Download the PHP package spoova/jwstoken without Composer
On this page you can find all versions of the php package spoova/jwstoken. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download spoova/jwstoken
More information about spoova/jwstoken
Files in spoova/jwstoken
Package jwstoken
Short Description Spoova package for generation JWS tokens
License MIT
Informations about the package jwstoken
JwsToken
This package is used to generate JWS tokens.
Initializing class
Modifying header for generating token
Since a jws token is expected to created, it is essential to define the token header. This can be done by using the method. The header usually contain an header type and a specified algoritm as shown below:
-
- The type of data supplied can either be or .
-
- (optional) Any of the acceptable hashing algoritms in [HS256|HS384|HS512|RS256]
The example below is an example of setting any header
-
- The type of data supplied can either be or .
-
- (optional) Any of the acceptable hasing algoritms.
When the method is not defined, the arguments supplied above are assumed to be the default.
Modifying algorithm for generating token only
In the cases where we do not need to defined the entire header, we can modify only the algorithm without setting the full header by using the method. In this case, only the default algo will be modified. For example:
Setting Payload
The JwsToken payload is usually an array data that contains a list of specified data keys that contains relative information about a token that is expected to be hashed. The JwsToken accepts an array under the following specific keys
- the subject of a token
- the issuer of a token
- the owner of a token
- the time in which a generated token becomes active
- the time in which a generated token becomes expired
-
other information that is expected to be stored
The key of a supplied payload should not contain any secret data. The example below reveals how to set a payload
In the example above,
- defines the title or subject of the token (optional)
- defines the id of the issuer of a token
- defines the id of the owner of a token (optional)
- defines the time a token is generated (optional)
- defines the time a token is active (optional)
- defines the time a token expires (optional)
- should not contain any sensitive information.
Generally, the entire payload should not contain any sensitive information because it is only tokenfied but still visible to anyone. It is also important to note that it is not all the keys that are required. If the key is not defined, we can also set it by using the method as shown below
Payloads which do not have will become active immediately it is generated while those that do not have will never expire. Also, payloads can contain any other custom keys aside the specifically reserved ones above.
Obtaining the hashed token
Before a token can be obtained, it must be signed with a secret key using the method after which the token is obtained using the method.
Signing a token is shown below assuming the payload is already defined
When a secret key is signed, a secret key is expected to be defined. By default, the method uses the crypto hashing algorithm , however this can be remodified by supplying a second argument into the method which should be a valid hashing alogithm. Once a payload is signed, we can proceed to obtain the generated token.
Validating a generated token
Once a token is generated, it can be validated using specifically designed methods
Setting a token for validation
In order to test if a token is valid, the method is used. This usually contains the secret key used during token generation and the hashing algorithm used.
Example of testing if a token is valid
Usually, when a token is not valid it can be due to three reasons which is the reason we need to know why a token is not valid using the method. A token may not be valid for the following reasons
- Bad token format
- Token is not yet active
-
Token is has expired.
We can detect if a token has expired by supplying the secret key and hashing algorithm into the method.
We can detect if a token is not yet active by also supplying the secret key and hashing algorithm into the method.
Note that pending will return false if the payload is valid but is active. If no test is done yet, the method will return empty string. However, is only returned if the payload is valid and the token is not yet active or activated.
Decrypting Token
Valid tokens can be decrypted using the method. Decryption here does not mean that the payload was not visible to users but it is only used to fetch a payload from a valid token. It is impossible to properly detect that any token supplied is a good one but if a token is valid, then we surely know we can obtain a valid payload from it which is done with the method. This method takes the first argument as the token to be decrypted while the second argument is the secret key used to generate the token. Lastly, the third argument is the hash algorithm used to hash the token.
> Decrypting a valid token sample
In the event that a token is checked for validity, the decrypt method can be used immediate to fetch the valid payload