stateless_auth_xsrf_create($secret_key, $context, $time = 600,
$name = 'xsrf_token', $xhtml = true) {
return sprintf('<input type="hidden" name="%s" value="%s"%s>',
htmlspecialchars($name),
htmlspecialchars(stateless_auth_create($secret_key, $context, $time)),
($xhtml ? ' /' : ''));
}
/**
* Verifies that the correct XSRF token was used. If $token is not
* given, $_POST['xsrf_token'] is used.
*/
function stateless_auth_xsrf_verify($secret_key, $context, $token = null) {
if (func_num_args() === 2) {
$token = @$_POST['xsrf_token'];
}
return stateless_auth_verify($secret_key, $context, $token);
}