From 6a34c924dcac220dd42a77bc3b730e9dbd728e2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Zapletal?=
Date: Fri, 13 Oct 2023 12:56:49 -0600
Subject: [PATCH] Added editable token expiration & on/off strict resources
---
 src/Http/Request/Auth/EmailAuthRequest.php | 6 +++--
 src/Subscriber/AuthRequest.php | 27 +++++++++++++---------
 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/src/Http/Request/Auth/EmailAuthRequest.php b/src/Http/Request/Auth/EmailAuthRequest.php
index 8a6e0ae..390e5bd 100644
--- a/src/Http/Request/Auth/EmailAuthRequest.php
+++ b/src/Http/Request/Auth/EmailAuthRequest.php
@@ -20,7 +20,7 @@ class EmailAuthRequest extends Request
 {
- const EXPIRATION_TIME = '+4 hours';
+ const EXPIRATION_TIME = '4hours';
 public function __construct(
 private readonly EntityManager $em,
@@ -66,7 +66,9 @@ public function process(array $data): Response
 $token->setSourceId($user->getId());
 $this->em->persist($token);
- $expiration = (new \DateTime())->modify(self::EXPIRATION_TIME);
+ $time = array_key_exists('AUTH_EXPIRATION', $_ENV) ? $_ENV['AUTH_EXPIRATION'] : self::EXPIRATION_TIME;
+
+ $expiration = (new \DateTime())->modify('+' . $time);
 $immutable = \DateTimeImmutable::createFromMutable($expiration);
 $claims = $this->claims->format($user, $token);
 $jwt = $this->jwt->createToken($immutable, $claims);
diff --git a/src/Subscriber/AuthRequest.php b/src/Subscriber/AuthRequest.php
index f50f291..d44d96d 100644
--- a/src/Subscriber/AuthRequest.php
+++ b/src/Subscriber/AuthRequest.php
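Review bot: The constant has lost its sign, so its meaning now depends on the `'+' . $time` concatenation further down in `process()`, which a reader of this line cannot see; a doc comment should say so, e.g. `/** Default token lifetime as a DateTime relative-format string without sign; the '+' is prepended at the use site and AUTH_EXPIRATION overrides it. */`. While the line is being rewritten, `private const EXPIRATION_TIME` would also give it the visibility PSR-12 expects, unless something outside this class reads it. The class body continues outside the hunk.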
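Review bot: `$_ENV['AUTH_EXPIRATION']` is concatenated into `modify('+' . $time)` without any validation, so a malformed or empty value makes `modify()` return `false` (on PHP before 8.3; 8.3 throws instead), and that `false` then reaches `createFromMutable()` as a TypeError rather than a clear configuration error. Nothing bounds the value either: a typo such as `4 months` silently issues tokens that stay valid far longer than the `4hours` default. I would check the result before using it, `if ($expiration === false) { throw new \RuntimeException('AUTH_EXPIRATION is not a valid relative time'); }`, and consider documenting or enforcing a maximum lifetime. Note that `$_ENV` is only populated when `variables_order` includes `E` or a dotenv loader fills it; if the project reads configuration through `getenv()` elsewhere, this override would be silently ignored, which is worth confirming. `process()` starts and ends outside the hunk.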
@@ -132,17 +132,22 @@ public function onRequest(RequestEvent $event): void
 /** @var IAuthenticable $user */
 $this->authUser->setAuthUser($user);
- $claimsResources = $claims->get('user')['resources'];
- $authResources = $this->authUser->getResources();
-
- sort($claimsResources);
- sort($authResources);
-
- $requestResources = implode('|', $claimsResources);
- $userResources = implode('|', $authResources);
-
- if ($userResources !== $requestResources) {
- $this->sendError('User permissions have been changed');
+ // Don't watch only if strict mode is off
+ $watch = !(array_key_exists('AUTH_STRICT_RESOURCES', $_ENV) && $_ENV['AUTH_STRICT_RESOURCES'] === 'false');
+
+ if ($watch) {
+ $claimsResources = $claims->get('user')['resources'];
+ $authResources = $this->authUser->getResources();
+
+ sort($claimsResources);
+ sort($authResources);
+
+ $requestResources = implode('|', $claimsResources);
+ $userResources = implode('|', $authResources);
+
+ if ($userResources !== $requestResources) {
+ $this->sendError('User permissions have been changed');
+ }
 }
 }
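Review bot: Setting `AUTH_STRICT_RESOURCES=false` turns off the only check that the JWT's `resources` claim still matches the user's current resources, so a token issued before a permission change keeps its old claim until it expires, and with `AUTH_EXPIRATION` now configurable in the other file that window can be long. Whether that is a real exposure depends on code outside this hunk: if later authorization reads `$claims->get('user')['resources']` rather than `$this->authUser->getResources()`, a revoked permission stays effective for the token's lifetime; if it reads the database-backed user, the flag only removes a forced re-login. The exact-string match is fail-closed (`'0'`, `'off'`, `'FALSE'` all keep the check on), which is the right default but should be stated rather than left to the ambiguous "Don't watch only if" comment, e.g. `// Stale-permission check stays on unless AUTH_STRICT_RESOURCES is exactly the string 'false'; turning it off lets a token's resources claim outlive the user's real permissions until the token expires`. `onRequest()` starts outside the hunk.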