diff --git a/.gitlab-ci-files/package.yml b/.gitlab-ci-files/package.yml
index a80d56a..6e5cc77 100644
--- a/.gitlab-ci-files/package.yml
+++ b/.gitlab-ci-files/package.yml
@@ -2,6 +2,12 @@ rocky8-package:
extends: .package
image: gitlab.linphone.org:4567/bc/public/docker/rocky8-php:$ROCKY_8_IMAGE_VERSION
script:
+ # We install this dependency only for the pipeline
+ - dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
+ - dnf -y module reset php
+ - dnf -y module enable php:remi-8.0
+ - dnf -y update php\*
+ - dnf -y install php-sodium
- make rpm-el8
rocky9-package:
diff --git a/.gitlab-ci-files/test.yml b/.gitlab-ci-files/test.yml
index 66642be..eb8a3e4 100644
--- a/.gitlab-ci-files/test.yml
+++ b/.gitlab-ci-files/test.yml
@@ -15,7 +15,7 @@ rocky9-test:
script:
- yum -y localinstall build/*.rpm
- cd /opt/belledonne-communications/share/flexisip-account-manager/flexiapi
- - composer install
+ - composer install --ignore-platform-req=ext-sodium # Rocky 8 use the external library
- vendor/bin/phpcs
- vendor/bin/phpmd . ansi phpmd.xml
- php artisan key:generate
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3f06491..501208e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,6 @@
variables:
ROCKY_8_IMAGE_VERSION: 20230330_163028_remove_remi
- ROCKY_9_IMAGE_VERSION: 20231019_170719_rocky9_php80_cleanup
+ ROCKY_9_IMAGE_VERSION: 20240314_163316_add_php_sodium
DEBIAN_11_IMAGE_VERSION: 20240221_140459_package_upgrade_02_24
DEBIAN_12_IMAGE_VERSION: 20230925_143235_enable_debian12_packaging
PHP_REDIS_REMI_VERSION: php-pecl-redis5-5.3.6-1
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e30ce57..c92b2ee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ v1.5
- FIX FLEXIAPI-146 Allow users to manage their own devices
- Fix FLEXIAPI-145 Put back the 'code' parameter as an alias for the 'confirmation_key' for the activateEmail and activatePhone endpoints
- Fix FLEXIAPI-144 Introduce APP_FLEXISIP_PUSHER_FIREBASE_KEYSMAP as a replacement for APP_FLEXISIP_PUSHER_FIREBASE_KEY
+- Fix FLEXIAPI-143 JWT Authentication layer on the API
- Fix FLEXIAPI-142 PUT /accounts endpoint doesn't allow overiding values anymore
- Fix FLEXIAPI-140 Fix the display_name attribute in the Vcard4 render
- Fix FLEXIAPI-139 Refactor the email and phone API documentation
diff --git a/Makefile b/Makefile
index e491328..9a0c120 100644
--- a/Makefile
+++ b/Makefile
@@ -57,6 +57,7 @@ package-end-common:
rm -rf $(OUTPUT_DIR)/rpmbuild/SPECS $(OUTPUT_DIR)/rpmbuild/SOURCES $(OUTPUT_DIR)/rpmbuild/SRPMS $(OUTPUT_DIR)/rpmbuild/BUILD $(OUTPUT_DIR)/rpmbuild/BUILDROOT
rpm-el8-only:
+ sed -i 's/Requires:.*/Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring/g' $(OUTPUT_DIR)/rpmbuild/SPECS/flexisip-account-manager.spec
rpmbuild -v -bb --define 'dist .el8' --define '_topdir $(OUTPUT_DIR)/rpmbuild' --define "_rpmdir $(OUTPUT_DIR)/rpmbuild" $(OUTPUT_DIR)/rpmbuild/SPECS/flexisip-account-manager.spec
@echo "📦✅ RPM el8 Package Created"
diff --git a/flexiapi/.env.example b/flexiapi/.env.example
index 3086ea3..3e4a203 100644
--- a/flexiapi/.env.example
+++ b/flexiapi/.env.example
@@ -110,4 +110,7 @@ OVH_APP_SENDER=
# HCaptcha
HCAPTCHA_SECRET=secret-key
-HCAPTCHA_SITEKEY=site-key
\ No newline at end of file
+HCAPTCHA_SITEKEY=site-key
+
+# JWT
+JWT_RSA_PUBLIC_KEY_PEM=
diff --git a/flexiapi/app/Http/Kernel.php b/flexiapi/app/Http/Kernel.php
index 9530eed..7470fe9 100644
--- a/flexiapi/app/Http/Kernel.php
+++ b/flexiapi/app/Http/Kernel.php
@@ -72,6 +72,7 @@ class Kernel extends HttpKernel
'auth.admin' => \App\Http\Middleware\AuthenticateAdmin::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'auth.digest_or_key' => \App\Http\Middleware\AuthenticateDigestOrKey::class,
+ 'auth.jwt' => \App\Http\Middleware\AuthenticateJWT::class,
'auth.check_blocked' => \App\Http\Middleware\CheckBlocked::class,
'web_panel_enabled' => \App\Http\Middleware\IsWebPanelEnabled::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
diff --git a/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php b/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
index 26f6e09..32b27d4 100644
--- a/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
+++ b/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
@@ -39,6 +39,10 @@ class AuthenticateDigestOrKey
*/
public function handle($request, Closure $next)
{
+ if ($request->bearerToken() && Auth::check()) {
+ return $next($request);
+ }
+
// Key authentication
if ($request->header('x-api-key') || $request->cookie('x-api-key')) {
diff --git a/flexiapi/app/Http/Middleware/AuthenticateJWT.php b/flexiapi/app/Http/Middleware/AuthenticateJWT.php
new file mode 100644
index 0000000..6009c6c
--- /dev/null
+++ b/flexiapi/app/Http/Middleware/AuthenticateJWT.php
@@ -0,0 +1,73 @@
+bearerToken() && config('services.jwt.rsa_public_key_pem')) {
+ if (!extension_loaded('sodium')) {
+ abort(403, "Your PHP setup doesn't have the Sodium extension loaded");
+ }
+
+ $publicKey = InMemory::plainText(config('services.jwt.rsa_public_key_pem'));
+ $token = (new Parser(new JoseEncoder()))->parse($request->bearerToken());
+
+ $signer = null;
+
+ switch ($token->headers()->get('alg')) {
+ case 'RS256':
+ $signer = new Sha256;
+ break;
+
+ case 'RS384':
+ $signer = new Sha384;
+ break;
+
+ case 'RS512':
+ $signer = new Sha512;
+ break;
+ }
+
+ if ($signer == null) {
+ abort(403, 'Unsupported RSA signature');
+ }
+
+ if (!(new Validator())->validate($token, new SignedWith($signer, $publicKey))) {
+ abort(403, 'Invalid JWT token signature');
+ }
+
+ if ($token->isExpired(new DateTimeImmutable())) {
+ abort(403, 'Expired JWT token');
+ }
+
+ $account = Account::withoutGlobalScopes()
+ ->where('email', $token->claims()->get('email'))
+ ->first();
+
+ if (!$account) {
+ abort(403, 'The JWT token is not related to someone in the system');
+ }
+
+ Auth::login($account);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/flexiapi/composer.json b/flexiapi/composer.json
index 5120c28..687bcec 100644
--- a/flexiapi/composer.json
+++ b/flexiapi/composer.json
@@ -15,6 +15,7 @@
"fakerphp/faker": "^1.23",
"laravel/framework": "^9.52",
"laravel/tinker": "^2.8",
+ "lcobucci/jwt": "^4.3",
"namoshek/laravel-redis-sentinel": "^0.1",
"ovh/ovh": "^3.2",
"parsedown/laravel": "^1.2",
diff --git a/flexiapi/composer.lock b/flexiapi/composer.lock
index be65384..831dbae 100644
--- a/flexiapi/composer.lock
+++ b/flexiapi/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "255a77afa50eaa780b140f0b760339af",
+ "content-hash": "daf1c028cc9a6eb9b5d28ba1bd25cec5",
"packages": [
{
"name": "awobaz/compoships",
@@ -2186,6 +2186,141 @@
},
"time": "2024-01-04T16:10:04+00:00"
},
+ {
+ "name": "lcobucci/clock",
+ "version": "2.2.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/lcobucci/clock.git",
+ "reference": "fb533e093fd61321bfcbac08b131ce805fe183d3"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/lcobucci/clock/zipball/fb533e093fd61321bfcbac08b131ce805fe183d3",
+ "reference": "fb533e093fd61321bfcbac08b131ce805fe183d3",
+ "shasum": ""
+ },
+ "require": {
+ "php": "^8.0",
+ "stella-maris/clock": "^0.1.4"
+ },
+ "require-dev": {
+ "infection/infection": "^0.26",
+ "lcobucci/coding-standard": "^8.0",
+ "phpstan/extension-installer": "^1.1",
+ "phpstan/phpstan": "^0.12",
+ "phpstan/phpstan-deprecation-rules": "^0.12",
+ "phpstan/phpstan-phpunit": "^0.12",
+ "phpstan/phpstan-strict-rules": "^0.12",
+ "phpunit/phpunit": "^9.5"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "Lcobucci\\Clock\\": "src"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "LuÃs Cobucci",
+ "email": "lcobucci@gmail.com"
+ }
+ ],
+ "description": "Yet another clock abstraction",
+ "support": {
+ "issues": "https://github.com/lcobucci/clock/issues",
+ "source": "https://github.com/lcobucci/clock/tree/2.2.0"
+ },
+ "funding": [
+ {
+ "url": "https://github.com/lcobucci",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/lcobucci",
+ "type": "patreon"
+ }
+ ],
+ "time": "2022-04-19T19:34:17+00:00"
+ },
+ {
+ "name": "lcobucci/jwt",
+ "version": "4.3.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/lcobucci/jwt.git",
+ "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/lcobucci/jwt/zipball/4d7de2fe0d51a96418c0d04004986e410e87f6b4",
+ "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4",
+ "shasum": ""
+ },
+ "require": {
+ "ext-hash": "*",
+ "ext-json": "*",
+ "ext-mbstring": "*",
+ "ext-openssl": "*",
+ "ext-sodium": "*",
+ "lcobucci/clock": "^2.0 || ^3.0",
+ "php": "^7.4 || ^8.0"
+ },
+ "require-dev": {
+ "infection/infection": "^0.21",
+ "lcobucci/coding-standard": "^6.0",
+ "mikey179/vfsstream": "^1.6.7",
+ "phpbench/phpbench": "^1.2",
+ "phpstan/extension-installer": "^1.0",
+ "phpstan/phpstan": "^1.4",
+ "phpstan/phpstan-deprecation-rules": "^1.0",
+ "phpstan/phpstan-phpunit": "^1.0",
+ "phpstan/phpstan-strict-rules": "^1.0",
+ "phpunit/php-invoker": "^3.1",
+ "phpunit/phpunit": "^9.5"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "Lcobucci\\JWT\\": "src"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "BSD-3-Clause"
+ ],
+ "authors": [
+ {
+ "name": "LuÃs Cobucci",
+ "email": "lcobucci@gmail.com",
+ "role": "Developer"
+ }
+ ],
+ "description": "A simple library to work with JSON Web Token and JSON Web Signature",
+ "keywords": [
+ "JWS",
+ "jwt"
+ ],
+ "support": {
+ "issues": "https://github.com/lcobucci/jwt/issues",
+ "source": "https://github.com/lcobucci/jwt/tree/4.3.0"
+ },
+ "funding": [
+ {
+ "url": "https://github.com/lcobucci",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/lcobucci",
+ "type": "patreon"
+ }
+ ],
+ "time": "2023-01-02T13:28:00+00:00"
+ },
{
"name": "league/commonmark",
"version": "2.4.2",
@@ -3826,16 +3961,16 @@
},
{
"name": "phpunit/phpunit",
- "version": "9.6.17",
+ "version": "9.6.18",
"source": {
"type": "git",
"url": "https://github.com/sebastianbergmann/phpunit.git",
- "reference": "1a156980d78a6666721b7e8e8502fe210b587fcd"
+ "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/1a156980d78a6666721b7e8e8502fe210b587fcd",
- "reference": "1a156980d78a6666721b7e8e8502fe210b587fcd",
+ "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04",
+ "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04",
"shasum": ""
},
"require": {
@@ -3909,7 +4044,7 @@
"support": {
"issues": "https://github.com/sebastianbergmann/phpunit/issues",
"security": "https://github.com/sebastianbergmann/phpunit/security/policy",
- "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.17"
+ "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.18"
},
"funding": [
{
@@ -3925,7 +4060,7 @@
"type": "tidelift"
}
],
- "time": "2024-02-23T13:14:51+00:00"
+ "time": "2024-03-21T12:07:32+00:00"
},
{
"name": "psr/cache",
@@ -6287,6 +6422,53 @@
],
"time": "2020-09-28T06:39:44+00:00"
},
+ {
+ "name": "stella-maris/clock",
+ "version": "0.1.7",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/stella-maris-solutions/clock.git",
+ "reference": "fa23ce16019289a18bb3446fdecd45befcdd94f8"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/stella-maris-solutions/clock/zipball/fa23ce16019289a18bb3446fdecd45befcdd94f8",
+ "reference": "fa23ce16019289a18bb3446fdecd45befcdd94f8",
+ "shasum": ""
+ },
+ "require": {
+ "php": "^7.0|^8.0",
+ "psr/clock": "^1.0"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "StellaMaris\\Clock\\": "src"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "Andreas Heigl",
+ "role": "Maintainer"
+ }
+ ],
+ "description": "A pre-release of the proposed PSR-20 Clock-Interface",
+ "homepage": "https://gitlab.com/stella-maris/clock",
+ "keywords": [
+ "clock",
+ "datetime",
+ "point in time",
+ "psr20"
+ ],
+ "support": {
+ "source": "https://github.com/stella-maris-solutions/clock/tree/0.1.7"
+ },
+ "time": "2022-11-25T16:15:06+00:00"
+ },
{
"name": "symfony/console",
"version": "v6.0.19",
@@ -8916,16 +9098,16 @@
},
{
"name": "composer/pcre",
- "version": "3.1.2",
+ "version": "3.1.3",
"source": {
"type": "git",
"url": "https://github.com/composer/pcre.git",
- "reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace"
+ "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/composer/pcre/zipball/4775f35b2d70865807c89d32c8e7385b86eb0ace",
- "reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace",
+ "url": "https://api.github.com/repos/composer/pcre/zipball/5b16e25a5355f1f3afdfc2f954a0a80aec4826a8",
+ "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8",
"shasum": ""
},
"require": {
@@ -8967,7 +9149,7 @@
],
"support": {
"issues": "https://github.com/composer/pcre/issues",
- "source": "https://github.com/composer/pcre/tree/3.1.2"
+ "source": "https://github.com/composer/pcre/tree/3.1.3"
},
"funding": [
{
@@ -8983,7 +9165,7 @@
"type": "tidelift"
}
],
- "time": "2024-03-07T15:38:35+00:00"
+ "time": "2024-03-19T10:26:25+00:00"
},
{
"name": "composer/xdebug-handler",
@@ -9241,16 +9423,16 @@
},
{
"name": "mockery/mockery",
- "version": "1.6.9",
+ "version": "1.6.10",
"source": {
"type": "git",
"url": "https://github.com/mockery/mockery.git",
- "reference": "0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06"
+ "reference": "47065d1be1fa05def58dc14c03cf831d3884ef0b"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/mockery/mockery/zipball/0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06",
- "reference": "0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06",
+ "url": "https://api.github.com/repos/mockery/mockery/zipball/47065d1be1fa05def58dc14c03cf831d3884ef0b",
+ "reference": "47065d1be1fa05def58dc14c03cf831d3884ef0b",
"shasum": ""
},
"require": {
@@ -9262,8 +9444,8 @@
"phpunit/phpunit": "<8.0"
},
"require-dev": {
- "phpunit/phpunit": "^8.5 || ^9.6.10",
- "symplify/easy-coding-standard": "^12.0.8"
+ "phpunit/phpunit": "^8.5 || ^9.6.17",
+ "symplify/easy-coding-standard": "^12.1.14"
},
"type": "library",
"autoload": {
@@ -9320,7 +9502,7 @@
"security": "https://github.com/mockery/mockery/security/advisories",
"source": "https://github.com/mockery/mockery"
},
- "time": "2023-12-10T02:24:34+00:00"
+ "time": "2024-03-19T16:15:45+00:00"
},
{
"name": "nunomaduro/collision",
diff --git a/flexiapi/config/services.php b/flexiapi/config/services.php
index 2a1d616..0750948 100644
--- a/flexiapi/config/services.php
+++ b/flexiapi/config/services.php
@@ -30,4 +30,8 @@ return [
'region' => env('AWS_DEFAULT_REGION', 'us-east-1'),
],
+ 'jwt' => [
+ 'rsa_public_key_pem' => env('JWT_RSA_PUBLIC_KEY_PEM'),
+ ],
+
];
diff --git a/flexiapi/resources/views/api/documentation_markdown.blade.php b/flexiapi/resources/views/api/documentation_markdown.blade.php
index cec7f03..fcd6a90 100644
--- a/flexiapi/resources/views/api/documentation_markdown.blade.php
+++ b/flexiapi/resources/views/api/documentation_markdown.blade.php
@@ -45,6 +45,20 @@ Or using a cookie:
> …
```
+### Using a JWT token
+
+You can use a JWT token to authenticate on the API.
+
+To do so you MUST inject it as an `Authorization: Bearer` header and configure the API with the public key of the token emitter.
+
+```
+> GET /api/{endpoint}
+> Authorization: Bearer {your-jwt-token}
+> …
+```
+
+The API will then check if the token was signed properly, is still valid and authenticate a user that is actually available in the system.
+
### Using DIGEST
To discover the available hashing algorythm you MUST send an unauthenticated request to one of the restricted endpoints.
diff --git a/flexiapi/resources/views/provisioning/documentation_markdown.blade.php b/flexiapi/resources/views/provisioning/documentation_markdown.blade.php
index 65f8514..41fe3e2 100644
--- a/flexiapi/resources/views/provisioning/documentation_markdown.blade.php
+++ b/flexiapi/resources/views/provisioning/documentation_markdown.blade.php
@@ -2,6 +2,10 @@
Provisioning is a core concept of the FlexiAPI - Linphone clients flow.
+## Authentication
+
+Please check the About & Auth section of the API.
+
## About
To request the following URLs client MUST add a specific `x-linphone-provisioning` header.
diff --git a/flexiapi/routes/api.php b/flexiapi/routes/api.php
index 5656622..b94b363 100644
--- a/flexiapi/routes/api.php
+++ b/flexiapi/routes/api.php
@@ -56,7 +56,7 @@ Route::post('accounts/auth_token', 'Api\Account\AuthTokenController@store');
Route::get('accounts/me/api_key/{auth_token}', 'Api\Account\ApiKeyController@generateFromToken')->middleware('cookie', 'cookie.encrypt');
-Route::group(['middleware' => ['auth.digest_or_key', 'auth.check_blocked']], function () {
+Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key', 'auth.check_blocked']], function () {
Route::get('accounts/auth_token/{auth_token}/attach', 'Api\Account\AuthTokenController@attach');
Route::prefix('accounts/me')->group(function () {
diff --git a/flexiapi/routes/web.php b/flexiapi/routes/web.php
index 6367231..0157cef 100644
--- a/flexiapi/routes/web.php
+++ b/flexiapi/routes/web.php
@@ -39,13 +39,14 @@ use App\Http\Controllers\Admin\AccountStatisticsController;
use App\Http\Controllers\Admin\ContactsListController;
use App\Http\Controllers\Admin\ContactsListContactController;
use App\Http\Controllers\Admin\StatisticsController;
+use Laravel\Socialite\Facades\Socialite;
use Illuminate\Support\Facades\Route;
Route::redirect('/', 'login')->name('account.home');
Route::get('documentation', 'Account\AccountController@documentation')->name('account.documentation');
Route::get('about', 'AboutController@about')->name('about');
-Route::middleware(['web_panel_enabled'])->group(function () {
+Route::group(['middleware' => 'web_panel_enabled'], function () {
Route::get('login', 'Account\AuthenticateController@login')->name('account.login');
Route::post('authenticate', 'Account\AuthenticateController@authenticate')->name('account.authenticate');
Route::get('authenticate/qrcode/{token?}', 'Account\AuthenticateController@loginAuthToken')->name('account.authenticate.auth_token');
@@ -56,7 +57,7 @@ Route::middleware(['web_panel_enabled'])->group(function () {
});
});
-Route::group(['middleware' => 'auth.digest_or_key'], function () {
+Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key']], function () {
Route::get('provisioning/me', 'Account\ProvisioningController@me')->name('provisioning.me');
// Vcard 4.0
@@ -72,7 +73,7 @@ Route::name('provisioning.')->prefix('provisioning')->controller(ProvisioningCon
Route::get('/', 'show')->name('show');
});
-Route::middleware(['web_panel_enabled'])->group(function () {
+Route::group(['middleware' => 'web_panel_enabled'], function () {
if (config('app.public_registration')) {
Route::redirect('register', 'register/email')->name('account.register');
diff --git a/flexiapi/tests/Feature/AccountJWTAuthenticationTest.php b/flexiapi/tests/Feature/AccountJWTAuthenticationTest.php
new file mode 100644
index 0000000..2777c09
--- /dev/null
+++ b/flexiapi/tests/Feature/AccountJWTAuthenticationTest.php
@@ -0,0 +1,142 @@
+ 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA));
+ $this->serverPublicKeyPem = openssl_pkey_get_details($keys)['key'];
+ openssl_pkey_export($keys, $this->serverPrivateKeyPem);
+ }
+
+ public function testBaseProvisioning()
+ {
+ # JWT is disabled if Sodium is not loaded
+ if (!extension_loaded('sodium')) return;
+
+ $password = Password::factory()->create();
+
+ config()->set('services.jwt.rsa_public_key_pem', $this->serverPublicKeyPem);
+
+ $this->get($this->route)->assertStatus(400);
+
+ $clock = new FrozenClock(new DateTimeImmutable());
+
+ $token = (new JwtFacade(null, $clock))->issue(
+ new Sha256(),
+ InMemory::plainText($this->serverPrivateKeyPem),
+ static fn (
+ Builder $builder,
+ DateTimeImmutable $issuedAt
+ ): Builder => $builder->withClaim('email', $password->account->email)
+ );
+
+ $this->withHeaders([
+ 'Authorization' => 'Bearer ' . $token->toString(),
+ 'x-linphone-provisioning' => true,
+ ])
+ ->get($this->accountRoute)
+ ->assertStatus(200)
+ ->assertHeader('Content-Type', 'application/xml')
+ ->assertSee('ha1');
+
+ // Sha512
+ $token = (new JwtFacade(null, $clock))->issue(
+ new Sha512(),
+ InMemory::plainText($this->serverPrivateKeyPem),
+ static fn (
+ Builder $builder,
+ DateTimeImmutable $issuedAt
+ ): Builder => $builder->withClaim('email', $password->account->email)
+ );
+
+ $this->withHeaders([
+ 'Authorization' => 'Bearer ' . $token->toString(),
+ 'x-linphone-provisioning' => true,
+ ])
+ ->get($this->accountRoute)
+ ->assertStatus(200)
+ ->assertHeader('Content-Type', 'application/xml')
+ ->assertSee('ha1');
+
+ // Expired token
+
+ $oldClock = new FrozenClock(new DateTimeImmutable('2022-06-24 22:51:10'));
+
+ $token = (new JwtFacade(null, $oldClock))->issue(
+ new Sha256(),
+ InMemory::plainText($this->serverPrivateKeyPem),
+ static fn (
+ Builder $builder,
+ DateTimeImmutable $issuedAt
+ ): Builder => $builder->withClaim('email', $password->account->email)
+ );
+
+ $this->withHeaders([
+ 'Authorization' => 'Bearer ' . $token->toString(),
+ 'x-linphone-provisioning' => true,
+ ])
+ ->get($this->accountRoute)
+ ->assertStatus(403);
+
+ // Expired token
+
+ $token = (new JwtFacade(null, $clock))->issue(
+ new Sha256(),
+ InMemory::plainText($this->serverPrivateKeyPem),
+ static fn (
+ Builder $builder,
+ DateTimeImmutable $issuedAt
+ ): Builder => $builder->withClaim('email', 'unknow@man.org')
+ );
+
+ $this->withHeaders([
+ 'Authorization' => 'Bearer ' . $token->toString(),
+ 'x-linphone-provisioning' => true,
+ ])
+ ->get($this->accountRoute)
+ ->assertStatus(403);
+
+ // Wrong signature key
+
+ $keys = openssl_pkey_new(array("private_key_bits" => 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA));
+ openssl_pkey_export($keys, $wrongServerPrivateKeyPem);
+
+ $wrongToken = (new JwtFacade(null, $clock))->issue(
+ new Sha256(),
+ InMemory::plainText($wrongServerPrivateKeyPem),
+ static fn (
+ Builder $builder,
+ DateTimeImmutable $issuedAt
+ ): Builder => $builder->withClaim('email', $password->account->email)
+ );
+
+ $this->withHeaders([
+ 'Authorization' => 'Bearer ' . $wrongToken->toString(),
+ 'x-linphone-provisioning' => true,
+ ])
+ ->get($this->accountRoute)
+ ->assertStatus(403);
+ }
+}
diff --git a/flexisip-account-manager.spec b/flexisip-account-manager.spec
index 4b518a6..9e2b274 100644
--- a/flexisip-account-manager.spec
+++ b/flexisip-account-manager.spec
@@ -33,7 +33,7 @@ License: GPL
URL: http://www.linphone.org
Source0: flexisip-account-manager.tar.gz
-Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring
+Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring, php-sodium
%description
PHP server for Linphone and Flexisip providing module for account creation.