-
Notifications
You must be signed in to change notification settings - Fork 0
/
Approov.php
129 lines (110 loc) · 4.54 KB
/
Approov.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
<?php declare(strict_types=1);
namespace App\Http\Middleware;
use Closure;
use Firebase\JWT\JWT;
use Symfony\Component\HttpFoundation\HeaderBag;
class Approov
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$approov_token_claims = $this->verifyApproovToken($request->headers);
if (!$approov_token_claims) {
return response()->json(new \stdClass(), 401);
}
if (!$this->verifyApproovTokenBinding($request->headers, $approov_token_claims)) {
return response()->json(new \stdClass(), 401);
}
return $next($request);
}
/**
* Verifies the Approov token in the incoming request.
*
* Returns the Approov token claims on success or null on failure.
*
* @param Symfony\Component\HttpFoundation\HeaderBag $headers
* @return ?\stdClass
*/
private function verifyApproovToken(HeaderBag $headers): ?\stdClass {
try {
$approov_token = $headers->get('Approov-Token');
if (empty($approov_token)) {
// You may want to add some logging here
// \Log::debug("MISSING APPROOV TOKEN");
return null;
}
$approov_secret = config('approov.secret');
if (empty($approov_secret)) {
// You may want to add some logging here
// \Log::debug("MISSING APPROOV SECRET");
return null;
}
// The Approov secret cannot be given as part of a JWKS key set,
// therefore you cannot use the Approov CLI to set a key id for it.
//
// If you set the key id then the token check will fail due to the
// presence of a `kid` key in the header of the Approov token, that
// will not be found in the `$approov_secret` variable, because this
// variable contains the secret as a binary string, not as a JWKs
// key set.
$approov_token_claims = JWT::decode($approov_token, $approov_secret, ['HS256']);
return $approov_token_claims;
} catch(\UnexpectedValueException $exception) {
// You may want to add some logging here
// \Log::debug($exception->getMessage());
return null;
} catch(\InvalidArgumentException $exception) {
// You may want to add some logging here
// \Log::debug($exception->getMessage());
return null;
} catch(\DomainException $exception) {
// You may want to add some logging here
// \Log::debug($exception->getMessage());
return null;
}
// You may want to add some logging here
return null;
}
/**
* Verifies the Approov token binding for the Approov token in the incoming
* request.
*
* The value in the `pay` claim of the Approov token must match the token
* binding header being used, the `Authorization` header.
*
* @param Symfony\Component\HttpFoundation\HeaderBag $headers
* @param \stdClass $approov_token_claims
* @return bool
*/
private function verifyApproovTokenBinding(HeaderBag $headers, \stdClass $approov_token_claims): bool {
if (empty($approov_token_claims->pay)) {
// You may want to add some logging here
// \Log::debug("MISSING APPROOV TOKEN BINDING CLAIM");
return false;
}
// We use the Authorization token, but feel free to use another header in
// the request. Bear in mind that it needs to be the same header used in the
// mobile app to bind the request with the Approov token.
$token_binding_header = $headers->get('Authorization');
if (empty($token_binding_header)) {
// You may want to add some logging here
// \Log::debug("MISSING APPROOV TOKEN BINDING HEADER");
return false;
}
// We need to hash and base64 encode the token binding header, because that's
// how it was included in the Approov token on the mobile app.
$token_binding_header_encoded = base64_encode(hash("sha256", $token_binding_header, true));
if($approov_token_claims->pay !== $token_binding_header_encoded) {
// You may want to add some logging here
// \Log::debug("APPROOV TOKEN BINDING MISMATCH");
return false;
}
return true;
}
}