ykiakao/api-ranking-jogos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4776437819fa32780593e2d62aaf6198fa2e28d
api-ranking-jogos/app/Http/Middleware/JwtAuthMiddleware.php

157 lines
4.5 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
class JwtAuthMiddleware
{
public function handle(Request $request, Closure $next)
{
try {
$authHeader = $request->header('Authorization');
if (!$authHeader) {
return response()->json(['message' => 'Missing Authorization header'], 401);
}
if (!preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
return response()->json(['message' => 'Invalid token format'], 401);
}
$token = $matches[1];
[$header, $payload, $signature] = $this->decodeToken($token);
if (($header['alg'] ?? null) !== 'RS256') {
return response()->json(['message' => 'Invalid token algorithm'], 401);
}
if (!$this->signatureIsValid($token, $signature)) {
return response()->json(['message' => 'Invalid token signature'], 401);
}
if (($payload['iss'] ?? null) !== config('jwt.issuer')) {
return response()->json(['message' => 'Invalid token issuer'], 401);
}
if (!$this->audienceIsValid($payload['aud'] ?? null)) {
return response()->json(['message' => 'Invalid token audience'], 401);
}
if (empty($payload['sub'])) {
return response()->json(['message' => 'Invalid token subject'], 401);
}
if ($this->tokenIsExpired($payload)) {
return response()->json(['message' => 'Invalid or expired token'], 401);
}
$request->attributes->set('auth', [
'id' => $payload['sub'],
'token' => $token
]);
return $next($request);
} catch (\InvalidArgumentException $e) {
return response()->json(['message' => 'Invalid or expired token'], 401);
} catch (\Throwable $e) {
return response()->json(['message' => $e->getMessage()], 500);
}
}
private function decodeToken(string $token): array
{
$parts = explode('.', $token);
if (count($parts) !== 3) {
throw new \InvalidArgumentException('Invalid token structure');
}
return [
$this->base64UrlDecodeJson($parts[0]),
$this->base64UrlDecodeJson($parts[1]),
$this->base64UrlDecode($parts[2]),
];
}
private function base64UrlDecodeJson(string $value): array
{
$decoded = json_decode($this->base64UrlDecode($value), true);
if (!is_array($decoded)) {
throw new \InvalidArgumentException('Invalid token payload');
}
return $decoded;
}
private function base64UrlDecode(string $value): string
{
$value .= str_repeat('=', (4 - strlen($value) % 4) % 4);
$decoded = base64_decode(strtr($value, '-_', '+/'), true);
if ($decoded === false) {
throw new \InvalidArgumentException('Invalid base64url value');
}
return $decoded;
}
private function signatureIsValid(string $token, string $signature): bool
{
[$header, $payload] = explode('.', $token, 3);
$publicKey = str_replace('\\n', "\n", (string) config('jwt.public_key'));
if ($publicKey === '') {
throw new \RuntimeException('JWT public key is empty');
}
$keyResource = openssl_pkey_get_public($publicKey);
if ($keyResource === false) {
throw new \RuntimeException(openssl_error_string() ?: 'OpenSSL could not read JWT public key');
}
$result = openssl_verify(
$header . '.' . $payload,
$signature,
$keyResource,
OPENSSL_ALGO_SHA256
);
if ($result === false) {
throw new \RuntimeException(openssl_error_string() ?: 'OpenSSL could not verify JWT signature');
}
return $result === 1;
}
private function tokenIsExpired(array $payload): bool
{
if (!isset($payload['exp']) || !is_numeric($payload['exp'])) {
return true;
}
return time() >= (int) $payload['exp'];
}
private function audienceIsValid(mixed $audience): bool
{
$expectedAudience = config('jwt.audience');
if (is_string($audience)) {
return $audience === $expectedAudience;
}
if (is_array($audience)) {
return in_array($expectedAudience, $audience, true);
}
return false;
}
}
Reference in New Issue View Git Blame Copy Permalink