namshi/jose 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

namshi/jose

Composer 安装命令:

composer require namshi/jose

包简介

JSON Object Signing and Encryption library for PHP.

README 文档

README

Deprecation notice

Hi there,

as much as we'd like to be able to work on all of the OSS in the world, we don't actively use this library anymore This means that new features / bugfixes / etc will only be merged based on pull requests from external contributors, and we strongly recommend you look for a long-term alternative.

If you're looking for an actively maintained library check firebase/php-jwt out!

Build Status Latest Stable Version Total Downloads License

This library provides a lightweight implementation of the JWS (JSON Web Signature) specification.

Prerequisites

This library needs PHP 5.5+ and the library OpenSSL.

It has been tested using PHP5.5 to PHP7.0 and HHVM.

Installation

You can install the library directly from composer / packagist:

"namshi/jose": "7.0.*"

Usage

Using it is pretty straightforward: imagine that you want to offer a service the ability to authenticate a user via a cookie, and the service is built with javascript; what you would need to do is to generate a JWS (after verifying the credentials once), store it as a cookie and then pass it from your JavaScript app everytime you want to authenticate that user.

First, generate the JWS:

<?php

use Namshi\JOSE\SimpleJWS;

if ($username == 'correctUsername' && $pass == 'ok') {
	$user = Db::loadUserByUsername($username);

	$jws  = new SimpleJWS(array(
		'alg' => 'RS256'
	));
	$jws->setPayload(array(
		'uid' => $user->getid(),
	));

    $privateKey = openssl_pkey_get_private("file://path/to/private.key", self::SSL_KEY_PASSPHRASE);
    $jws->sign($privateKey);
    setcookie('identity', $jws->getTokenString());
}

Then your JS app can use the available cookie to execute authenticated calls, without sending passwords or credentials.

Once a request is submitted, you only have to verify that it is a valid call:

<?php

use Namshi\JOSE\SimpleJWS;

$jws        = SimpleJWS::load($_COOKIE['identity']);
$public_key = openssl_pkey_get_public("/path/to/public.key");

// verify that the token is valid and had the same values
// you emitted before while setting it as a cookie
if ($jws->isValid($public_key, 'RS256')) {
	$payload = $jws->getPayload();

	echo sprintf("Hey, my JS app just did an action authenticated as user #%s", $payload['uid']);
}

PROTIP: you can omit the second argument of the isValid() method, so jose will try to validate the token with the algorithm specified in the token's header, though this might expose you to some security issues.

For now we recommend to always explicitely set the algorithm you want to use to validate tokens.

PHPSECLIB For RSA Verification

You may find that you need to use this library in an environment where PHP's wrappers for OpenSSL do not work, or OpenSSL simply is not installed. This library uses OpenSSL to encrypt by default, but you can specify that you want to use PHPSecLib for a pure PHP implementation of RSA encryption.

In these cases, simply add the optional 'SecLib' parameter when constructing a JWS:

$jws = new JWS(array('alg' => 'RS256'), 'SecLib');

You can now use the PHPSecLib implementation of RSA signing. If you use a password protected private key, you can still submit the private key to use for signing as a string, as long as you pass the password as the second parameter into the sign method:

$jws->sign(file_get_contents(SSL_KEYS_PATH . "private.key"), 'tests');

You may also load a JWS using the PHPSecLib implementation of RSA verification:

$jws = JWS::load($tokenString, false, $encoder, 'SecLib');

Under the hood

In order to validate the JWS, the signature is first verified with a public key and then we will check whether the token is expired.

To give a JWS a TTL, just use the standard exp value in the payload:

$date    	= new DateTime('tomorrow');
$this->jws  = new SimpleJWS(array('alg' => 'RS256'));
$this->jws->setPayload(array(
	'exp' => $date->format('U'),
));

Unsecure JWSes

You can allow unsecure JWSes by setting the $allowUnsecure flag while loading JWSes:

JWS::load($this->jws->getTokenString(), true);

This allows tokens signed with the 'none' algorithms to go through, which is something you probably don't want to do. Proceed with caution :)

Unsecure JWSes are disabled by default since version 2.2.2. You should not use previous versions other than 2.2.2 as they have a security vulnerability. More info here.

Using a custom encoder

If, for some reason, you need to encode the token in a different way, you can inject any implementation of Namshi\JOSE\Base64\Encoder in a JWS instance. Likewise, JWS::load() accepts such an implementation as a second argument.

Implementation Specifics

The library provides a base JWT Class that implements what is needed just for JSON Web Tokens. The JWS Class then extends the JWT class and adds the implementation for signing and verifying using JSON Web Signatures. The SimpleJWS class extends the base JWS class and adds validation of a TTL and inclusion of automatic claims.

Major Versions

2.x.x to 3.x.x

Introduced the ability to specify an encryption engine. Added support of PHPSecLib to the existing OpenSSL implementation.

3.x.x to 4.x.x - Not Backwards Compatible

Added the ability to set custom properties in the header. Moved automatic inclusion of certain claims into an SimpleJWS class from the base JWS class.

6.x.x - Not Backwards Compatible

6.1.x

  • Dropped support for PHP 5.4
  • phpseclib 2.0

6.0.x

  • Dropped support for PHP 5.3
  • Don't escape slashes when generating signin input. This may render tokens generated with earlier versions of Jose incompatible.

7.x.x

7.0.x

Moved phpseclib and the openssl extension as suggested dependencies.

Tests

Tests are written using PHPUnit for this library. After doing composer install you can execute the following command to run tests:

./vendor/bin/phpunit

Credits

This library has been inspired by the initial work done by @ritou.

namshi/jose 适用场景与选型建议

namshi/jose 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 102.75M 次下载、GitHub Stars 达 1.81k, 最近一次更新时间为 2013 年 06 月 03 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「json」 「token」 「jwt」 「JSON Web Token」 「JSON Web Signature」 「JWS」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 namshi/jose 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 namshi/jose 我们能提供哪些服务?
定制开发 / 二次开发

基于 namshi/jose 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 102.75M
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 1817
  • 点击次数: 25
  • 依赖项目数: 119
  • 推荐数: 0

GitHub 信息

  • Stars: 1807
  • Watchers: 61
  • Forks: 130
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2013-06-03