<?php
namespace Automattic\WooCommerce\StoreApi\Utilities;
/**
* JsonWebToken class.
*
* Simple Json Web Token generator & verifier static utility class, currently supporting only HS256 signatures.
*/
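final class JsonWebToken {

	/**
	 * JWT header type.
	 *
	 * @var string
	 */
	private static $type = 'JWT';

	/**
	 * JWT algorithm to generate signature.
	 *
	 * Pinned to a single value: shallow_validate() rejects any token whose header declares a
	 * different `alg`, so the token itself cannot select the verification algorithm.
	 *
	 * @var string
	 */
	private static $algorithm = 'HS256';

	/**
	 * Generates a token from provided data and secret.
	 *
	 * The payload is only Base64URL-encoded and signed, not encrypted, so anyone holding the token
	 * can read it. An `iat` claim with the current time is always written and replaces any `iat`
	 * supplied by the caller. No `exp` claim is added here; shallow_validate() rejects tokens
	 * without one, so the caller has to provide it.
	 *
	 * The strength of the HMAC depends entirely on the secret; this class does not enforce a
	 * minimum length or reject an empty secret.
	 *
	 * @param array  $payload Payload data.
	 * @param string $secret  The secret used to generate the signature.
	 *
	 * @return string
	 */
	public static function create( array $payload, string $secret ) {
		$header    = self::to_base_64_url( self::generate_header() );
		$payload   = self::to_base_64_url( self::generate_payload( $payload ) );
		$signature = self::to_base_64_url( self::generate_signature( $header . '.' . $payload, $secret ) );

		return $header . '.' . $payload . '.' . $signature;
	}

	/**
	 * Validates a provided token against the provided secret.
	 * Checks for format, valid header for our class, expiration claim validity and signature.
	 * https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
	 *
	 * This is the only method in the class that authenticates a token. Claims read through
	 * get_parts() must not be trusted unless this method returned true for the same token.
	 *
	 * @param string $token  Full token string.
	 * @param string $secret The secret used to generate the signature.
	 *
	 * @return bool
	 */
	public static function validate( string $token, string $secret ) {
		if ( ! self::shallow_validate( $token ) ) {
			return false;
		}

		$parts = self::get_parts( $token );

		/**
		 * Check if the token is based on our secret. The signature is recomputed over the encoded
		 * header and payload exactly as received, never over a re-serialised copy.
		 */
		$encoded_regenerated_signature = self::to_base_64_url(
			self::generate_signature( $parts->header_encoded . '.' . $parts->payload_encoded, $secret )
		);

		// hash_equals() is timing-safe; the locally computed value goes first as the known string.
		return hash_equals( $encoded_regenerated_signature, $parts->signature_encoded );
	}

	/**
	 * Shallow validate a token: checks the structure, the declared header and the expiration
	 * claim, but does NOT check the signature.
	 *
	 * A true result therefore says nothing about who issued the token; every value inspected here
	 * is still attacker-controlled until validate() has verified the signature.
	 *
	 * @param string $token Full token string.
	 *
	 * @return bool
	 */
	public static function shallow_validate( string $token ) {
		if ( ! $token ) {
			return false;
		}

		/**
		 * Confirm the structure of a JSON Web Token, it has three parts separated
		 * by dots and complies with Base64URL standards.
		 */
		if ( preg_match( '/^[a-zA-Z\d\-_=]+\.[a-zA-Z\d\-_=]+\.[a-zA-Z\d\-_=]+$/', $token ) !== 1 ) {
			return false;
		}

		$parts = self::get_parts( $token );

		/**
		 * Check if header declares a supported JWT by this class.
		 * The strict comparison against the pinned algorithm also rejects `alg: none` and any
		 * non-string value.
		 */
		if (
			! is_object( $parts->header ) ||
			! property_exists( $parts->header, 'typ' ) ||
			! property_exists( $parts->header, 'alg' ) ||
			self::$type !== $parts->header->typ ||
			self::$algorithm !== $parts->header->alg
		) {
			return false;
		}

		/**
		 * The payload segment is untrusted and may decode to null, a scalar or an array.
		 * property_exists() throws a TypeError on PHP 8 for those, and treats a string as a class
		 * name, so require an object before looking at any claim.
		 */
		if ( ! is_object( $parts->payload ) ) {
			return false;
		}

		/**
		 * Check if token is expired. A missing or non-numeric `exp` is treated as invalid rather
		 * than being cast to an integer.
		 */
		if (
			! property_exists( $parts->payload, 'exp' ) ||
			! is_numeric( $parts->payload->exp ) ||
			time() > (int) $parts->payload->exp
		) {
			return false;
		}

		return true;
	}

	/**
	 * Returns the decoded/encoded header, payload and signature from a token string.
	 *
	 * This only parses; it performs no validation. `header` and `payload` are whatever
	 * json_decode() yields for the segment (null when the segment is not valid JSON), and
	 * `signature` is the raw decoded bytes.
	 *
	 * @param string $token Full token string.
	 *
	 * @return object
	 */
	public static function get_parts( string $token ) {
		// The method is public, so tolerate input with fewer than three segments instead of
		// reading undefined offsets: missing segments are treated as empty strings.
		$parts = array_pad( explode( '.', $token ), 3, '' );

		return (object) array(
			'header'            => json_decode( self::from_base_64_url( $parts[0] ) ),
			'header_encoded'    => $parts[0],
			'payload'           => json_decode( self::from_base_64_url( $parts[1] ) ),
			'payload_encoded'   => $parts[1],
			'signature'         => self::from_base_64_url( $parts[2] ),
			'signature_encoded' => $parts[2],
		);
	}

	/**
	 * Generates the json formatted header for our HS256 JWT token.
	 *
	 * @return string|bool
	 */
	private static function generate_header() {
		return wp_json_encode(
			array(
				'alg' => self::$algorithm,
				'typ' => self::$type,
			)
		);
	}

	/**
	 * Generates a sha256 signature for the provided string using the provided secret.
	 *
	 * The result is the raw binary HMAC (fourth argument true), not a hex string.
	 *
	 * @param string $string Header + Payload token substring.
	 * @param string $secret The secret used to generate the signature.
	 *
	 * @return false|string
	 */
	private static function generate_signature( string $string, string $secret ) {
		return hash_hmac(
			'sha256',
			$string,
			$secret,
			true
		);
	}

	/**
	 * Generates the payload in json formatted string.
	 *
	 * The `iat` entry comes last in the merge, so it overrides an `iat` key in $payload.
	 *
	 * @param array $payload Payload data.
	 *
	 * @return string|bool
	 */
	private static function generate_payload( array $payload ) {
		return wp_json_encode( array_merge( $payload, [ 'iat' => time() ] ) );
	}

	/**
	 * Encodes a string to url safe base64.
	 *
	 * Padding is stripped, so the output never contains `=`.
	 *
	 * @param string $string The string to be encoded.
	 *
	 * @return string
	 */
	private static function to_base_64_url( string $string ) {
		return str_replace(
			array( '+', '/', '=' ),
			array( '-', '_', '' ),
			base64_encode( $string ) // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
		);
	}

	/**
	 * Decodes a string encoded using url safe base64, supporting auto padding.
	 *
	 * @param string $string the string to be decoded.
	 *
	 * @return string
	 */
	private static function from_base_64_url( string $string ) {
		/**
		 * Add padding to base64 strings which require it. Some base64 URL strings
		 * which are decoded will have missing padding which is represented by the
		 * equals sign. The length is brought up to the next multiple of four in one step.
		 */
		$remainder = strlen( $string ) % 4;
		if ( 0 !== $remainder ) {
			$string .= str_repeat( '=', 4 - $remainder );
		}

		return base64_decode( // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
			str_replace(
				array( '-', '_' ),
				array( '+', '/' ),
				$string
			)
		);
	}
}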