Merge pull request #81 from sesamyab/jwt-verify

Verify jwt token instead of signed url
sesamyab · Aug 21, 2023 · 320a07a · 320a07a
2 parents fe18a61 + c2f9930
commit 320a07a
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 364 deletions.
diff --git a/src/composer.json b/src/composer.json
@@ -17,11 +17,12 @@
         }
     },
     "require": {
-        "phpseclib/phpseclib": "~3.0"
+        "gree/jose": "^2.2",
+        "phpseclib/phpseclib": "^2.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^9.0",
         "yoast/phpunit-polyfills": "^1.0",
         "mockery/mockery": "^1.5"
     }
-}
+}
diff --git a/src/composer.lock b/src/composer.lock
diff --git a/src/includes/class-sesamy-api-endpoint.php b/src/includes/class-sesamy-api-endpoint.php
@@ -69,18 +69,18 @@ public function sesamy_post_ep( $request ) {
 			return new WP_Error( 404, 'Post not found.' );
 		}
 
-		$public_signed_url = isset( $_SERVER['HTTP_X_SESAMY_SIGNED_URL'] ) ? esc_url_raw( wp_unslash( $_SERVER['HTTP_X_SESAMY_SIGNED_URL'] ) ) : '';
+		// Get JWT token from the authorization header
+		$jwt = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
 
-		// Always allow fetching if post is unlocked
-		$sesamy_signed_url = new Sesamy_Signed_Url();
-		$result            = Sesamy::is_locked( $post ) ? $sesamy_signed_url->is_valid_url( $post, $public_signed_url ) : true;
+		// If the post is locked, verify the JWT token. If not, just return the content.
+		$Sesamy_JWT_Helper = new Sesamy_JWT_Helper();
+		$result            = Sesamy::is_locked( $post ) ? $Sesamy_JWT_Helper->verify( $jwt ) : true;
 
 		if ( is_wp_error( $result ) ) {
 			return $result;
 		} elseif ( is_bool( $result ) && true === $result ) {
 			return new WP_REST_Response( array( 'data' => apply_filters( 'the_content', $post->post_content ) ) );
 		} else {
-
 			return new WP_Error( 400, 'The link is incorrect or no longer valid.' );
 		}
 	}