PATH:
home
/
lab2454c
/
carbonbullion.net
/
wp-content
/
plugins
/
jwt-authentication-for-wp-rest-api
/
public
<?php /** Require the JWT library. */ use Firebase\JWT\JWT; use Firebase\JWT\Key; /** * The public-facing functionality of the plugin. * * @link https://enriquechavez.co * @since 1.0.0 */ /** * The public-facing functionality of the plugin. * * Defines the plugin name, version, and two examples hooks for how to * enqueue the admin-specific stylesheet and JavaScript. * * @author Enrique Chavez <noone@tmeister.net> */ class Jwt_Auth_Public { /** * The ID of this plugin. * * @since 1.0.0 * * @var string The ID of this plugin. */ private $plugin_name; /** * The version of this plugin. * * @since 1.0.0 * * @var string The current version of this plugin. */ private $version; /** * The namespace to add to the api calls. * * @var string The namespace to add to the api call */ private $namespace; /** * Store errors to display if the JWT is wrong * * @var WP_Error */ private $jwt_error = null; /** * Initialize the class and set its properties. * * @since 1.0.0 * * @param string $plugin_name The name of the plugin. * @param string $version The version of this plugin. */ public function __construct($plugin_name, $version) { $this->plugin_name = $plugin_name; $this->version = $version; $this->namespace = $this->plugin_name . '/v' . intval($this->version); } /** * Add the endpoints to the API */ public function add_api_routes() { register_rest_route($this->namespace, 'token', array( 'methods' => 'POST', 'callback' => array($this, 'generate_token'), 'permission_callback' => '__return_true', )); register_rest_route($this->namespace, 'token/validate', array( 'methods' => 'POST', 'callback' => array($this, 'validate_token'), 'permission_callback' => '__return_true', )); } /** * Add CORs support to the request. */ public function add_cors_support() { $enable_cors = defined('JWT_AUTH_CORS_ENABLE') ? JWT_AUTH_CORS_ENABLE : false; if ($enable_cors) { $headers = apply_filters('jwt_auth_cors_allow_headers', 'Access-Control-Allow-Headers, Content-Type, Authorization'); header(sprintf('Access-Control-Allow-Headers: %s', $headers)); } } /** * Get the user and password in the request body and generate a JWT * * @param [type] $request [description] * * @return mixed|WP_Error|null [type] [description] */ public function generate_token($request) { $secret_key = defined('JWT_AUTH_SECRET_KEY') ? JWT_AUTH_SECRET_KEY : false; $username = $request->get_param('username'); $password = $request->get_param('password'); /** First thing, check the secret key if not exist return a error*/ if (!$secret_key) { return new WP_Error( 'jwt_auth_bad_config', __('JWT is not configured properly, please contact the admin', 'wp-api-jwt-auth'), array( 'status' => 403, ) ); } /** Try to authenticate the user with the passed credentials*/ $user = wp_authenticate($username, $password); /** If the authentication fails return an error*/ if (is_wp_error($user)) { $error_code = $user->get_error_code(); return new WP_Error( '[jwt_auth] ' . $error_code, $user->get_error_message($error_code), array( 'status' => 403, ) ); } /** Valid credentials, the user exists create the according Token */ $issuedAt = time(); $notBefore = apply_filters('jwt_auth_not_before', $issuedAt, $issuedAt); $expire = apply_filters('jwt_auth_expire', $issuedAt + (DAY_IN_SECONDS * 7), $issuedAt); $token = array( 'iss' => get_bloginfo('url'), 'iat' => $issuedAt, 'nbf' => $notBefore, 'exp' => $expire, 'data' => array( 'user' => array( 'id' => $user->data->ID, ), ), ); /** Let the user modify the token data before the sign. */ $token = JWT::encode( apply_filters('jwt_auth_token_before_sign', $token, $user), $secret_key, apply_filters('jwt_auth_algorithm', 'HS256') ); /** The token is signed, now create the object with no sensible user data to the client*/ $data = array( 'token' => $token, 'user_email' => $user->data->user_email, 'user_nicename' => $user->data->user_nicename, 'user_display_name' => $user->data->display_name, ); /** Let the user modify the data before send it back */ return apply_filters('jwt_auth_token_before_dispatch', $data, $user); } /** * This is our Middleware to try to authenticate the user according to the * token send. * * @param (int|bool) $user Logged User ID * * @return (int|bool) */ public function determine_current_user($user) { /** * This hook only should run on the REST API requests to determine * if the user in the Token (if any) is valid, for any other * normal call ex. wp-admin/.* return the user. * * @since 1.2.3 **/ $rest_api_slug = rest_get_url_prefix(); $valid_api_uri = strpos($_SERVER['REQUEST_URI'], $rest_api_slug); // if already valid user or invalid url, don't attempt to validate token if ( !$valid_api_uri || $user ) { return $user; } /* * if the request URI is for validate the token don't do anything, * this avoids double calls to the validate_token function. */ $validate_uri = strpos($_SERVER['REQUEST_URI'], 'token/validate'); if ($validate_uri > 0) { return $user; } $token = $this->validate_token(false); if (is_wp_error($token)) { if ($token->get_error_code() != 'jwt_auth_no_auth_header') { /** If there is an error, store it to show it after see rest_pre_dispatch */ $this->jwt_error = $token; return $user; } else { return $user; } } /** Everything is ok, return the user ID stored in the token*/ return $token->data->user->id; } /** * Main validation function, this function try to get the Authentication * headers and decoded. * * @param bool $output * * @return WP_Error | Object | Array */ public function validate_token($output = true) { /* * Looking for the HTTP_AUTHORIZATION header, if not present just * return the user. */ $auth = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : false; /* Double check for different auth header string (server dependent) */ if (!$auth) { $auth = isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : false; } if (!$auth) { return new WP_Error( 'jwt_auth_no_auth_header', 'Authorization header not found.', array( 'status' => 403, ) ); } /* * The HTTP_AUTHORIZATION is present verify the format * if the format is wrong return the user. */ list($token) = sscanf($auth, 'Bearer %s'); if (!$token) { return new WP_Error( 'jwt_auth_bad_auth_header', 'Authorization header malformed.', array( 'status' => 403, ) ); } /** Get the Secret Key */ $secret_key = defined('JWT_AUTH_SECRET_KEY') ? JWT_AUTH_SECRET_KEY : false; if (!$secret_key) { return new WP_Error( 'jwt_auth_bad_config', 'JWT is not configured properly, please contact the admin', array( 'status' => 403, ) ); } /** Try to decode the token */ try { $token = JWT::decode( $token, new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256')) ); /** The Token is decoded now validate the iss */ if ($token->iss != get_bloginfo('url')) { /** The iss do not match, return error */ return new WP_Error( 'jwt_auth_bad_iss', 'The iss do not match with this server', array( 'status' => 403, ) ); } /** So far so good, validate the user id in the token */ if (!isset($token->data->user->id)) { /** No user id in the token, abort!! */ return new WP_Error( 'jwt_auth_bad_request', 'User ID not found in the token', array( 'status' => 403, ) ); } /** Everything looks good return the decoded token if the $output is false */ if (!$output) { return $token; } /** If the output is true return an answer to the request to show it */ return array( 'code' => 'jwt_auth_valid_token', 'data' => array( 'status' => 200, ), ); } catch (Exception $e) { /** Something is wrong trying to decode the token, send back the error */ return new WP_Error( 'jwt_auth_invalid_token', $e->getMessage(), array( 'status' => 403, ) ); } } /** * Filter to hook the rest_pre_dispatch, if the is an error in the request * send it, if there is no error just continue with the current request. * * @param $request * * @return mixed|WP_Error|null */ public function rest_pre_dispatch($request) { if (is_wp_error($this->jwt_error)) { return $this->jwt_error; } return $request; } }
[-] index.php
[edit]
[+]
..
[-] class-jwt-auth-public.php
[edit]