From c4e4db7a45e9519a608c4619a20256057c0349d6 Mon Sep 17 00:00:00 2001
From: Dave Mc Nicoll <dave.mcnicoll@cslsj.qc.ca>
Date: Fri, 31 May 2024 12:27:07 +0000
Subject: [PATCH] -WIP on Bearer token

---
 src/Authorize/Bearer/Algorithms/HmacSha.php   | 15 ++++
 .../Bearer/JsonWebTokenAlgorithmEnum.php      | 68 +++++++++++++++
 src/Authorize/Bearer/JsonWebTokenDecoder.php  | 82 +++++++++++++++++++
 .../Bearer/JsonWebTokenDecodingError.php      |  8 ++
 src/Authorize/Bearer/JsonWebTokenEncoder.php  | 12 +++
 .../Bearer/JsonWebTokenException.php          |  8 ++
 .../JsonWebTokenInvalidSignatureError.php     |  8 ++
 src/Authorize/Bearer/JsonWebTokenTypeEnum.php | 18 ++++
 src/Authorize/Bearer/JsonWebTokenValidate.php | 56 +++++++++++++
 src/Authorize/Header/BearerMethod.php         | 46 ++++++++++-
 src/Authorize/Header/BearerTokenTypeEnum.php  | 10 +++
 src/Authorize/HeaderAuthentication.php        |  8 +-
 src/Lib/Authenticate.php                      | 73 +++++++++--------
 13 files changed, 377 insertions(+), 35 deletions(-)
 create mode 100644 src/Authorize/Bearer/Algorithms/HmacSha.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenAlgorithmEnum.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenDecoder.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenDecodingError.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenEncoder.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenException.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenInvalidSignatureError.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenTypeEnum.php
 create mode 100644 src/Authorize/Bearer/JsonWebTokenValidate.php
 create mode 100644 src/Authorize/Header/BearerTokenTypeEnum.php

diff --git a/src/Authorize/Bearer/Algorithms/HmacSha.php b/src/Authorize/Bearer/Algorithms/HmacSha.php
new file mode 100644
index 0000000..dde8c7a
--- /dev/null
+++ b/src/Authorize/Bearer/Algorithms/HmacSha.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer\Algorithms;
+
+use Ulmus\User\Authorize\Bearer\JsonWebTokenException;
+
+class HmacSha
+{
+    public static function encode(string $encodedHeader, string $encodedPayload, string $secretKey) : string
+    {
+
+    }
+
+
+}
\ No newline at end of file
diff --git a/src/Authorize/Bearer/JsonWebTokenAlgorithmEnum.php b/src/Authorize/Bearer/JsonWebTokenAlgorithmEnum.php
new file mode 100644
index 0000000..6ed4433
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenAlgorithmEnum.php
@@ -0,0 +1,68 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+enum JsonWebTokenAlgorithmEnum
+{
+    case HS256;
+
+    case HS384;
+
+    case HS512;
+
+    case RS256;
+
+    case RS384;
+
+    case RS512;
+
+    case ES256;
+
+    case ES384;
+
+    case ES512;
+
+    case PS256;
+
+    case PS384;
+
+    case PS512;
+
+    public static function list() : array
+    {
+        return array_map(fn(JsonWebTokenAlgorithmEnum $case) => $case->name, static::cases());
+    }
+
+    public static function fromString(string $name) : self
+    {
+        foreach (static::cases() as $item) {
+            if ($item->name === $name) {
+                return $item;
+            }
+        }
+    }
+
+    public static function exists(string $key) : bool
+    {
+        return in_array($key, static::list());
+    }
+
+    public function assessOperability() : void
+    {
+        $method = $this->phpAlgoMethods();
+
+        if (empty($method) || ! in_array($method[0], $method[2])) {
+            throw new JsonWebTokenException(sprintf("Choosen algorithm do not seems to be supported by your PHP version '%s'", $this->name));
+        }
+    }
+
+    public function phpAlgoMethods() : false|array
+    {
+        return match($this) {
+            self::HS256 => [ 'sha256', 'hash_hmac', hash_hmac_algos() ],
+            self::HS384 => [ 'sha384', 'hash_hmac', hash_hmac_algos() ],
+            self::HS512 => [ 'sha512', 'hash_hmac', hash_hmac_algos() ],
+            # Support for other algorithms not implemented yet...
+        } ?? false;
+    }
+}
diff --git a/src/Authorize/Bearer/JsonWebTokenDecoder.php b/src/Authorize/Bearer/JsonWebTokenDecoder.php
new file mode 100644
index 0000000..34215f2
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenDecoder.php
@@ -0,0 +1,82 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+class JsonWebTokenDecoder
+{
+    protected array $header;
+
+    protected array $payload;
+
+    protected JsonWebTokenAlgorithmEnum $algrithm;
+
+    public function __construct(
+        public string $encoded
+    ) {}
+
+    protected function parse() : bool
+    {
+        try {
+            list($encodedHeader, $encodedPayload, $signature) = explode('.', $this->encoded);
+
+            foreach([ 'header' => $encodedHeader, 'payload' => $encodedPayload ] as $key => $value) {
+                $decoded = static::base64url_decode($value) ;
+
+                if ( $decoded !== false ){
+                    $jsonArray = json_decode($decoded, true);
+
+                    if ( is_array($jsonArray) ) {
+                        if ($key === 'header') {
+                            JsonWebTokenValidate::validateHeaderType($jsonArray);
+                            JsonWebTokenValidate::validateHeaderAlgorithm($jsonArray);
+                        }
+
+                        $this->$key = $jsonArray;
+                    }
+                    else {
+                        throw new JsonWebTokenDecodingError(sprintf("Invalid JSON returned while decoding section %s ; an array must be provided", $key));
+                    }
+                }
+                else {
+                    throw new JsonWebTokenDecodingError(sprintf("An error occured while decoding a base64 string from section %s", $key));
+                }
+            }
+
+            JsonWebTokenValidate::validateSignature($this->header['alg'], getenv('LEAN_RANDOM'), $encodedHeader, $encodedPayload, $signature);
+        }
+        catch(\Throwable $t) {
+            throw new JsonWebTokenDecodingError($t->getMessage(), $t->getCode(), $t);
+        }
+
+        return true;
+    }
+
+    public static function base64url_decode($data) : string|false
+    {
+        return base64_decode(strtr($data, '-_', '+/'));
+    }
+
+    public function decode() : bool
+    {
+        return $this->parse();
+    }
+
+    /**
+     * Basic validation of JWT encoded string
+     * @return bool
+     */
+    public function isJWT() : bool
+    {
+        try {
+            return $this->parse();
+        }
+        catch(\Throwable $t) {}
+
+        return false;
+    }
+
+    public function getPayload() : array
+    {
+        return $this->payload;
+    }
+}
\ No newline at end of file
diff --git a/src/Authorize/Bearer/JsonWebTokenDecodingError.php b/src/Authorize/Bearer/JsonWebTokenDecodingError.php
new file mode 100644
index 0000000..1b18d92
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenDecodingError.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+class JsonWebTokenDecodingError extends JsonWebTokenException
+{
+
+}
\ No newline at end of file
diff --git a/src/Authorize/Bearer/JsonWebTokenEncoder.php b/src/Authorize/Bearer/JsonWebTokenEncoder.php
new file mode 100644
index 0000000..f510a8c
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenEncoder.php
@@ -0,0 +1,12 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+class JsonWebTokenEncoder
+{
+
+    public static function base64url_encode($data) : string
+    {
+        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
+    }
+}
\ No newline at end of file
diff --git a/src/Authorize/Bearer/JsonWebTokenException.php b/src/Authorize/Bearer/JsonWebTokenException.php
new file mode 100644
index 0000000..d6db231
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenException.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+class JsonWebTokenException extends \Exception
+{
+
+}
\ No newline at end of file
diff --git a/src/Authorize/Bearer/JsonWebTokenInvalidSignatureError.php b/src/Authorize/Bearer/JsonWebTokenInvalidSignatureError.php
new file mode 100644
index 0000000..5f39878
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenInvalidSignatureError.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+class JsonWebTokenInvalidSignatureError extends JsonWebTokenException
+{
+
+}
\ No newline at end of file
diff --git a/src/Authorize/Bearer/JsonWebTokenTypeEnum.php b/src/Authorize/Bearer/JsonWebTokenTypeEnum.php
new file mode 100644
index 0000000..3344a47
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenTypeEnum.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+enum JsonWebTokenTypeEnum
+{
+    case JWT;
+
+    public static function list() : array
+    {
+        return array_map(fn(JsonWebTokenTypeEnum $case) => $case->name, static::cases());
+    }
+
+    public static function exists(string $key) : bool
+    {
+        return in_array($key, static::list());
+    }
+}
diff --git a/src/Authorize/Bearer/JsonWebTokenValidate.php b/src/Authorize/Bearer/JsonWebTokenValidate.php
new file mode 100644
index 0000000..eb513a6
--- /dev/null
+++ b/src/Authorize/Bearer/JsonWebTokenValidate.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace Ulmus\User\Authorize\Bearer;
+
+abstract class JsonWebTokenValidate
+{
+    public static function validateHeaderAlgorithm(array $header) : void
+    {
+        if (! array_key_exists('alg', $header)) {
+            throw new JsonWebTokenDecodingError("Your header data is missing a valid algorithm (alg).");
+        }
+
+        if ( ! JsonWebTokenAlgorithmEnum::exists($header['alg']) ) {
+            throw new JsonWebTokenDecodingError(
+                sprintf("Given algorithm '%s' is not supported. Please try with one of the above : %s", $header['alg'], implode(', ', JsonWebTokenAlgorithmEnum::list()))
+            );
+        }
+    }
+
+    public static function validateHeaderType(array $header) : void
+    {
+        if ( array_key_exists('typ', $header) && ! JsonWebTokenTypeEnum::exists($header['typ']) ) {
+            throw new JsonWebTokenDecodingError(
+                sprintf("Given type '%s' is not supported. Please try with one of the above : %s", $header['typ'], implode(', ', JsonWebTokenTypeEnum::list()))
+            );
+        }
+    }
+
+    public static function validateSignature(string $alg, string $secret, string $encodedHeader, string $encodedPayload, string $encodedSignature) : void
+    {
+        $algorithm = JsonWebTokenAlgorithmEnum::fromString($alg);
+
+        static::validateAlgorithm($algorithm);
+
+        $decodedSignature = JsonWebTokenDecoder::base64url_decode($encodedSignature);
+
+        list($algo, $method, ) = $algorithm->phpAlgoMethods();
+
+        switch($method) {
+            case 'hash_hmac':
+                $compare = hash_hmac($algo, sprintf("%s.%s", $encodedHeader, $encodedPayload), $secret, true);
+            break;
+        }
+
+        if ( ($compare ?? null) !== $decodedSignature) {
+            throw new JsonWebTokenDecodingError(
+                sprintf("Given signature (%s) do not match computed signature (%s)", $encodedSignature, JsonWebTokenEncoder::base64url_encode($compare))
+            );
+        }
+    }
+
+    public static function validateAlgorithm(JsonWebTokenAlgorithmEnum $algorithm) : void
+    {
+        $algorithm->assessOperability();
+    }
+}
\ No newline at end of file
diff --git a/src/Authorize/Header/BearerMethod.php b/src/Authorize/Header/BearerMethod.php
index 9b627ae..53be05c 100644
--- a/src/Authorize/Header/BearerMethod.php
+++ b/src/Authorize/Header/BearerMethod.php
@@ -3,10 +3,15 @@
 namespace Ulmus\User\Authorize\Header;
 
 use Psr\Http\Message\ServerRequestInterface;
+use Ulmus\User\Authorize\Bearer\JsonWebToken;
+use Ulmus\User\Authorize\Bearer\JsonWebTokenDecoder;
 use Ulmus\User\Entity\UserInterface;
+use Ulmus\User\Lib\Authorize;
 
 class BearerMethod implements MethodInterface
 {
+    protected JsonWebTokenDecoder $jwt;
+
     public function __construct(
         protected UserInterface $user,
         protected string $token
@@ -14,6 +19,45 @@ class BearerMethod implements MethodInterface
 
     public function execute(ServerRequestInterface $request) : bool
     {
-        return false;
+        switch($this->autodetectTokenType()) {
+            case BearerTokenTypeEnum::JsonWebToken:
+                $authorize = new Authorize($this->user);
+
+                $payload = $this->jwt->getPayload();
+
+                if ($payload['sub'] ?? false) {
+                    if ( ! $authorize->logUser((int) $payload['sub']) ) {
+                        throw new \Exception("Given user id do not match with an existing/active user");
+                    }
+                }
+                else {
+                    throw new \InvalidArgumentException("Given JsonWebToken is missing a 'sub' key (which concords to user id)");
+                }
+
+                break;
+
+            case BearerTokenTypeEnum::UniqueKey:
+                # @TODO
+                break;
+        }
+
+
+        return $this->user->loggedIn();
+    }
+
+    public function autodetectTokenType() : BearerTokenTypeEnum
+    {
+        $this->jwt = new JsonWebTokenDecoder($this->token);
+
+        if ( $this->jwt->isJWT() ) {
+            return BearerTokenTypeEnum::JsonWebToken;
+        }
+
+        return BearerTokenTypeEnum::UniqueKey;
+    }
+
+    protected function userFromJWT() : UserInterface
+    {
+
     }
 }
\ No newline at end of file
diff --git a/src/Authorize/Header/BearerTokenTypeEnum.php b/src/Authorize/Header/BearerTokenTypeEnum.php
new file mode 100644
index 0000000..8314672
--- /dev/null
+++ b/src/Authorize/Header/BearerTokenTypeEnum.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace Ulmus\User\Authorize\Header;
+
+enum BearerTokenTypeEnum : string
+{
+    case JsonWebToken = "JWT";
+
+    case UniqueKey = "UniqueKey";
+}
diff --git a/src/Authorize/HeaderAuthentication.php b/src/Authorize/HeaderAuthentication.php
index fc4c80e..7eb4d45 100644
--- a/src/Authorize/HeaderAuthentication.php
+++ b/src/Authorize/HeaderAuthentication.php
@@ -23,11 +23,15 @@ class HeaderAuthentication implements AuthorizeMethodInterface
                         throw new \RuntimeException("Your user entity must provide a valid hash of `user:realm:password` ");
                     }
 
-                    $method = new Header\DigestMethod($user, $value);
+                    $methodObj = new Header\DigestMethod($user, $value);
                 break;
 
                 case "bearer":
-                    $method = new Header\BearerMethod($user, $value);
+                    $methodObj = new Header\BearerMethod($user, $value);
+                break;
+
+                case "token":
+
                 break;
 
                 default:
diff --git a/src/Lib/Authenticate.php b/src/Lib/Authenticate.php
index 0a97e02..b114a63 100644
--- a/src/Lib/Authenticate.php
+++ b/src/Lib/Authenticate.php
@@ -26,29 +26,12 @@ class Authenticate {
 
     public function rememberMe() : ? UserInterface
     {
-        $logUser = function(? int $id) {
-            try {
-                if ($id === null || null === ($user = $this->user::repository()->loadFromPk($id))) {
-                    throw new \InvalidArgumentException(sprintf("User having id '%s' was not found.", $id));
-                }
-            }
-            catch(\Exception $ex) {
-                return null;
-            }
-
-            $this->user->fromArray($user);
-
-            $this->user->logged = true;
-
-            return $this->user;
-        };
-
         if ( $this->session && $this->session->has("user.id") ) {
-            return $logUser($this->session->get("user.id"));
+            return $this->logUser($this->session->get("user.id"));
         }
 
         if ( $this->cookie && $this->cookie->has("user.id") ) {
-            return $logUser($this->cookie->get("user.id"));
+            return $this->logUser($this->cookie->get("user.id"));
         }
 
         return null;
@@ -86,15 +69,7 @@ class Authenticate {
             $response = call_user_func_array($this->authenticationEvent, [ false, 'verifyPassword', $this->user, [ 'password' => $password ] ]);
 
             if ( $response !== null ? $response : $this->user->verifyPassword($password) ) {
-                $this->user->logged = true;
-
-                if ( $this->session ) {
-                    $this->session->set("user.id", $this->user->id);
-                }
-
-                if ( $this->cookie ) {
-                    $this->cookie->set("user.id", $this->user->id);
-                }
+                $this->login();
 
                 call_user_func_array($this->authenticationEvent, [ true, 'success', $this->user ]);
             }
@@ -112,8 +87,28 @@ class Authenticate {
         return $this->user->logged;
     }
 
+
+    public function login() : void
+    {
+        if ( !$this->user->isLoaded() ) {
+            return;
+        }
+
+        $this->user->logged = true;
+
+        if ( $this->session ) {
+            $this->session->set("user.id", $this->user->id);
+        }
+
+        if ( $this->cookie ) {
+            $this->cookie->set("user.id", $this->user->id);
+        }
+    }
+
     public function logout() : self
     {
+        $this->user->logged = false;
+
         if ( $this->session ) {
             $this->session->delete('user.id');
         }
@@ -122,10 +117,24 @@ class Authenticate {
             $this->cookie->delete('user.id');
         }
 
-        if ( isset($this->user) ) {
-            $this->user->logged = false;
-        }
-
         return $this;
     }
+
+    public function logUser(?int $id) : ? UserInterface
+    {
+        try {
+            if ($id === null || null === ($entity = $this->user::repository()->loadFromPk($id))) {
+                return null;
+            }
+        }
+        catch(\Exception $ex) {
+            return null;
+        }
+
+        $this->user->fromArray($entity);
+
+        $this->user->logged = true;
+
+        return $this->user;
+    }
 }
\ No newline at end of file