Improved jwt logic

* No longer stores full token, but only payload.
2024-03-11 22:29:17 +01:00
parent 99b5710c59
commit 0513ab0999
5 changed files with 33 additions and 32 deletions
--- a/src/Http/Middleware/MercureHandler.php
+++ b/src/Http/Middleware/MercureHandler.php
@@ -88,17 +88,13 @@ class MercureHandler
        }

        // Grab the JWT token from the requests authorization attribute
-        $tok = $request->getAttribute('authorization');
-        if ($tok instanceof JWTToken) {
-            $claims = $tok->claims->getAll();
-            if (isset($claims['mercure']['subscribe'])) {
-                $subscribeClaims = $claims['mercure']['subscribe'];
-                if (!$this->checkTopicClaims($topics, $subscribeClaims)) {
-                    throw new SecurityException(
-                        message: "Insufficient permissions for subscribe", 
-                        code: SecurityException::ERR_NO_PERMISSION
-                    );
-                }
+        if ($request->getAttribute('authorized')) {
+            $claims = $request->getAttribute('mercure.subscribe');
+            if (!$this->checkTopicClaims($topics, $claims)) {
+                throw new SecurityException(
+                    message: "Insufficient permissions for subscribe", 
+                    code: SecurityException::ERR_NO_PERMISSION
+                );
            }
        } else {
            // Disallow if we don't allow anonymous subscribers. Note that anonymous
@@ -153,18 +149,14 @@ class MercureHandler
        }

        // Grab the JWT token from the requests authorization attribute
-        $tok = $request->getAttribute('authorization');
-        if ($tok instanceof JWTToken) {
-            $claims = $tok->claims->getAll();
-            if (isset($claims['mercure']['publish'])) {
-                $publishClaims = $claims['mercure']['publish'];
-                // check topic against publishClaims
-                if (!$this->checkTopicClaims($data['topic']??[], $publishClaims)) {
-                    throw new SecurityException(
-                        message: "Insufficient permissions for publish", 
-                        code: SecurityException::ERR_NO_PERMISSION
-                    );
-                }
+        if ($request->getAttribute('authorized')) {
+            $claims = $request->getAttribute('mercure.publish');
+            // check topic against publishClaims
+            if (!$this->checkTopicClaims($data['topic']??[], $claims)) {
+                throw new SecurityException(
+                    message: "Insufficient permissions for publish", 
+                    code: SecurityException::ERR_NO_PERMISSION
+                );
            }
        } else {
            // reject if access denied