dmkit / phalcon-jwt-auth Goto Github PK

View Code? Open in Web Editor NEW

36.0 3.0 22.0 54 KB

Basic jwt authentication class for Phalcon framework

License: MIT License

PHP 100.00%

middleware phalcon-jwt phalcon jwt-authentication

phalcon-jwt-auth's Introduction

phalcon-jwt-auth

A simple JWT middleware for Phalcon Micro to handle stateless authentication.

Installation

$ composer require dmkit/phalcon-jwt-auth

or in your composer.json

{
    "require": {
		"dmkit/phalcon-jwt-auth" : "dev-master"
    }
}

then run

$ composer update

Usage

Configuration - Loading the config service

in config.ini or in any config file

[jwtAuth]

; JWT Secret Key
secretKey = 923753F2317FC1EE5B52DF23951B

; JWT default Payload

;; expiry time in minutes
payload[exp] = 1440
payload[iss] = phalcon-jwt-auth

; Micro Applications do not have a controller or dispatcher
; so to know the resource being called we have to check the actual URL.

; If you want to disable the middleware on certain routes or resource:
;; index
ignoreUri[] = /

;; regex pattern with http methods
ignoreUri[] = regex:/application/
ignoreUri[] = regex:/users/:POST,PUT

;; literal strings
ignoreUri[] = /auth/user:POST,PUT
ignoreUri[] = /auth/application

in bootstrap or index file

use Phalcon\Mvc\Micro;
use Phalcon\Config\Adapter\Ini as ConfigIni;
use Phalcon\Di\FactoryDefault;
use Dmkit\Phalcon\Auth\Middleware\Micro as AuthMicro;

// set default services
$di = new FactoryDefault();

/**
 * IMPORTANT:
 * You must set "config" service that will load the configuration file.
 */
$config = new ConfigIni( APP_PATH . "app/config/config.ini");
$di->set(
    "config",
    function () use($config) {
        return $config;
    }
);

$app = new Micro($di);

// AUTH MICRO
$auth = new AuthMicro($app);

$app->handle();

Configuration - Don't want to use a config file? then pass the config instead

in bootstrap or index file

use Phalcon\Mvc\Micro;
use Phalcon\Config\Adapter\Ini as ConfigIni;
use Phalcon\Di\FactoryDefault;
use Dmkit\Phalcon\Auth\Middleware\Micro as AuthMicro;

// set default services
$di = new FactoryDefault();

$app = new Micro($di);

// SETUP THE CONFIG
$authConfig = [
    'secretKey' => '923753F2317FC1EE5B52DF23951B1',
    'payload' => [
            'exp' => 1440,
            'iss' => 'phalcon-jwt-auth'
        ],
     'ignoreUri' => [
            '/',
            'regex:/application/',
            'regex:/users/:POST,PUT',
            '/auth/user:POST,PUT',
            '/auth/application'
        ]
];

// AUTH MICRO
$auth = new AuthMicro($app, $authConfig);

$app->handle();

Authentication

To make authenticated requests via http, you will need to set an authorization headers as follows:

Authorization: Bearer {yourtokenhere}

or pass the token as a query string

?_token={yourtokenhere}

Callbacks

By default if the authentication fails, the middleware will stop the execution of routes and will immediately return a response of 401 Unauthorized. If you want to add your own handler:

$auth->onUnauthorized(function($authMicro, $app) {

    $response = $app["response"];
    $response->setStatusCode(401, 'Unauthorized');
    $response->setContentType("application/json");

    // to get the error messages
    $response->setContent(json_encode([$authMicro->getMessages()[0]]));
    $response->send();

    // return false to stop the execution
    return false;
});

If you want an additional checking on the authentication, like intentionally expiring a token based on the payload issued date, you may do so:

$auth->onCheck(function($auth) {
 // to get the payload
 $data = $auth->data();

 if($data['iat'] <= strtotime('-1 day')) ) {
    // return false to invalidate the authentication
    return false;
 }

});

The Auth service

You can access the middleware by calling the "auth" service.

print_r( $app['auth']->data() );

print_r( $app->getDI()->get('auth')->data('email') );

// in your contoller
print_r( $this->auth->data() );

If you want to change the service name:

AuthMicro::$diName = 'jwtAuth';

Creating a token

In your controller or route handler

$payload = [
    'sub'   => $user->id,
    'email' => $user->email,
    'username' =>  $user->username,
    'role'  => 'admin',
    'iat' => time(),
];
$token = $this->auth->make($payload);

Accessing the authenticated user / data

In your controller or route handler

echo $this->auth->id(); // will look for sub or id payload

echo $this->auth->data(); // return all payload

echo $this->auth->data('email');

Extending

If you want to add your own middleware or play around:

Dmkit\Phalcon\Auth\Auth.php and its adapters - does all the authentication

Dmkit\Phalcon\Auth\TokenGetter\TokenGetter.php and its adapters - does the parsing or getting of token

JWT

Phalcon JWT Auth uses the Firebase JWT library. To learn more about it and JSON Web Tokens in general, visit: https://github.com/firebase/php-jwt https://jwt.io/introduction/

Tests

Install PHPUnit https://phpunit.de/getting-started.html

$ phpunit --configuration phpunit.xml.dist
PHPUnit 5.6.5 by Sebastian Bergmann and contributors.

......["missing token"].["members option"].["members put"].["members put"].["Expired token"].["members post"]....                                                   15 / 15 (100%)

Time: 73 ms, Memory: 10.00MB

OK (15 tests, 27 assertions)

phalcon-jwt-auth's People

Contributors

Stargazers

Watchers

phalcon-jwt-auth's Issues

Error

Hello I am having problems implementing jwt in phalcon, I am importing as described: "use Dmkit \ Phalcon \ Auth \ Middleware \ Micro as AuthMicro;" but I have the return: "Uncaught Error: Class 'Dmkit \ Phalcon \ Auth \ Middleware \ Micro' not found in /var/www/html/b9Back/public/index.php:63" Here is line 63: "$ auth = new AuthMicro ($ app, $ authConfig); "

Missing License

I'd like to use this, but I'd need to be able to tick the licensing box. Is it possible to add a license? MIT/BSD or similar would be good (Phalcon itself uses New BSD)

Add the package to packagist.org

hey @dmkit any plans on adding on doing this?

  [InvalidArgumentException]
  Could not find package dmkit/phalcon-jwt-auth at any version for your minimum-stability (stable). Check the package spelling or your minimum-stability

had to install the package by adding the git link to my composer.json

Thanks and I'll be submitting PR to update the package to jwt 5 ;)

Add support for nbf field

Add nbf standard field to check method.
Not before (nbf): Identifies the time on which the JWT will start to be accepted for processing.

Remove all files that aren't user in the package.

Remove all HTML, js, and dirs that aren't part of the package.

Phalcon 4.x

Hi, first of all thanks for this project.
Can you update the composer requirements to allow for this version to be used on phalcon version 4.x?
I've tested this version with the current version of the project and it still works as suppose to.

Thanks once again

IgnoreUri regex match bug

Dmkit\Phalcon\Auth\Middleware\Micro.php Line :166

Should be
preg_match('#'.$pattern.'#', $requestUri)

my config
'ignoreUri' => [
'regex:/user/[0-9]+/profile:POST',
]

resuestUri : /user/1/profile

Add steps to run the tests in the readme file.

Signature verification failed

Hi @dmkit ,

I just started learning PhalconPHP and decided to create a simple API, using jwt auth.
I can generate the token without any problem, but when I try to access a protected route I always have a "Signature verification failed". I went on https://jwt.io/#debugger and pasted my token and my secret and it verified properly.

Any help appreciated!

Here is my index:

<?php

require __DIR__ . '/../vendor/autoload.php';

use Dmkit\Phalcon\Auth\Middleware\Micro as AuthMicro;
use Phalcon\Config\Adapter\Ini as ConfigIni;
use Phalcon\Db\Adapter\Pdo\Mysql as PdoMysql;
use Phalcon\Di\FactoryDefault;
use Phalcon\Http\Response;
use Phalcon\Loader;
use Phalcon\Mvc\Micro;
use Phalcon\Mvc\Micro\Collection as MicroCollection;

// Use Loader() to autoload our model
$loader = new Loader();
$loader->registerNamespaces([
    "App\Controller" => __DIR__ . "/../controllers/",
    "App\Model" => __DIR__ . "/../models/",
]);

$loader->register();

$di = new FactoryDefault();
$config = new ConfigIni(__DIR__ . "/../config.ini");

// Set config
$di->set("config", function () use ($config) {
    return $config;
});

// Set up the database service
$di->set("db", function () {
    return new PdoMysql([
        "host" => "localhost",
        "username" => "...",
        "password" => "...",
        "dbname" => "...",
    ]);
});

$app = new Micro($di);
$auth = new AuthMicro($app);

/* Registering routes for each controller */
$test = new MicroCollection();
$test->setHandler('App\Controller\TestController', true);
$test->setPrefix('/tests');
$test->get('/', 'list');
$test->get('/{id:[0-9]+}', 'get');

$user = new MicroCollection();
$user->setHandler('App\Controller\UserController', true);
$user->setPrefix('/users');
$user->post('/token', 'token');

$app->mount($test);
$app->mount($user);

$app->handle();

The config.ini is the one in the README with just this line added:
ignoreUri[] = /users/token:POST

And the method used to generate the token:

    public function token()
    {
        $response = new Response();
        $data = [
            'success' => false,
        ];
        $content = $this->request->getJsonRawBody();

        if (property_exists($content, "username") && property_exists($content, "password")) {
            $phql = "SELECT * FROM " . User::class . " WHERE username = :username:";
            $user = $this->modelsManager->executeQuery($phql, [
                "username" => $content->username,
            ])->getFirst();

            if ($user && $user instanceof User) {
                if (password_verify($content->password, $user->getPassword())) {
                    $payload = [
                        'sub' => $user->getId(),
                        'email' => $user->getEmail(),
                        'username' => $user->getUsername(),
                        'role' => 'admin',
                        'iat' => time(),
                    ];
                    $token = $this->auth->make($payload);

                    $data = [
                        'success' => true,
                        'token' => $token,
                    ];
                }
            }
        }

        $response->setJsonContent($data);

        return $response;
    }

I'm working with PHP 7.0 and PhalconPHP 3.2.0.

Did I miss something?

PHP 5.5 Compatibility

Do you plan to make a php5.6 compatibility ?

Avoid checking the JWT if the URI is ignored

Why we have to check if the JWT is valid if the URI is ignored already?
I was about to do a PR with the changes but I realized that you have done this on purpose.