package Koha::Token;
-# Created as wrapper for CSRF tokens, but designed for more general use
+# Created as wrapper for CSRF and JWT tokens, but designed for more general use
# Copyright 2016 Rijksmuseum
#
use Bytes::Random::Secure;
use String::Random;
use WWW::CSRF;
+use Mojo::JWT;
use Digest::MD5 qw( md5_base64 );
use Encode;
use C4::Context;
my $csrf_token = $tokenizer->generate({
type => 'CSRF', id => $id, secret => $secret,
});
+ my $jwt = $tokenizer->generate({
+ type => 'JWT, id => $id, secret => $secret,
+ });
Generate several types of tokens. Now includes CSRF.
For non-CSRF tokens an optional pattern parameter overrides length.
my ( $self, $params ) = @_;
if( $params->{type} && $params->{type} eq 'CSRF' ) {
$self->{lasttoken} = _gen_csrf( $params );
+ } elsif( $params->{type} && $params->{type} eq 'JWT' ) {
+ $self->{lasttoken} = _gen_jwt( $params );
} else {
$self->{lasttoken} = _gen_rand( $params );
}
return $self->generate({ %$params, type => 'CSRF' });
}
+=head2 generate_jwt
+
+ Like: generate({ type => 'JWT', ... })
+ Note that JWT is designed to encode a structure but here we are actually only allowing a value
+ that will be store in the key 'id'.
+
+=cut
+
+sub generate_jwt {
+ my ( $self, $params ) = @_;
+ return if !$params->{id};
+ $params = _add_default_jwt_params( $params );
+ return $self->generate({ %$params, type => 'JWT' });
+}
+
=head2 check
my $result = $tokenizer->check({
if( $params->{type} && $params->{type} eq 'CSRF' ) {
return _chk_csrf( $params );
}
+ elsif( $params->{type} && $params->{type} eq 'JWT' ) {
+ return _chk_jwt( $params );
+ }
return;
}
return $self->check({ %$params, type => 'CSRF' });
}
+=head2 check_jwt
+
+ Like: check({ type => 'JWT', id => $id, token => $token })
+
+ Will return true if the token contains the passed id
+
+=cut
+
+sub check_jwt {
+ my ( $self, $params ) = @_;
+ $params = _add_default_jwt_params( $params );
+ return $self->check({ %$params, type => 'JWT' });
+}
+
+=head2 decode_jwt
+
+ $tokenizer->decode_jwt({ type => 'JWT', token => $token })
+
+ Will return the value of the id stored in the token.
+
+=cut
+sub decode_jwt {
+ my ( $self, $params ) = @_;
+ $params = _add_default_jwt_params( $params );
+ return _decode_jwt( $params );
+}
+
# --- Internal routines ---
sub _add_default_csrf_params {
return $token;
}
+sub _add_default_jwt_params {
+ my ( $params ) = @_;
+ my $pw = C4::Context->config('pass');
+ $params->{secret} //= md5_base64( Encode::encode( 'UTF-8', $pw ) ),
+ return $params;
+}
+
+sub _gen_jwt {
+ my ( $params ) = @_;
+ return if !$params->{id} || !$params->{secret};
+
+ return Mojo::JWT->new(
+ claims => { id => $params->{id} },
+ secret => $params->{secret}
+ )->encode;
+}
+
+sub _chk_jwt {
+ my ( $params ) = @_;
+ return if !$params->{id} || !$params->{secret} || !$params->{token};
+
+ my $claims = Mojo::JWT->new(secret => $params->{secret})->decode($params->{token});
+
+ return 1 if exists $claims->{id} && $claims->{id} == $params->{id};
+}
+
+sub _decode_jwt {
+ my ( $params ) = @_;
+ return if !$params->{token} || !$params->{secret};
+
+ my $claims = Mojo::JWT->new(secret => $params->{secret})->decode($params->{token});
+
+ return $claims->{id};
+}
+
=head1 AUTHOR
Marcel de Rooy, Rijksmuseum Amsterdam, The Netherlands
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
-use Test::More tests => 11;
+use Test::More tests => 12;
use Test::Exception;
use Time::HiRes qw|usleep|;
use C4::Context;
ok( $id !~ /[^A-Z]/, 'Only uppercase letters' );
throws_ok( sub { $tokenizer->generate({ pattern => 'abc{d,e}', }) }, 'Koha::Exceptions::Token::BadPattern', 'Exception should be thrown when wrong pattern is used');
};
+
+subtest 'JWT' => sub {
+ plan tests => 3;
+
+ my $id = 42;
+ my $jwt = $tokenizer->generate_jwt({ id => $id });
+
+ my $is_valid = $tokenizer->check_jwt({ id => $id, token => $jwt });
+ is( $is_valid, 1, 'valid token should return 1' );
+
+ $is_valid = $tokenizer->check_jwt({ id => 24, token => $jwt });
+ isnt( $is_valid, 1, 'invalid token should not return 1' );
+
+ my $retrieved_id = $tokenizer->decode_jwt({ token => $jwt });
+ is( $retrieved_id, $id, 'id stored in jwt should be correct' );
+};