mirrors/flexisip-account-manager
1
0
Fork 0
mirror of https://gitlab.linphone.org/BC/public/flexisip-account-manager.git synced 2026-01-17 10:08:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix FLEXIAPI-143 Implement JWT authentification in the API

Browse source
This commit is contained in:
Timothée Jaussoin 2024-03-25 11:08:41 +00:00
parent 92e06df01f
commit d2316251d5
18 changed files with 465 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.gitlab-ci-files/package.yml
View file

@ -2,6 +2,12 @@ rocky8-package:
extends: .package extends: .package
image: gitlab.linphone.org:4567/bc/public/docker/rocky8-php:$ROCKY_8_IMAGE_VERSION image: gitlab.linphone.org:4567/bc/public/docker/rocky8-php:$ROCKY_8_IMAGE_VERSION
script: script:
# We install this dependency only for the pipeline
- dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
- dnf -y module reset php
- dnf -y module enable php:remi-8.0
- dnf -y update php\*
- dnf -y install php-sodium
- make rpm-el8 - make rpm-el8
rocky9-package: rocky9-package:

2
.gitlab-ci-files/test.yml
View file

@ -15,7 +15,7 @@ rocky9-test:
script: script:
- yum -y localinstall build/*.rpm - yum -y localinstall build/*.rpm
- cd /opt/belledonne-communications/share/flexisip-account-manager/flexiapi - cd /opt/belledonne-communications/share/flexisip-account-manager/flexiapi
- composer install - composer install --ignore-platform-req=ext-sodium # Rocky 8 use the external library
- vendor/bin/phpcs - vendor/bin/phpcs
- vendor/bin/phpmd . ansi phpmd.xml - vendor/bin/phpmd . ansi phpmd.xml
- php artisan key:generate - php artisan key:generate

2
.gitlab-ci.yml
View file

@ -1,6 +1,6 @@
variables: variables:
ROCKY_8_IMAGE_VERSION: 20230330_163028_remove_remi ROCKY_8_IMAGE_VERSION: 20230330_163028_remove_remi
ROCKY_9_IMAGE_VERSION: 20231019_170719_rocky9_php80_cleanup ROCKY_9_IMAGE_VERSION: 20240314_163316_add_php_sodium
DEBIAN_11_IMAGE_VERSION: 20240221_140459_package_upgrade_02_24 DEBIAN_11_IMAGE_VERSION: 20240221_140459_package_upgrade_02_24
DEBIAN_12_IMAGE_VERSION: 20230925_143235_enable_debian12_packaging DEBIAN_12_IMAGE_VERSION: 20230925_143235_enable_debian12_packaging
PHP_REDIS_REMI_VERSION: php-pecl-redis5-5.3.6-1 PHP_REDIS_REMI_VERSION: php-pecl-redis5-5.3.6-1

1
CHANGELOG.md
View file

@ -10,6 +10,7 @@ v1.5
- FIX FLEXIAPI-146 Allow users to manage their own devices - FIX FLEXIAPI-146 Allow users to manage their own devices
- Fix FLEXIAPI-145 Put back the 'code' parameter as an alias for the 'confirmation_key' for the activateEmail and activatePhone endpoints - Fix FLEXIAPI-145 Put back the 'code' parameter as an alias for the 'confirmation_key' for the activateEmail and activatePhone endpoints
- Fix FLEXIAPI-144 Introduce APP_FLEXISIP_PUSHER_FIREBASE_KEYSMAP as a replacement for APP_FLEXISIP_PUSHER_FIREBASE_KEY - Fix FLEXIAPI-144 Introduce APP_FLEXISIP_PUSHER_FIREBASE_KEYSMAP as a replacement for APP_FLEXISIP_PUSHER_FIREBASE_KEY
- Fix FLEXIAPI-143 JWT Authentication layer on the API
- Fix FLEXIAPI-142 PUT /accounts endpoint doesn't allow overiding values anymore - Fix FLEXIAPI-142 PUT /accounts endpoint doesn't allow overiding values anymore
- Fix FLEXIAPI-140 Fix the display_name attribute in the Vcard4 render - Fix FLEXIAPI-140 Fix the display_name attribute in the Vcard4 render
- Fix FLEXIAPI-139 Refactor the email and phone API documentation - Fix FLEXIAPI-139 Refactor the email and phone API documentation

1
Makefile
View file

@ -57,6 +57,7 @@ package-end-common:
rm -rf $(OUTPUT_DIR)/rpmbuild/SPECS $(OUTPUT_DIR)/rpmbuild/SOURCES $(OUTPUT_DIR)/rpmbuild/SRPMS $(OUTPUT_DIR)/rpmbuild/BUILD $(OUTPUT_DIR)/rpmbuild/BUILDROOT rm -rf $(OUTPUT_DIR)/rpmbuild/SPECS $(OUTPUT_DIR)/rpmbuild/SOURCES $(OUTPUT_DIR)/rpmbuild/SRPMS $(OUTPUT_DIR)/rpmbuild/BUILD $(OUTPUT_DIR)/rpmbuild/BUILDROOT
rpm-el8-only: rpm-el8-only:
sed -i 's/Requires:.*/Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring/g' $(OUTPUT_DIR)/rpmbuild/SPECS/flexisip-account-manager.spec
rpmbuild -v -bb --define 'dist .el8' --define '_topdir $(OUTPUT_DIR)/rpmbuild' --define "_rpmdir $(OUTPUT_DIR)/rpmbuild" $(OUTPUT_DIR)/rpmbuild/SPECS/flexisip-account-manager.spec rpmbuild -v -bb --define 'dist .el8' --define '_topdir $(OUTPUT_DIR)/rpmbuild' --define "_rpmdir $(OUTPUT_DIR)/rpmbuild" $(OUTPUT_DIR)/rpmbuild/SPECS/flexisip-account-manager.spec
@echo "📦✅ RPM el8 Package Created" @echo "📦✅ RPM el8 Package Created"

5
flexiapi/.env.example
View file

@ -110,4 +110,7 @@ OVH_APP_SENDER=
# HCaptcha # HCaptcha
HCAPTCHA_SECRET=secret-key HCAPTCHA_SECRET=secret-key
HCAPTCHA_SITEKEY=site-key HCAPTCHA_SITEKEY=site-key
# JWT
JWT_RSA_PUBLIC_KEY_PEM=

1
flexiapi/app/Http/Kernel.php
View file

@ -72,6 +72,7 @@ class Kernel extends HttpKernel
'auth.admin' => \App\Http\Middleware\AuthenticateAdmin::class, 'auth.admin' => \App\Http\Middleware\AuthenticateAdmin::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'auth.digest_or_key' => \App\Http\Middleware\AuthenticateDigestOrKey::class, 'auth.digest_or_key' => \App\Http\Middleware\AuthenticateDigestOrKey::class,
'auth.jwt' => \App\Http\Middleware\AuthenticateJWT::class,
'auth.check_blocked' => \App\Http\Middleware\CheckBlocked::class, 'auth.check_blocked' => \App\Http\Middleware\CheckBlocked::class,
'web_panel_enabled' => \App\Http\Middleware\IsWebPanelEnabled::class, 'web_panel_enabled' => \App\Http\Middleware\IsWebPanelEnabled::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class, 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,

4
flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
View file

@ -39,6 +39,10 @@ class AuthenticateDigestOrKey
*/ */
public function handle($request, Closure $next) public function handle($request, Closure $next)
{ {
if ($request->bearerToken() && Auth::check()) {
return $next($request);
}
// Key authentication // Key authentication
if ($request->header('x-api-key') || $request->cookie('x-api-key')) { if ($request->header('x-api-key') || $request->cookie('x-api-key')) {

73
flexiapi/app/Http/Middleware/AuthenticateJWT.php Normal file
View file

@ -0,0 +1,73 @@
<?php
namespace App\Http\Middleware;
use App\Account;
use Closure;
use DateTimeImmutable;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\Parser;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Signer\Rsa\Sha384;
use Lcobucci\JWT\Signer\Rsa\Sha512;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Validator;
class AuthenticateJWT
{
public function handle(Request $request, Closure $next)
{
if ($request->bearerToken() && config('services.jwt.rsa_public_key_pem')) {
if (!extension_loaded('sodium')) {
abort(403, "Your PHP setup doesn't have the Sodium extension loaded");
}
$publicKey = InMemory::plainText(config('services.jwt.rsa_public_key_pem'));
$token = (new Parser(new JoseEncoder()))->parse($request->bearerToken());
$signer = null;
switch ($token->headers()->get('alg')) {
case 'RS256':
$signer = new Sha256;
break;
case 'RS384':
$signer = new Sha384;
break;
case 'RS512':
$signer = new Sha512;
break;
}
if ($signer == null) {
abort(403, 'Unsupported RSA signature');
}
if (!(new Validator())->validate($token, new SignedWith($signer, $publicKey))) {
abort(403, 'Invalid JWT token signature');
}
if ($token->isExpired(new DateTimeImmutable())) {
abort(403, 'Expired JWT token');
}
$account = Account::withoutGlobalScopes()
->where('email', $token->claims()->get('email'))
->first();
if (!$account) {
abort(403, 'The JWT token is not related to someone in the system');
}
Auth::login($account);
}
return $next($request);
}
}

1
flexiapi/composer.json
View file

@ -15,6 +15,7 @@
"fakerphp/faker": "^1.23", "fakerphp/faker": "^1.23",
"laravel/framework": "^9.52", "laravel/framework": "^9.52",
"laravel/tinker": "^2.8", "laravel/tinker": "^2.8",
"lcobucci/jwt": "^4.3",
"namoshek/laravel-redis-sentinel": "^0.1", "namoshek/laravel-redis-sentinel": "^0.1",
"ovh/ovh": "^3.2", "ovh/ovh": "^3.2",
"parsedown/laravel": "^1.2", "parsedown/laravel": "^1.2",

222
flexiapi/composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "255a77afa50eaa780b140f0b760339af", "content-hash": "daf1c028cc9a6eb9b5d28ba1bd25cec5",
"packages": [ "packages": [
{ {
"name": "awobaz/compoships", "name": "awobaz/compoships",
@ -2186,6 +2186,141 @@
}, },
"time": "2024-01-04T16:10:04+00:00" "time": "2024-01-04T16:10:04+00:00"
}, },
{
"name": "lcobucci/clock",
"version": "2.2.0",
"source": {
"type": "git",
"url": "https://github.com/lcobucci/clock.git",
"reference": "fb533e093fd61321bfcbac08b131ce805fe183d3"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/lcobucci/clock/zipball/fb533e093fd61321bfcbac08b131ce805fe183d3",
"reference": "fb533e093fd61321bfcbac08b131ce805fe183d3",
"shasum": ""
},
"require": {
"php": "^8.0",
"stella-maris/clock": "^0.1.4"
},
"require-dev": {
"infection/infection": "^0.26",
"lcobucci/coding-standard": "^8.0",
"phpstan/extension-installer": "^1.1",
"phpstan/phpstan": "^0.12",
"phpstan/phpstan-deprecation-rules": "^0.12",
"phpstan/phpstan-phpunit": "^0.12",
"phpstan/phpstan-strict-rules": "^0.12",
"phpunit/phpunit": "^9.5"
},
"type": "library",
"autoload": {
"psr-4": {
"Lcobucci\\Clock\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Luís Cobucci",
"email": "lcobucci@gmail.com"
}
],
"description": "Yet another clock abstraction",
"support": {
"issues": "https://github.com/lcobucci/clock/issues",
"source": "https://github.com/lcobucci/clock/tree/2.2.0"
},
"funding": [
{
"url": "https://github.com/lcobucci",
"type": "github"
},
{
"url": "https://www.patreon.com/lcobucci",
"type": "patreon"
}
],
"time": "2022-04-19T19:34:17+00:00"
},
{
"name": "lcobucci/jwt",
"version": "4.3.0",
"source": {
"type": "git",
"url": "https://github.com/lcobucci/jwt.git",
"reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/lcobucci/jwt/zipball/4d7de2fe0d51a96418c0d04004986e410e87f6b4",
"reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4",
"shasum": ""
},
"require": {
"ext-hash": "*",
"ext-json": "*",
"ext-mbstring": "*",
"ext-openssl": "*",
"ext-sodium": "*",
"lcobucci/clock": "^2.0 || ^3.0",
"php": "^7.4 || ^8.0"
},
"require-dev": {
"infection/infection": "^0.21",
"lcobucci/coding-standard": "^6.0",
"mikey179/vfsstream": "^1.6.7",
"phpbench/phpbench": "^1.2",
"phpstan/extension-installer": "^1.0",
"phpstan/phpstan": "^1.4",
"phpstan/phpstan-deprecation-rules": "^1.0",
"phpstan/phpstan-phpunit": "^1.0",
"phpstan/phpstan-strict-rules": "^1.0",
"phpunit/php-invoker": "^3.1",
"phpunit/phpunit": "^9.5"
},
"type": "library",
"autoload": {
"psr-4": {
"Lcobucci\\JWT\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-3-Clause"
],
"authors": [
{
"name": "Luís Cobucci",
"email": "lcobucci@gmail.com",
"role": "Developer"
}
],
"description": "A simple library to work with JSON Web Token and JSON Web Signature",
"keywords": [
"JWS",
"jwt"
],
"support": {
"issues": "https://github.com/lcobucci/jwt/issues",
"source": "https://github.com/lcobucci/jwt/tree/4.3.0"
},
"funding": [
{
"url": "https://github.com/lcobucci",
"type": "github"
},
{
"url": "https://www.patreon.com/lcobucci",
"type": "patreon"
}
],
"time": "2023-01-02T13:28:00+00:00"
},
{ {
"name": "league/commonmark", "name": "league/commonmark",
"version": "2.4.2", "version": "2.4.2",
@ -3826,16 +3961,16 @@
}, },
{ {
"name": "phpunit/phpunit", "name": "phpunit/phpunit",
"version": "9.6.17", "version": "9.6.18",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/sebastianbergmann/phpunit.git", "url": "https://github.com/sebastianbergmann/phpunit.git",
"reference": "1a156980d78a6666721b7e8e8502fe210b587fcd" "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/1a156980d78a6666721b7e8e8502fe210b587fcd", "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04",
"reference": "1a156980d78a6666721b7e8e8502fe210b587fcd", "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -3909,7 +4044,7 @@
"support": { "support": {
"issues": "https://github.com/sebastianbergmann/phpunit/issues", "issues": "https://github.com/sebastianbergmann/phpunit/issues",
"security": "https://github.com/sebastianbergmann/phpunit/security/policy", "security": "https://github.com/sebastianbergmann/phpunit/security/policy",
"source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.17" "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.18"
}, },
"funding": [ "funding": [
{ {
@ -3925,7 +4060,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-02-23T13:14:51+00:00" "time": "2024-03-21T12:07:32+00:00"
}, },
{ {
"name": "psr/cache", "name": "psr/cache",
@ -6287,6 +6422,53 @@
], ],
"time": "2020-09-28T06:39:44+00:00" "time": "2020-09-28T06:39:44+00:00"
}, },
{
"name": "stella-maris/clock",
"version": "0.1.7",
"source": {
"type": "git",
"url": "https://github.com/stella-maris-solutions/clock.git",
"reference": "fa23ce16019289a18bb3446fdecd45befcdd94f8"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/stella-maris-solutions/clock/zipball/fa23ce16019289a18bb3446fdecd45befcdd94f8",
"reference": "fa23ce16019289a18bb3446fdecd45befcdd94f8",
"shasum": ""
},
"require": {
"php": "^7.0|^8.0",
"psr/clock": "^1.0"
},
"type": "library",
"autoload": {
"psr-4": {
"StellaMaris\\Clock\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Andreas Heigl",
"role": "Maintainer"
}
],
"description": "A pre-release of the proposed PSR-20 Clock-Interface",
"homepage": "https://gitlab.com/stella-maris/clock",
"keywords": [
"clock",
"datetime",
"point in time",
"psr20"
],
"support": {
"source": "https://github.com/stella-maris-solutions/clock/tree/0.1.7"
},
"time": "2022-11-25T16:15:06+00:00"
},
{ {
"name": "symfony/console", "name": "symfony/console",
"version": "v6.0.19", "version": "v6.0.19",
@ -8916,16 +9098,16 @@
}, },
{ {
"name": "composer/pcre", "name": "composer/pcre",
"version": "3.1.2", "version": "3.1.3",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/composer/pcre.git", "url": "https://github.com/composer/pcre.git",
"reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace" "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/composer/pcre/zipball/4775f35b2d70865807c89d32c8e7385b86eb0ace", "url": "https://api.github.com/repos/composer/pcre/zipball/5b16e25a5355f1f3afdfc2f954a0a80aec4826a8",
"reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace", "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -8967,7 +9149,7 @@
], ],
"support": { "support": {
"issues": "https://github.com/composer/pcre/issues", "issues": "https://github.com/composer/pcre/issues",
"source": "https://github.com/composer/pcre/tree/3.1.2" "source": "https://github.com/composer/pcre/tree/3.1.3"
}, },
"funding": [ "funding": [
{ {
@ -8983,7 +9165,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-03-07T15:38:35+00:00" "time": "2024-03-19T10:26:25+00:00"
}, },
{ {
"name": "composer/xdebug-handler", "name": "composer/xdebug-handler",
@ -9241,16 +9423,16 @@
}, },
{ {
"name": "mockery/mockery", "name": "mockery/mockery",
"version": "1.6.9", "version": "1.6.10",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/mockery/mockery.git", "url": "https://github.com/mockery/mockery.git",
"reference": "0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06" "reference": "47065d1be1fa05def58dc14c03cf831d3884ef0b"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/mockery/mockery/zipball/0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06", "url": "https://api.github.com/repos/mockery/mockery/zipball/47065d1be1fa05def58dc14c03cf831d3884ef0b",
"reference": "0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06", "reference": "47065d1be1fa05def58dc14c03cf831d3884ef0b",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -9262,8 +9444,8 @@
"phpunit/phpunit": "<8.0" "phpunit/phpunit": "<8.0"
}, },
"require-dev": { "require-dev": {
"phpunit/phpunit": "^8.5 || ^9.6.10", "phpunit/phpunit": "^8.5 || ^9.6.17",
"symplify/easy-coding-standard": "^12.0.8" "symplify/easy-coding-standard": "^12.1.14"
}, },
"type": "library", "type": "library",
"autoload": { "autoload": {
@ -9320,7 +9502,7 @@
"security": "https://github.com/mockery/mockery/security/advisories", "security": "https://github.com/mockery/mockery/security/advisories",
"source": "https://github.com/mockery/mockery" "source": "https://github.com/mockery/mockery"
}, },
"time": "2023-12-10T02:24:34+00:00" "time": "2024-03-19T16:15:45+00:00"
}, },
{ {
"name": "nunomaduro/collision", "name": "nunomaduro/collision",

4
flexiapi/config/services.php
View file

@ -30,4 +30,8 @@ return [
'region' => env('AWS_DEFAULT_REGION', 'us-east-1'), 'region' => env('AWS_DEFAULT_REGION', 'us-east-1'),
], ],
'jwt' => [
'rsa_public_key_pem' => env('JWT_RSA_PUBLIC_KEY_PEM'),
],
]; ];

14
flexiapi/resources/views/api/documentation_markdown.blade.php
View file

@ -45,6 +45,20 @@ Or using a cookie:
> >
``` ```
### Using a JWT token
You can use a <a href="https://jwt.io/">JWT</a> token to authenticate on the API.
To do so you MUST inject it as an `Authorization: Bearer` header and configure the API with the public key of the token emitter.
```
> GET /api/{endpoint}
> Authorization: Bearer {your-jwt-token}
>
```
The API will then check if the token was signed properly, is still valid and authenticate a user that is actually available in the system.
### Using DIGEST ### Using DIGEST
To discover the available hashing algorythm you MUST send an unauthenticated request to one of the restricted endpoints.<br /> To discover the available hashing algorythm you MUST send an unauthenticated request to one of the restricted endpoints.<br />

4
flexiapi/resources/views/provisioning/documentation_markdown.blade.php
View file

@ -2,6 +2,10 @@
Provisioning is a core concept of the FlexiAPI - Linphone clients flow. Provisioning is a core concept of the FlexiAPI - Linphone clients flow.
## Authentication
Please check the <a href="{{ route('api') }}#about--auth">About & Auth</a> section of the API.
## About ## About
To request the following URLs client MUST add a specific `x-linphone-provisioning` header. To request the following URLs client MUST add a specific `x-linphone-provisioning` header.

2
flexiapi/routes/api.php
View file

@ -56,7 +56,7 @@ Route::post('accounts/auth_token', 'Api\Account\AuthTokenController@store');
Route::get('accounts/me/api_key/{auth_token}', 'Api\Account\ApiKeyController@generateFromToken')->middleware('cookie', 'cookie.encrypt'); Route::get('accounts/me/api_key/{auth_token}', 'Api\Account\ApiKeyController@generateFromToken')->middleware('cookie', 'cookie.encrypt');
Route::group(['middleware' => ['auth.digest_or_key', 'auth.check_blocked']], function () { Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key', 'auth.check_blocked']], function () {
Route::get('accounts/auth_token/{auth_token}/attach', 'Api\Account\AuthTokenController@attach'); Route::get('accounts/auth_token/{auth_token}/attach', 'Api\Account\AuthTokenController@attach');
Route::prefix('accounts/me')->group(function () { Route::prefix('accounts/me')->group(function () {

7
flexiapi/routes/web.php
View file

@ -39,13 +39,14 @@ use App\Http\Controllers\Admin\AccountStatisticsController;
use App\Http\Controllers\Admin\ContactsListController; use App\Http\Controllers\Admin\ContactsListController;
use App\Http\Controllers\Admin\ContactsListContactController; use App\Http\Controllers\Admin\ContactsListContactController;
use App\Http\Controllers\Admin\StatisticsController; use App\Http\Controllers\Admin\StatisticsController;
use Laravel\Socialite\Facades\Socialite;
use Illuminate\Support\Facades\Route; use Illuminate\Support\Facades\Route;
Route::redirect('/', 'login')->name('account.home'); Route::redirect('/', 'login')->name('account.home');
Route::get('documentation', 'Account\AccountController@documentation')->name('account.documentation'); Route::get('documentation', 'Account\AccountController@documentation')->name('account.documentation');
Route::get('about', 'AboutController@about')->name('about'); Route::get('about', 'AboutController@about')->name('about');
Route::middleware(['web_panel_enabled'])->group(function () { Route::group(['middleware' => 'web_panel_enabled'], function () {
Route::get('login', 'Account\AuthenticateController@login')->name('account.login'); Route::get('login', 'Account\AuthenticateController@login')->name('account.login');
Route::post('authenticate', 'Account\AuthenticateController@authenticate')->name('account.authenticate'); Route::post('authenticate', 'Account\AuthenticateController@authenticate')->name('account.authenticate');
Route::get('authenticate/qrcode/{token?}', 'Account\AuthenticateController@loginAuthToken')->name('account.authenticate.auth_token'); Route::get('authenticate/qrcode/{token?}', 'Account\AuthenticateController@loginAuthToken')->name('account.authenticate.auth_token');
@ -56,7 +57,7 @@ Route::middleware(['web_panel_enabled'])->group(function () {
}); });
}); });
Route::group(['middleware' => 'auth.digest_or_key'], function () { Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key']], function () {
Route::get('provisioning/me', 'Account\ProvisioningController@me')->name('provisioning.me'); Route::get('provisioning/me', 'Account\ProvisioningController@me')->name('provisioning.me');
// Vcard 4.0 // Vcard 4.0
@ -72,7 +73,7 @@ Route::name('provisioning.')->prefix('provisioning')->controller(ProvisioningCon
Route::get('/', 'show')->name('show'); Route::get('/', 'show')->name('show');
}); });
Route::middleware(['web_panel_enabled'])->group(function () { Route::group(['middleware' => 'web_panel_enabled'], function () {
if (config('app.public_registration')) { if (config('app.public_registration')) {
Route::redirect('register', 'register/email')->name('account.register'); Route::redirect('register', 'register/email')->name('account.register');

142
flexiapi/tests/Feature/AccountJWTAuthenticationTest.php Normal file
View file

@ -0,0 +1,142 @@
<?php
namespace Tests\Feature;
use App\Password;
use DateTimeImmutable;
use Illuminate\Foundation\Testing\DatabaseMigrations;
use Lcobucci\Clock\FrozenClock;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\JwtFacade;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Signer\Rsa\Sha512;
use Tests\TestCase;
class AccountJWTAuthenticationTest extends TestCase
{
protected $route = '/provisioning';
protected $accountRoute = '/provisioning/me';
protected $method = 'GET';
protected $serverPrivateKeyPem = null;
protected $serverPublicKeyPem = null;
public function setUp(): void
{
parent::setUp();
$keys = openssl_pkey_new(array("private_key_bits" => 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA));
$this->serverPublicKeyPem = openssl_pkey_get_details($keys)['key'];
openssl_pkey_export($keys, $this->serverPrivateKeyPem);
}
public function testBaseProvisioning()
{
# JWT is disabled if Sodium is not loaded
if (!extension_loaded('sodium')) return;
$password = Password::factory()->create();
config()->set('services.jwt.rsa_public_key_pem', $this->serverPublicKeyPem);
$this->get($this->route)->assertStatus(400);
$clock = new FrozenClock(new DateTimeImmutable());
$token = (new JwtFacade(null, $clock))->issue(
new Sha256(),
InMemory::plainText($this->serverPrivateKeyPem),
static fn (
Builder $builder,
DateTimeImmutable $issuedAt
): Builder => $builder->withClaim('email', $password->account->email)
);
$this->withHeaders([
'Authorization' => 'Bearer ' . $token->toString(),
'x-linphone-provisioning' => true,
])
->get($this->accountRoute)
->assertStatus(200)
->assertHeader('Content-Type', 'application/xml')
->assertSee('ha1');
// Sha512
$token = (new JwtFacade(null, $clock))->issue(
new Sha512(),
InMemory::plainText($this->serverPrivateKeyPem),
static fn (
Builder $builder,
DateTimeImmutable $issuedAt
): Builder => $builder->withClaim('email', $password->account->email)
);
$this->withHeaders([
'Authorization' => 'Bearer ' . $token->toString(),
'x-linphone-provisioning' => true,
])
->get($this->accountRoute)
->assertStatus(200)
->assertHeader('Content-Type', 'application/xml')
->assertSee('ha1');
// Expired token
$oldClock = new FrozenClock(new DateTimeImmutable('2022-06-24 22:51:10'));
$token = (new JwtFacade(null, $oldClock))->issue(
new Sha256(),
InMemory::plainText($this->serverPrivateKeyPem),
static fn (
Builder $builder,
DateTimeImmutable $issuedAt
): Builder => $builder->withClaim('email', $password->account->email)
);
$this->withHeaders([
'Authorization' => 'Bearer ' . $token->toString(),
'x-linphone-provisioning' => true,
])
->get($this->accountRoute)
->assertStatus(403);
// Expired token
$token = (new JwtFacade(null, $clock))->issue(
new Sha256(),
InMemory::plainText($this->serverPrivateKeyPem),
static fn (
Builder $builder,
DateTimeImmutable $issuedAt
): Builder => $builder->withClaim('email', 'unknow@man.org')
);
$this->withHeaders([
'Authorization' => 'Bearer ' . $token->toString(),
'x-linphone-provisioning' => true,
])
->get($this->accountRoute)
->assertStatus(403);
// Wrong signature key
$keys = openssl_pkey_new(array("private_key_bits" => 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA));
openssl_pkey_export($keys, $wrongServerPrivateKeyPem);
$wrongToken = (new JwtFacade(null, $clock))->issue(
new Sha256(),
InMemory::plainText($wrongServerPrivateKeyPem),
static fn (
Builder $builder,
DateTimeImmutable $issuedAt
): Builder => $builder->withClaim('email', $password->account->email)
);
$this->withHeaders([
'Authorization' => 'Bearer ' . $wrongToken->toString(),
'x-linphone-provisioning' => true,
])
->get($this->accountRoute)
->assertStatus(403);
}
}

2
flexisip-account-manager.spec
View file

@ -33,7 +33,7 @@ License: GPL
URL: http://www.linphone.org URL: http://www.linphone.org
Source0: flexisip-account-manager.tar.gz Source0: flexisip-account-manager.tar.gz
Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring, php-sodium
%description %description
PHP server for Linphone and Flexisip providing module for account creation. PHP server for Linphone and Flexisip providing module for account creation.