Added editable token expiration & on/off strict resources

strategio-digital · Oct 13, 2023 · 6a34c92 · 6a34c92
1 parent 06a8415
commit 6a34c92
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 13 deletions.
diff --git a/src/Http/Request/Auth/EmailAuthRequest.php b/src/Http/Request/Auth/EmailAuthRequest.php
@@ -20,7 +20,7 @@
 
 class EmailAuthRequest extends Request
 {
-    const EXPIRATION_TIME = '+4 hours';
+    const EXPIRATION_TIME = '4hours';
 
     public function __construct(
         private readonly EntityManager   $em,
@@ -66,7 +66,9 @@ public function process(array $data): Response
         $token->setSourceId($user->getId());
         $this->em->persist($token);
 
-        $expiration = (new \DateTime())->modify(self::EXPIRATION_TIME);
+        $time = array_key_exists('AUTH_EXPIRATION', $_ENV) ? $_ENV['AUTH_EXPIRATION'] : self::EXPIRATION_TIME;
+
+        $expiration = (new \DateTime())->modify('+' . $time);
         $immutable = \DateTimeImmutable::createFromMutable($expiration);
         $claims = $this->claims->format($user, $token);
         $jwt = $this->jwt->createToken($immutable, $claims);

diff --git a/src/Subscriber/AuthRequest.php b/src/Subscriber/AuthRequest.php
@@ -132,17 +132,22 @@ public function onRequest(RequestEvent $event): void
         /** @var IAuthenticable $user */
         $this->authUser->setAuthUser($user);
 
-        $claimsResources = $claims->get('user')['resources'];
-        $authResources = $this->authUser->getResources();
-
-        sort($claimsResources);
-        sort($authResources);
-
-        $requestResources = implode('|', $claimsResources);
-        $userResources = implode('|', $authResources);
-
-        if ($userResources !== $requestResources) {
-            $this->sendError('User permissions have been changed');
+        // Don't watch only if strict mode is off
+        $watch = !(array_key_exists('AUTH_STRICT_RESOURCES', $_ENV) && $_ENV['AUTH_STRICT_RESOURCES'] === 'false');
+
+        if ($watch) {
+            $claimsResources = $claims->get('user')['resources'];
+            $authResources = $this->authUser->getResources();
+
+            sort($claimsResources);
+            sort($authResources);
+
+            $requestResources = implode('|', $claimsResources);
+            $userResources = implode('|', $authResources);
+
+            if ($userResources !== $requestResources) {
+                $this->sendError('User permissions have been changed');
+            }
         }
     }