bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2026-01-19 17:44:46 +01:00
commit 823af8b11d
8721 changed files with 1130846 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
application/Espo/Core/Authentication/Jwt/DefaultKeyFactory.php Normal file
View File

@@ -0,0 +1,50 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
use Espo\Core\Authentication\Jwt\Exceptions\UnsupportedKey;
use Espo\Core\Authentication\Jwt\Keys\Rsa;
use stdClass;
class DefaultKeyFactory implements KeyFactory
{
private const TYPE_RSA = 'RSA';
public function create(stdClass $raw): Key
{
$kty = $raw->kty ?? null;
if ($kty === self::TYPE_RSA) {
return Rsa::fromRaw($raw);
}
throw new UnsupportedKey();
}
}

32
application/Espo/Core/Authentication/Jwt/Exceptions/Expired.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Exceptions;
class Expired extends Invalid {}

34
application/Espo/Core/Authentication/Jwt/Exceptions/Invalid.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Exceptions;
use Exception;
class Invalid extends Exception {}

32
application/Espo/Core/Authentication/Jwt/Exceptions/NotBefore.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Exceptions;
class NotBefore extends Invalid {}

32
application/Espo/Core/Authentication/Jwt/Exceptions/SignatureNotVerified.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Exceptions;
class SignatureNotVerified extends Invalid {}

34
application/Espo/Core/Authentication/Jwt/Exceptions/UnsupportedKey.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Exceptions;
use Exception;
class UnsupportedKey extends Exception {}

39
application/Espo/Core/Authentication/Jwt/Key.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
interface Key
{
public function getKid(): string;
public function getKty(): string;
public function getAlg(): ?string;
}

41
application/Espo/Core/Authentication/Jwt/KeyFactory.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
use Espo\Core\Authentication\Jwt\Exceptions\UnsupportedKey;
use stdClass;
interface KeyFactory
{
/**
* @throws UnsupportedKey
*/
public function create(stdClass $raw): Key;
}

99
application/Espo/Core/Authentication/Jwt/Keys/Rsa.php Normal file
View File

@@ -0,0 +1,99 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Keys;
use Espo\Core\Authentication\Jwt\Key;
use UnexpectedValueException;
use stdClass;
/**
* Immutable.
*/
class Rsa implements Key
{
private string $kid;
private string $kty;
private ?string $alg;
private string $n;
private string $e;
private function __construct(stdClass $raw)
{
$kid = $raw->kid ?? null;
$kty = $raw->kty ?? null;
$alg = $raw->alg ?? null;
$n = $raw->n ?? null;
$e = $raw->e ?? null;
if ($kid === null || $kty === null) {
throw new UnexpectedValueException("Bad JWK value.");
}
if ($n === null || $e === null) {
throw new UnexpectedValueException("Bad JWK RSE key. No `n` or `e` values.");
}
$this->kid = $kid;
$this->kty = $kty;
$this->alg = $alg;
$this->n = $n;
$this->e = $e;
}
public static function fromRaw(stdClass $raw): self
{
return new self($raw);
}
public function getKid(): string
{
return $this->kid;
}
public function getKty(): string
{
return $this->kty;
}
public function getAlg(): ?string
{
return $this->alg;
}
public function getN(): string
{
return $this->n;
}
public function getE(): string
{
return $this->e;
}
}

35
application/Espo/Core/Authentication/Jwt/SignatureVerifier.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
interface SignatureVerifier
{
public function verify(Token $token): bool;
}

35
application/Espo/Core/Authentication/Jwt/SignatureVerifierFactory.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
interface SignatureVerifierFactory
{
public function create(string $algorithm): SignatureVerifier;
}

85
application/Espo/Core/Authentication/Jwt/SignatureVerifiers/Hmac.php Normal file
View File

@@ -0,0 +1,85 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\SignatureVerifiers;
use Espo\Core\Authentication\Jwt\Token;
use Espo\Core\Authentication\Jwt\SignatureVerifier;
use LogicException;
use RuntimeException;
class Hmac implements SignatureVerifier
{
private const SUPPORTED_ALGORITHM_LIST = [
self::HS256,
self::HS384,
self::HS512,
];
private const ALGORITHM_MAP = [
self::HS256 => 'SHA256',
self::HS384 => 'SHA384',
self::HS512 => 'SHA512',
];
private const HS256 = 'HS256';
private const HS384 = 'HS384';
private const HS512 = 'HS512';
private string $algorithm;
private string $key;
public function __construct(
string $algorithm,
string $key
) {
$this->algorithm = $algorithm;
$this->key = $key;
if (!in_array($algorithm, self::SUPPORTED_ALGORITHM_LIST)) {
throw new RuntimeException("Unsupported algorithm $algorithm.");
}
}
public function verify(Token $token): bool
{
$input = $token->getSigningInput();
$signature = $token->getSignature();
$functionAlgorithm = self::ALGORITHM_MAP[$this->algorithm] ?? null;
if (!$functionAlgorithm) {
throw new LogicException();
}
$hash = hash_hmac($functionAlgorithm, $input, $this->key, true);
return $hash === $signature;
}
}

131
application/Espo/Core/Authentication/Jwt/SignatureVerifiers/Rsa.php Normal file
View File

@@ -0,0 +1,131 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\SignatureVerifiers;
use Espo\Core\Authentication\Jwt\Key;
use Espo\Core\Authentication\Jwt\Keys\Rsa as RsaKey;
use Espo\Core\Authentication\Jwt\Token;
use Espo\Core\Authentication\Jwt\SignatureVerifier;
use Espo\Core\Authentication\Jwt\Util;
use LogicException;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Math\BigInteger;
use RuntimeException;
class Rsa implements SignatureVerifier
{
private const SUPPORTED_ALGORITHM_LIST = [
self::RS256,
self::RS384,
self::RS512,
];
private const ALGORITHM_MAP = [
self::RS256 => 'SHA256',
self::RS384 => 'SHA384',
self::RS512 => 'SHA512',
];
private const RS256 = 'RS256';
private const RS384 = 'RS384';
private const RS512 = 'RS512';
private string $algorithm;
/** @var Key[] */
private array $keys;
/**
* @param Key[] $keys
*/
public function __construct(string $algorithm, array $keys)
{
$this->algorithm = $algorithm;
$this->keys = $keys;
if (!in_array($algorithm, self::SUPPORTED_ALGORITHM_LIST)) {
throw new RuntimeException("Unsupported algorithm $algorithm.");
}
}
public function verify(Token $token): bool
{
$input = $token->getSigningInput();
$signature = $token->getSignature();
$kid = $token->getHeader()->getKid();
$functionAlgorithm = self::ALGORITHM_MAP[$this->algorithm] ?? null;
if (!$functionAlgorithm) {
throw new LogicException();
}
$key = array_values(
array_filter($this->keys, fn ($key) => $key->getKid() === $kid)
)[0] ?? null;
if (!$key) {
return false;
}
if (!$key instanceof RsaKey) {
throw new RuntimeException("Wrong key.");
}
$publicKey = openssl_pkey_get_public($this->getPemFromKey($key));
if ($publicKey === false) {
throw new RuntimeException("Bad RSA public key.");
}
$result = openssl_verify($input, $signature, $publicKey, $functionAlgorithm);
if ($result === false) {
throw new RuntimeException("RSA public key verify error: " . openssl_error_string());
}
return $result === 1;
}
private function getPemFromKey(RsaKey $key): string
{
$publicKey = PublicKeyLoader::load([
'n' => new BigInteger('0x' . bin2hex(Util::base64UrlDecode($key->getN())), 16),
'e' => new BigInteger('0x' . bin2hex(Util::base64UrlDecode($key->getE())), 16),
]);
$pem = $publicKey->toString('PKCS8');
if (!is_string($pem)) {
throw new RuntimeException();
}
return $pem;
}
}

112
application/Espo/Core/Authentication/Jwt/Token.php Normal file
View File

@@ -0,0 +1,112 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
use Espo\Core\Authentication\Jwt\Token\Header;
use Espo\Core\Authentication\Jwt\Token\Payload;
use RuntimeException;
/**
* JWT token.
*
* Immutable.
*/
class Token
{
private string $token;
private string $headerPart;
private string $payloadPart;
private string $signaturePart;
private string $headerRaw;
private string $payloadRaw;
private string $signatureRaw;
private Header $header;
private Payload $payload;
private function __construct(string $token)
{
$this->token = $token;
$parts = explode('.', $token);
if (count($parts) < 3) {
throw new RuntimeException("Too few JWT parts.");
}
list($this->headerPart, $this->payloadPart, $this->signaturePart) = $parts;
$this->headerRaw = Util::base64UrlDecode($this->headerPart);
$this->payloadRaw = Util::base64UrlDecode($this->payloadPart);
$this->signatureRaw = Util::base64UrlDecode($this->signaturePart);
$this->header = Header::fromRaw($this->headerRaw);
$this->payload = Payload::fromRaw($this->payloadRaw);
}
public static function create(string $token): self
{
return new self($token);
}
public function getToken(): string
{
return $this->token;
}
public function getSigningInput(): string
{
return $this->headerPart . '.' . $this->payloadPart;
}
public function getHeader(): Header
{
return $this->header;
}
public function getPayload(): Payload
{
return $this->payload;
}
public function getSignature(): string
{
return $this->signatureRaw;
}
public function getHeaderRaw(): string
{
return $this->headerRaw;
}
public function getPayloadRaw(): string
{
return $this->payloadRaw;
}
}

123
application/Espo/Core/Authentication/Jwt/Token/Header.php Normal file
View File

@@ -0,0 +1,123 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Token;
use Espo\Core\Utils\Json;
use RuntimeException;
use JsonException;
use stdClass;
/**
* Immutable.
*/
class Header
{
private string $alg;
private ?string $kid;
/** @var array<string, mixed> */
private array $data;
/**
* @param array<string, mixed> $data
*/
private function __construct(
string $alg,
?string $kid,
array $data
) {
$this->alg = $alg;
$this->kid = $kid;
$this->data = $data;
}
/**
* @return mixed
*/
public function get(string $name)
{
return $this->data[$name] ?? null;
}
public static function fromRaw(string $raw): self
{
$parsed = null;
try {
$parsed = Json::decode($raw);
} catch (JsonException) {}
if (!$parsed instanceof stdClass) {
throw new RuntimeException();
}
$alg = self::obtainFromParsedString($parsed, 'alg');
$kid = self::obtainFromParsedStringNull($parsed, 'kid');
return new self(
$alg,
$kid,
get_object_vars($parsed)
);
}
/** @noinspection PhpSameParameterValueInspection */
private static function obtainFromParsedString(stdClass $parsed, string $name): string
{
$value = $parsed->$name ?? null;
if (!is_string($value)) {
throw new RuntimeException("No or bad `$name` in JWT header.");
}
return $value;
}
/** @noinspection PhpSameParameterValueInspection */
private static function obtainFromParsedStringNull(stdClass $parsed, string $name): ?string
{
$value = $parsed->$name ?? null;
if ($value !== null && !is_string($value)) {
throw new RuntimeException("Bad `$name` in JWT header.");
}
return $value;
}
public function getAlg(): string
{
return $this->alg;
}
public function getKid(): ?string
{
return $this->kid;
}
}

235
application/Espo/Core/Authentication/Jwt/Token/Payload.php Normal file
View File

@@ -0,0 +1,235 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt\Token;
use Espo\Core\Utils\Json;
use RuntimeException;
use JsonException;
use stdClass;
/**
* Immutable.
*/
class Payload
{
private ?string $sub;
private ?string $iss;
/** @var string[] */
private array $aud;
private ?int $exp;
private ?int $iat;
private ?int $nbf;
private ?string $nonce;
private ?int $authTime;
private ?string $sid;
/** @var array<string, mixed> */
private array $data;
/**
* @param string[] $aud
* @param array<string, mixed> $data
*/
private function __construct(
?string $sub,
?string $iss,
array $aud,
?int $exp,
?int $iat,
?int $nbf,
?string $nonce,
?int $authTime,
?string $sid,
array $data
) {
$this->sub = $sub;
$this->iss = $iss;
$this->aud = $aud;
$this->exp = $exp;
$this->iat = $iat;
$this->nbf = $nbf;
$this->nonce = $nonce;
$this->authTime = $authTime;
$this->sid = $sid;
$this->data = $data;
}
public function getSub(): ?string
{
return $this->sub;
}
public function getIss(): ?string
{
return $this->iss;
}
public function getExp(): ?int
{
return $this->exp;
}
public function getIat(): ?int
{
return $this->iat;
}
public function getNbf(): ?int
{
return $this->nbf;
}
/**
* @return string[]
*/
public function getAud(): array
{
return $this->aud;
}
public function getNonce(): ?string
{
return $this->nonce;
}
public function getAuthTime(): ?int
{
return $this->authTime;
}
/** @noinspection PhpUnused */
public function getSid(): ?string
{
return $this->sid;
}
/**
* @return mixed
*/
public function get(string $name)
{
return $this->data[$name] ?? null;
}
public static function fromRaw(string $raw): self
{
$parsed = null;
try {
$parsed = Json::decode($raw);
} catch (JsonException) {}
if (!$parsed instanceof stdClass) {
throw new RuntimeException();
}
$sub = $parsed->sub ?? null;
$iss = $parsed->iss ?? null;
$aud = $parsed->aud ?? null;
$exp = $parsed->exp ?? null;
$iat = $parsed->iat ?? null;
$nbf = $parsed->nbf ?? null;
$nonce = $parsed->nonce ?? null;
$authTime = $parsed->auth_time ?? null;
$sid = $parsed->sid ?? null;
if (is_string($aud)) {
$aud = [$aud];
}
if ($aud === null) {
$aud = [];
}
if ($iss !== null && !is_string($sub)) {
throw new RuntimeException("Bad `sub`.");
}
if ($iss !== null && !is_string($iss)) {
throw new RuntimeException("Bad `iss`.");
}
if (!is_array($aud)) {
throw new RuntimeException("Bad `aud`.");
}
if ($exp !== null && !is_numeric($exp)) {
throw new RuntimeException("Bad `exp`.");
}
if ($iat !== null && !is_numeric($iat)) {
throw new RuntimeException("Bad `iat`.");
}
if ($nbf !== null && !is_numeric($nbf)) {
throw new RuntimeException("Bad `nbf`.");
}
if ($nonce !== null && !is_string($nonce)) {
throw new RuntimeException("Bad `nonce`.");
}
if ($authTime !== null && !is_numeric($authTime)) {
throw new RuntimeException("Bad `auth_time`.");
}
if ($sid !== null && !is_string($sid)) {
throw new RuntimeException("Bad `sid`.");
}
if ($exp !== null) {
$exp = (int) $exp;
}
if ($iat !== null) {
$iat = (int) $iat;
}
if ($nbf !== null) {
$nbf = (int) $nbf;
}
if ($authTime !== null) {
$authTime = (int) $authTime;
}
return new self(
$sub,
$iss,
$aud,
$exp,
$iat,
$nbf,
$nonce,
$authTime,
$sid,
get_object_vars($parsed)
);
}
}

51
application/Espo/Core/Authentication/Jwt/Util.php Normal file
View File

@@ -0,0 +1,51 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
use RuntimeException;
class Util
{
public static function base64UrlDecode(string $string): string
{
$extra = 4 - strlen($string) % 4;
$extra = $extra < 4 ? $extra : 0;
$preparedString = strtr($string . str_repeat('=', $extra), '-_', '+/');
$decoded = base64_decode($preparedString, true);
if ($decoded === false) {
throw new RuntimeException("Base64url decoding error.");
}
return $decoded;
}
}

68
application/Espo/Core/Authentication/Jwt/Validator.php Normal file
View File

@@ -0,0 +1,68 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Jwt;
use Espo\Core\Authentication\Jwt\Exceptions\Expired;
use Espo\Core\Authentication\Jwt\Exceptions\NotBefore;
class Validator
{
private const DEFAULT_TIME_LEEWAY = 60 * 4;
private int $timeLeeway;
private ?int $now;
public function __construct(
?int $timeLeeway = null,
?int $now = null
) {
$this->timeLeeway = $timeLeeway ?? self::DEFAULT_TIME_LEEWAY;
$this->now = $now;
}
/**
* @throws Expired
* @throws NotBefore
*/
public function validate(Token $token): void
{
$exp = $token->getPayload()->getExp();
$nbf = $token->getPayload()->getNbf();
$now = $this->now ?? time();
if ($exp && $exp + $this->timeLeeway <= $now) {
throw new Expired("JWT expired.");
}
if ($nbf && $now < $nbf - $this->timeLeeway) {
throw new NotBefore("JWT used before allowed time.");
}
}
}