public function WardenAPI::isValidWardenToken in Warden 6
Same name and namespace in other branches
- 7 warden_api.inc \WardenAPI::isValidWardenToken()
Check the validity of a token sent from Warden.
To prove a request came from the Warden application, Warden encrypts the current timestamp using its private key which can be decrypted with its public key. Only the true Warden can produce the encrypted message. Since it is possible to reply the token, the token only lasts for 20 seconds.
Parameters
string $encryptedRemoteToken: The token sent from the warden site which has been encrypted with Warden's private key.
Return value
bool TRUE if we can trust the token.
File
- ./
warden_api.inc, line 73 - The API for communicating with the Warden server application.
Class
- WardenAPI
- @file The API for communicating with the Warden server application.
Code
public function isValidWardenToken($encryptedRemoteToken, $timestamp) {
$envelope = json_decode(base64_decode($encryptedRemoteToken));
if (!is_object($envelope) || empty($envelope->time) || empty($envelope->signature)) {
return FALSE;
}
$remoteTimestamp = base64_decode($envelope->time);
if (!is_numeric($remoteTimestamp) || $remoteTimestamp > $timestamp + 20 || $remoteTimestamp < $timestamp - 20) {
return FALSE;
}
$result = openssl_verify($remoteTimestamp, base64_decode($envelope->signature), $this
->getPublicKey());
return $result === 1;
}