codeigniter4
diff --git a/‎src/Authentication/Authenticators/JWT.php‎
Lines changed: 244 additions & 0 deletions b/‎src/Authentication/Authenticators/JWT.php‎
Lines changed: 244 additions & 0 deletions
diff --git a/‎src/Authentication/Authenticators/JWT/Firebase.php‎
Lines changed: 41 additions & 0 deletions b/‎src/Authentication/Authenticators/JWT/Firebase.php‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎src/Authentication/Authenticators/JWT/JWTDecoderInterface.php‎
Lines changed: 15 additions & 0 deletions b/‎src/Authentication/Authenticators/JWT/JWTDecoderInterface.php‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎src/Authentication/TokenGenerator/JWT/Firebase.php‎
Lines changed: 18 additions & 0 deletions b/‎src/Authentication/TokenGenerator/JWT/Firebase.php‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎src/Authentication/TokenGenerator/JWT/JWTGeneratorInterface.php‎
Lines changed: 13 additions & 0 deletions b/‎src/Authentication/TokenGenerator/JWT/JWTGeneratorInterface.php‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎src/Authentication/TokenGenerator/JWTGenerator.php‎
Lines changed: 41 additions & 0 deletions b/‎src/Authentication/TokenGenerator/JWTGenerator.php‎
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,244 @@
+<?php
+
+namespace CodeIgniter\Shield\Authentication\Authenticators;
+
+use CodeIgniter\HTTP\IncomingRequest;
+use CodeIgniter\I18n\Time;
+use CodeIgniter\Shield\Authentication\AuthenticationException;
+use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
+use CodeIgniter\Shield\Authentication\Authenticators\JWT\Firebase;
+use CodeIgniter\Shield\Authentication\Authenticators\JWT\JWTDecoderInterface;
+use CodeIgniter\Shield\Entities\User;
+use CodeIgniter\Shield\Exceptions\RuntimeException;
+use CodeIgniter\Shield\Models\TokenLoginModel;
+use CodeIgniter\Shield\Models\UserModel;
+use CodeIgniter\Shield\Result;
+use InvalidArgumentException;
+use stdClass;
+
+/**
+ * Stateless JWT Authenticator
+ */
+class JWT implements AuthenticatorInterface
+{
+    /**
+     * @var string Special ID Type.
+     *             This Authenticator is stateless, so no `auth_identities` record.
+     */
+    public const ID_TYPE_JWT = 'jwt';
+
+    /**
+     * The persistence engine
+     */
+    protected UserModel $provider;
+
+    protected ?User $user = null;
+    protected JWTDecoderInterface $jwtDecoder;
+    protected TokenLoginModel $loginModel;
+    protected ?stdClass $payload = null;
+
+    public function __construct(UserModel $provider, ?JWTDecoderInterface $jwtDecoder = null)
+    {
+        $this->provider   = $provider;
+        $this->jwtDecoder = $jwtDecoder ?? new Firebase();
+
+        $this->loginModel = model(TokenLoginModel::class); // @phpstan-ignore-line
+    }
+
+    /**
+     * Attempts to authenticate a user with the given $credentials.
+     * Logs the user in with a successful check.
+     *
+     * @param array{token?: string} $credentials
+     */
+    public function attempt(array $credentials): Result
+    {
+        /** @var IncomingRequest $request */
+        $request = service('request');
+
+        $ipAddress = $request->getIPAddress();
+        $userAgent = $request->getUserAgent();
+
+        $result = $this->check($credentials);
+
+        if (! $result->isOK()) {
+            // Always record a login attempt, whether success or not.
+            $this->loginModel->recordLoginAttempt(
+                self::ID_TYPE_JWT,
+                $credentials['token'] ?? '',
+                false,
+                $ipAddress,
+                $userAgent
+            );
+
+            return $result;
+        }
+
+        $user = $result->extraInfo();
+
+        $this->login($user);
+
+        $this->loginModel->recordLoginAttempt(
+            self::ID_TYPE_JWT,
+            $credentials['token'] ?? '',
+            true,
+            $ipAddress,
+            $userAgent,
+            $this->user->id
+        );
+
+        return $result;
+    }
+
+    /**
+     * Checks a user's $credentials to see if they match an
+     * existing user.
+     *
+     * In this case, $credentials has only a single valid value: token,
+     * which is the plain text token to return.
+     *
+     * @param array{token?: string} $credentials
+     */
+    public function check(array $credentials): Result
+    {
+        if (! array_key_exists('token', $credentials) || $credentials['token'] === '') {
+            return new Result([
+                'success' => false,
+                'reason'  => lang('Auth.noToken'),
+            ]);
+        }
+
+        if (strpos($credentials['token'], 'Bearer') === 0) {
+            $credentials['token'] = trim(substr($credentials['token'], 6));
+        }
+
+        // Check JWT
+        try {
+            $this->payload = $this->decodeJWT($credentials['token']);
+        } catch (RuntimeException $e) {
+            return new Result([
+                'success' => false,
+                'reason'  => $e->getMessage(),
+            ]);
+        }
+
+        $userId = $this->payload->sub ?? null;
+
+        if ($userId === null) {
+            return new Result([
+                'success' => false,
+                'reason'  => 'Invalid JWT: no user_id',
+            ]);
+        }
+
+        // Find User
+        $user = $this->provider->findById($userId);
+
+        if ($user === null) {
+            return new Result([
+                'success' => false,
+                'reason'  => lang('Auth.invalidUser'),
+            ]);
+        }
+
+        return new Result([
+            'success'   => true,
+            'extraInfo' => $user,
+        ]);
+    }
+
+    /**
+     * Checks if the user is currently logged in.
+     * Since AccessToken usage is inherently stateless,
+     * it runs $this->attempt on each usage.
+     */
+    public function loggedIn(): bool
+    {
+        if ($this->user !== null) {
+            return true;
+        }
+
+        /** @var IncomingRequest $request */
+        $request = service('request');
+
+        return $this->attempt([
+            'token' => $request->getHeaderLine(config('Auth')->authenticatorHeader['jwt']),
+        ])->isOK();
+    }
+
+    /**
+     * Logs the given user in by saving them to the class.
+     */
+    public function login(User $user): void
+    {
+        $this->user = $user;
+    }
+
+    /**
+     * Logs a user in based on their ID.
+     *
+     * @param int|string $userId
+     *
+     * @throws AuthenticationException
+     */
+    public function loginById($userId): void
+    {
+        $user = $this->provider->findById($userId);
+
+        if ($user === null) {
+            throw AuthenticationException::forInvalidUser();
+        }
+
+        $this->login($user);
+    }
+
+    /**
+     * Logs the current user out.
+     */
+    public function logout(): bool
+    {
+        $this->user = null;
+
+        return true;
+    }
+
+    /**
+     * Returns the currently logged in user.
+     */
+    public function getUser(): ?User
+    {
+        return $this->user;
+    }
+
+    /**
+     * Updates the user's last active date.
+     */
+    public function recordActiveDate(): void
+    {
+        if (! $this->user instanceof User) {
+            throw new InvalidArgumentException(
+                __METHOD__ . '() requires logged in user before calling.'
+            );
+        }
+
+        $this->user->last_active = Time::now();
+
+        $this->provider->save($this->user);
+    }
+
+    /**
+     * Returns payload of the JWT
+     */
+    public function decodeJWT(string $encodedToken): stdClass
+    {
+        return $this->jwtDecoder->decode($encodedToken);
+    }
+
+    /**
+     * Returns payload
+     */
+    public function getPayload(): ?stdClass
+    {
+        return $this->payload;
+    }
+}
@@ -0,0 +1,41 @@
+<?php
+
+namespace CodeIgniter\Shield\Authentication\Authenticators\JWT;
+
+use CodeIgniter\Shield\Exceptions\RuntimeException;
+use DomainException;
+use Firebase\JWT\BeforeValidException;
+use Firebase\JWT\ExpiredException;
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+use Firebase\JWT\SignatureInvalidException;
+use InvalidArgumentException;
+use stdClass;
+use UnexpectedValueException;
+
+class Firebase implements JWTDecoderInterface
+{
+    /**
+     * Decode JWT
+     *
+     * @return stdClass Payload
+     */
+    public static function decode(string $encodedToken): stdClass
+    {
+        $config = setting('Auth.jwtConfig');
+
+        $key       = $config['secretKey'];
+        $algorithm = $config['algorithm'];
+
+        try {
+            return JWT::decode($encodedToken, new Key($key, $algorithm));
+        } catch (BeforeValidException|ExpiredException $e) {
+            throw new RuntimeException('Expired JWT: ' . $e->getMessage(), 0, $e);
+        } catch (
+            InvalidArgumentException|DomainException|UnexpectedValueException
+            |SignatureInvalidException $e
+        ) {
+            throw new RuntimeException('Invalid JWT: ' . $e->getMessage(), 0, $e);
+        }
+    }
+}
@@ -0,0 +1,15 @@
+<?php
+
+namespace CodeIgniter\Shield\Authentication\Authenticators\JWT;
+
+use stdClass;
+
+interface JWTDecoderInterface
+{
+    /**
+     * Decode JWT
+     *
+     * @return stdClass Payload
+     */
+    public static function decode(string $encodedToken): stdClass;
+}
@@ -0,0 +1,18 @@
+<?php
+
+namespace CodeIgniter\Shield\Authentication\TokenGenerator\JWT;
+
+use Firebase\JWT\JWT;
+
+class Firebase implements JWTGeneratorInterface
+{
+    /**
+     * Issues JWT
+     *
+     * @param string $key
+     */
+    public static function generate(array $payload, $key, string $algorithm): string
+    {
+        return JWT::encode($payload, $key, $algorithm);
+    }
+}
@@ -0,0 +1,13 @@
+<?php
+
+namespace CodeIgniter\Shield\Authentication\TokenGenerator\JWT;
+
+interface JWTGeneratorInterface
+{
+    /**
+     * Issues JWT
+     *
+     * @param string $key The secret key.
+     */
+    public static function generate(array $payload, $key, string $algorithm): string;
+}
@@ -0,0 +1,41 @@
+<?php
+
+namespace CodeIgniter\Shield\Authentication\TokenGenerator;
+
+use CodeIgniter\I18n\Time;
+use CodeIgniter\Shield\Authentication\TokenGenerator\JWT\Firebase;
+use CodeIgniter\Shield\Authentication\TokenGenerator\JWT\JWTGeneratorInterface;
+use CodeIgniter\Shield\Entities\User;
+
+class JWTGenerator
+{
+    private Time $currentTime;
+    private JWTGeneratorInterface $jwtGenerator;
+
+    public function __construct(?Time $currentTime = null, ?JWTGeneratorInterface $jwtGenerator = null)
+    {
+        $this->currentTime  = $currentTime ?? new Time();
+        $this->jwtGenerator = $jwtGenerator ?? new Firebase();
+    }
+
+    /**
+     * Issues JWT Access Token
+     */
+    public function generateAccessToken(User $user): string
+    {
+        $config = setting('Auth.jwtConfig');
+
+        $iat = $this->currentTime->getTimestamp();
+        $exp = $iat + $config['timeToLive'];
+
+        $payload = [
+            'iss' => $config['issuer'],     // issuer
+            'aud' => $config['audience'],   // audience
+            'sub' => (string) $user->id,    // subject
+            'iat' => $iat,                  // issued at
+            'exp' => $exp,                  // expiration time
+        ];
+
+        return $this->jwtGenerator->generate($payload, $config['secretKey'], $config['algorithm']);
+    }
+}