Add contents

Author: AKINORI Ishii

.gitignore

@@ -0,0 +1,8 @@
+# Managed by Composer
+/vendor/
+
+# composer.lock
+composer.lock
+
+# ideavim
+.idea

README.md

@@ -1,2 +1,36 @@
 # JWTBundle
 Generating and Interpreting JWT token.
+
+## Usage
+
+### JWTService
+
+1. Set JWK information via .yml file.
+```
+# key_info.yml
+parameters:
+jwt_keys:
+# for HS256
+  key_name_for_HS256_key:
+    kid: current_kid
+    alg: HS256
+    secret: 'secret string with more than 32 chars.'
+# for RS256 or ES256
+  key_name_for_RS256_or_ES256_key:
+    kid: current_kid
+    alg: RS256 or ES256
+    filename: 'public or private key filename'
+    passphrase: 'passphrase to decode key'
+```
+
+2. Place .yml and key files in the same directory.
+
+3. Set arguments
+```
+# jwt.yml
+services:
+  Toyokumo\JWTBundle\JWTService:
+    arguments:
+      $keyDirPath: 'path/to/key_info.yml and key files'
+      $jwkInfos: '%jwt_keys%' # JWK information defined in key_info.yml
+```

Resources/config/services.yml

@@ -0,0 +1,2 @@
+services:
+  Toyokumo\JWTBundle\JWTService: ~

composer.json

@@ -0,0 +1,21 @@
+{
+  "name": "toyokumo/jwt-bundle",
+  "description": "Symfony support for generating and interpreting JWT token.",
+  "keywords": ["symfony", "bundle"],
+  "homepage": "https://github.com/toyokumo/JWTBundle",
+  "license": "MIT",
+  "require": {
+    "php": "^7.4",
+    "symfony/config": "~3.0|~4.0",
+    "symfony/dependency-injection": "~3.0|~4.0",
+    "sensio/framework-extra-bundle": "~3.0|~4.0|~5.0",
+    "web-token/jwt-framework": "^2.2"
+  }
+  ,
+  "require-dev": {
+    "roave/security-advisories": "dev-master"
+  },
+  "autoload": {
+    "psr-4": { "Toyokumo\\JWTBundle\\": "src/" }
+  }
+}

src/DependencyInjection/ToyokumoJWTServiceExtension.php

@@ -0,0 +1,23 @@
+<?php
+
+namespace Toyokumo\JWTBundle\DependencyInjection;
+
+use Exception;
+use Symfony\Component\Config\FileLocator;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\HttpKernel\DependencyInjection\Extension;
+use Symfony\Component\DependencyInjection\Loader;
+
+class ToyokumoJWTServiceExtension extends Extension
+{
+    /**
+     * @param array $configs
+     * @param ContainerBuilder $container
+     * @throws Exception
+     */
+    public function load(array $configs, ContainerBuilder $container):void
+    {
+        $loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__ . '/../../Resources/config'));
+        $loader->load('services.yml');
+    }
+}

src/Exception/InvalidJWTException.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Toyokumo\JWTBundle\Exception;
+
+use Exception;
+
+/**
+ * Class InvalidJWTException
+ * Verified JWT containing invalid contents
+ * ex：
+ * - exceeding exp claim
+ * @package AppBundle\Exception
+ */
+class InvalidJWTException extends Exception
+{
+    /**
+     * InvalidJWTException constructor.
+     * @param string $message
+     * @param int $code
+     * @param Exception|null $previous
+     */
+    public function __construct(
+        string $message,
+        $code = 0,
+        Exception $previous = null
+    ) {
+        parent::__construct($message, $code, $previous);
+    }
+}

src/Exception/NotVerifiedJWTException.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace Toyokumo\JWTBundle\Exception;
+
+use Exception;
+
+/**
+ * Class NotVerifiedJWTException
+ * Broken JWT
+ * ex：
+ * - fail to parse token
+ * - invalid signature / no signature
+ * @package AppBundle\Exception
+ */
+class NotVerifiedJWTException extends Exception
+{
+    /**
+     * NotVerifiedJWTException constructor.
+     * @param string $message
+     * @param int $code
+     * @param Exception|null $previous
+     */
+    public function __construct(
+        string $message,
+        $code = 0,
+        Exception $previous = null
+    ) {
+        parent::__construct($message, $code, $previous);
+    }
+}

src/JWTService.php

@@ -0,0 +1,145 @@
+<?php
+
+namespace Toyokumo\JWTBundle;
+
+use Exception;
+use InvalidArgumentException;
+use Toyokumo\JWTBundle\Exception\InvalidJWTException;
+use Toyokumo\JWTBundle\Exception\NotVerifiedJWTException;
+use Jose\Component\Checker\InvalidClaimException;
+use Jose\Component\Checker\InvalidHeaderException;
+use Jose\Component\Core\JWKSet;
+use Jose\Component\KeyManagement\JWKFactory;
+use Jose\Component\Signature\Serializer\CompactSerializer;
+use Jose\Easy\Build;
+use Jose\Easy\Load;
+
+/**
+ * Class JWTService
+ * @package Toyokumo\JWTBundle
+ */
+class JWTService
+{
+    private JWKSet $jwkSet;
+
+    /**
+     * JWTService constructor.
+     * @param string $keyDirPath
+     * @param array $jwkInfos
+     */
+    public function __construct(string $keyDirPath, array $jwkInfos)
+    {
+        if ('/' !== substr($keyDirPath, -1)) {
+            $keyDirPath .= '/';
+        }
+        $jwks = [];
+        foreach ($jwkInfos as $jwkInfo) {
+            $kid = $jwkInfo['kid'];
+            $alg = $jwkInfo['alg'];
+            if ($alg === 'HS256') {
+                $secret = $jwkInfo['secret'];
+                $jwks[] = JWKFactory::createFromSecret($secret, [
+                    'use' => 'sig',
+                    'alg' => $alg,
+                    'kid' => $kid,
+                ]);
+            } else {
+                $filename = $jwkInfo['filename'];
+                $passphrase = $jwkInfo['passphrase'];
+                $jwks[] = JWKFactory::createFromKeyFile(
+                    $keyDirPath . $filename,
+                    $passphrase,
+                    [
+                        'use' => 'sig',
+                        'alg' => $alg,
+                        'kid' => $kid,
+                    ]
+                );
+            }
+        }
+        $this->jwkSet = new JWKSet($jwks);
+    }
+
+    /**
+     * @param array $claims
+     * @param string $kid
+     * @param int $exp
+     * @return string
+     */
+    public function generateJWSToken(
+        array $claims,
+        string $kid,
+        int $exp
+    ): string {
+        $now = time();
+
+        $jwk = $this->jwkSet->get($kid);
+        $jws = Build::jws()
+            ->alg($jwk->get('alg'))
+            ->header('kid', $kid)
+            ->exp($now + $exp)
+            ->iat($now)
+            ->nbf($now);
+        foreach ($claims as $key => $value) {
+            $jws->claim($key, $value);
+        }
+        return $jws->sign($jwk);
+    }
+
+    /**
+     * @param string $token
+     * @param string $claimKey
+     * @return mixed
+     * @throws NotVerifiedJWTException
+     * @throws InvalidJWTException
+     * @throws Exception
+     */
+    public function extractValueFromToken(string $token, string $claimKey)
+    {
+        try {
+            // Get kid for identifying jwk
+            $signatures = (new CompactSerializer())
+                ->unserialize($token)
+                ->getSignatures();
+            $signature = $signatures[0];
+            if (!$signature->hasProtectedHeaderParameter('kid')) {
+                throw new NotVerifiedJWTException('Token is not verified.');
+            }
+            $kid = $signature->getProtectedHeaderParameter('kid');
+            if (!$this->jwkSet->has($kid)) {
+                throw new NotVerifiedJWTException('Token is not verified.');
+            }
+            $jwk = $this->jwkSet->get($kid);
+
+            $jwt = Load::jws($token)
+                ->alg($jwk->get('alg'))
+                ->exp()
+                ->nbf()
+                ->key($jwk)
+                ->run();
+        } catch (InvalidClaimException $e) {
+            // token expiration etc..
+            throw new InvalidJWTException('Token is invalid.');
+        } catch (InvalidHeaderException $e) {
+            // alg=none tampering etc..
+            throw new NotVerifiedJWTException('Token is not verified.');
+        } catch (InvalidArgumentException $e) {
+            if ($e->getMessage() === 'Unsupported input') {
+                // failed to decode token
+                throw new NotVerifiedJWTException('Token is not verified.');
+            }
+            if ($e->getMessage() === 'Undefined index') {
+                // there is no JWK corresponding to kid
+                throw new NotVerifiedJWTException('Token is not verified.');
+            }
+            throw $e;
+        } catch (Exception $e) {
+            if ($e->getMessage() === 'Invalid signature') {
+                throw new NotVerifiedJWTException('Token is not verified.');
+            }
+            throw $e;
+        }
+
+        return $jwt->claims->get($claimKey);
+    }
+}

src/ToyokumoJWTBundle.php

@@ -0,0 +1,9 @@
+<?php
+
+namespace Toyokumo\JWTBundle;
+
+use Symfony\Component\HttpKernel\Bundle\Bundle;
+
+class ToyokumoJWTBundle extends Bundle
+{
+}