tp4 18/11/2020

BackEnd/tp4/classes/AutoLoader.class.php

@@ -12,7 +12,7 @@ class AutoLoader {
     private function load($className) {
         $_model=["Model", "Role", "User"];
         $_classes=["DatabasePDO", "Dispatcher", "Request", "Response"];
-        $_controller=["Controller", "DefaultController", "UserController"];
+        $_controller=["Controller", "DefaultController", "UserController", "LoginController", "ValidateTokenController"];
         
         if(in_array($className, $_model)){
             require_once "model/$className.class.php";

BackEnd/tp4/classes/Request.class.php

@@ -69,13 +69,8 @@ class Request {
    }
 
    public function initData() {
-      if ($this->getHttpMethod() === 'PUT'){
-         $this->data = "";
-         $stream = fopen("php://input", "r");
-         $next_byte=fread($stream, '1024');
-         $this->data .= $next_byte;
-         fclose($stream);
-         $this->data=json_decode($this->data, TRUE);
+      if ($this->getHttpMethod() === 'PUT' || $this->getHttpMethod() === 'POST'){
+         $this->data = json_decode(file_get_contents("php://input"), true);   
       }
          
    }
@@ -89,6 +84,19 @@ class Request {
    public function getData() {
       return $this->data;
    }
+   // returns JWT token in Authorization header or throw an exception
+   public function getJwtToken() {
+      $headers = getallheaders();
+      $autorization = $headers['Authorization'];
+      $arr = explode(" ", $autorization);
+
+      if(count($arr)<2)
+         throw new Exception("Missing JWT token");
+
+      $jwt_token = $arr[1];
+
+      return $jwt_token;
+   }
 
    
 

BackEnd/tp4/classes/Response.class.php

@@ -31,6 +31,11 @@ class Response {
    {
       return new Response(400,$message);
    }
+   
+   public static function unauthorizedResponse($message = "")
+   {
+      return new Response(401,$message);
+   }
 
    public static function interceptEchos() {
       ob_start();

BackEnd/tp4/config/config.php

@@ -8,6 +8,9 @@ define('DB_PASSWORD','');
 // define('__DEBUG', false);
 define('__DEBUG', true);
 
+define( 'JWT_BACKEND_KEY', '6d8HbcZndVGNAbo4Ih1TGaKcuA1y2BKs-I5CmP' );
+define( 'JWT_ISSUER', $_SERVER['HTTP_HOST'] . $_SERVER['CONTEXT_PREFIX']);
+
 
 // ================================================================================
 // Debug utilities

BackEnd/tp4/controller/LoginController.class.php

+<?php
+include_once __ROOT_DIR . '/libs/php-jwt/src/BeforeValidException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/ExpiredException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/SignatureInvalidException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/JWT.php';
+use \Firebase\JWT\JWT;
+
+class LoginController extends Controller {
+
+   public function __construct($name, $request) {
+      parent::__construct($name, $request);
+   }
+
+    public function processRequest() {
+      if($this->request->getHttpMethod() !== 'POST')
+         return Response::errorResponse('{ "message" : "Unsupported endpoint" }' );
+
+      $json = $this->request->getData();
+      if(!isset($json['login']) || !isset($json['login'])) {
+         $r = new Response(422,"login and pwd fields are mandatory");
+            $r->send();
+      }
+
+      $user = User::tryLogin($json['login']);
+      if(empty($user) || !hash_equals($json['pwd'],$user->password())) {
+            $r = new Response(422,"wrong credentials");
+            $r->send();
+      }
+
+      // generate json web token
+      $issued_at = time();
+      $expiration_time = $issued_at + (60 * 60); // valid for 1 hour
+
+      $token = array(
+         "iat" => $issued_at,
+         "exp" => $expiration_time,
+         "iss" => JWT_ISSUER,
+         "data" => array(
+            "id" => $user->id(),
+            "firstname" => $user->firstname(),
+            "lastname" => $user->lastname(),
+            "email" => $user->email()
+         )
+      );
+
+      $jwt = JWT::encode( $token, JWT_BACKEND_KEY );
+      $jsonResult = json_encode(
+            array(
+               "jwt_token" => $jwt
+            )
+      );
+
+        return Response::okResponse($jsonResult);
+    }
+}
\ No newline at end of file

BackEnd/tp4/controller/UserController.class.php

 <?php
-
+include_once __ROOT_DIR . '/libs/php-jwt/src/BeforeValidException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/ExpiredException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/SignatureInvalidException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/JWT.php';
+use \Firebase\JWT\JWT;
 class UserController extends Controller {
 
     public function __construct($name, $request) {
@@ -20,8 +24,8 @@ class UserController extends Controller {
                 return $this->getAllUsers();
                 break;
             case 'PUT':
-                if ($this->request->getUriParams())
-                    return $this->updateUser($this->request->getUriParams()[0],$this->request->getData());
+                return $this->updateUser($this->request->getData());
+                    
                 break;
         }
         return Response::errorResponse("unsupported parameters or method in users");
@@ -41,32 +45,28 @@ class UserController extends Controller {
         $response = Response::okResponse(json_encode($user));
         return $response;
     }
-    protected function updateUser($id, $data){
-        $sets=[];
-        if(isset($data['login'])){
-            $sets[] = ['USER_LOGIN',$data['login']];
-        }
-        if(isset($data['email'])){
-            $sets[] = ['USER_EMAIL',$data['email']];
-        }
-        if(isset($data['role'])){
-            $sets[] = ['USER_ROLE',$data['role']];
-        }
-        if(isset($data['pwd'])){
-            $sets[] = ['USER_PWD',$data['pwd']];
-        }
-        if(isset($data['name'])){
-            $sets[] = ['USER_NAME',$data['name']];
-        }
-        if(isset($data['surname'])){
-            $sets[] = ['USER_SURNAME',$data['surname']];
-        }
-        //$sets = implode(', ', $sets);
-        $success = true;
-        foreach ($sets as $set ) {
-            $success &= User::update($id, $set);
-        }
-        $response = $success?Response::okResponse("Updated"):Response::errorResponse("failed");
-        return $response;
+    protected function updateUser($array){
+        try {
+            $jwt_token = $this->request->getJwtToken();
+            // echo "jwt = $jwt_token";
+            $decodedJWT = JWT::decode($jwt_token, JWT_BACKEND_KEY, array('HS256'));
+            
+            if($decodedJWT->data->id != $array['id']){
+                throw new Exception("You don't have access to this account.", 1);
+            } 
+            
+            User::updateUser($array);
+   
+         } catch (Exception $e){
+            header('WWW-Authenticate: Bearer realm="'.JWT_ISSUER.'"');
+   
+            $jsonResult =  json_encode(array(
+                "message" => "Access denied.",
+                "error" => $e->getMessage()
+            ));
+            return Response::unauthorizedResponse($jsonResult);
+         }
+         $response = Response::okResponse('User succesfully updated !');
+         return $response;
     }
 }
\ No newline at end of file

BackEnd/tp4/controller/ValidateTokenController.class.php

+<?php
+
+include_once __ROOT_DIR . '/libs/php-jwt/src/BeforeValidException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/ExpiredException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/SignatureInvalidException.php';
+include_once __ROOT_DIR . '/libs/php-jwt/src/JWT.php';
+use \Firebase\JWT\JWT;
+
+class ValidateTokenController extends Controller {
+
+   public function __construct($name, $request) {
+      parent::__construct($name, $request);
+   }
+
+    public function processRequest() {
+      try {
+         $jwt_token = $this->request->getJwtToken();
+         // echo "jwt = $jwt_token";
+         $decodedJWT = JWT::decode($jwt_token, JWT_BACKEND_KEY, array('HS256'));
+         $jsonResult = json_encode(array(
+             "message" => "Access granted.",
+             "data" => $decodedJWT
+         ));
+
+      } catch (Exception $e){
+         header('WWW-Authenticate: Bearer realm="'.JWT_ISSUER.'"');
+
+         $jsonResult =  json_encode(array(
+             "message" => "Access denied.",
+             "error" => $e->getMessage()
+         ));
+         return Response::unauthorizedResponse($jsonResult);
+      }
+      $response = Response::okResponse($jsonResult);
+      return $response;
+    }
+}
\ No newline at end of file

BackEnd/tp4/model/User.class.php

@@ -17,15 +17,30 @@ class User extends Model {
       return $stm->fetchAll();
    }
 
-   public static function update($id, $set) {
-      $stm = parent::exec('USER_UPDATE', ['id' => $id, 'set_field' => $set[0], 'set_value' => $set[1]]);
-      try {
-         return true;
-      } catch (\Throwable $th) {
-         die("dommage, fromage");
-      }
-      
+   public static function updateUser($array) {
+      $stm = parent::exec('USER_UPDATE', $array);
    }
 
+   public static function tryLogin($login){
+      $stm = parent::exec('USER_GET_WITH_LOGIN', ['login' => $login]);
+      return $stm->fetchAll(PDO::FETCH_CLASS, 'User')[0];
+   }
+
+   public function password(){
+      return trim($this->USER_PWD);
+   }
+   public function id(){
+      return trim($this->USER_ID);
+   }
+   public function firstname(){
+      return trim($this->USER_NAME);
+   }
+   public function lastname(){
+      return trim($this->USER_SURNAME);
+   }
+   public function email(){
+      return trim($this->USER_EMAIL);
+   }
+   
 
 }
\ No newline at end of file

BackEnd/tp4/sql/User.sql.php

@@ -16,4 +16,4 @@ User::addSqlQuery('USER_CONNECT',
     'SELECT * FROM USER WHERE USER_LOGIN=:login and USER_PWD=:password');
 
 User::addSqlQuery('USER_UPDATE',
-    'UPDATE `USER` SET :set_field = :set_value WHERE `USER_ID` = :id');
+    'UPDATE USER SET USER_EMAIL = :email WHERE USER_ID = :id');
\ No newline at end of file