You are here

public function WardenAPI::isValidWardenToken in Warden 7

Same name and namespace in other branches
  1. 6 warden_api.inc \WardenAPI::isValidWardenToken()

Check the validity of a token sent from Warden.

To prove a request came from the Warden application, Warden encrypts the current timestamp using its private key which can be decrypted with its public key. Only the true Warden can produce the encrypted message. Since it is possible to reply the token, the token only lasts for 20 seconds.

Parameters

string $encryptedRemoteToken: The token sent from the warden site which has been encrypted with Warden's private key.

Return value

bool TRUE if we can trust the token.

File

./warden_api.inc, line 73
The API for communicating with the Warden server application.

Class

WardenAPI
@file The API for communicating with the Warden server application.

Code

public function isValidWardenToken($encryptedRemoteToken, $timestamp) {
  $envelope = json_decode(base64_decode($encryptedRemoteToken));
  if (!is_object($envelope) || empty($envelope->time) || empty($envelope->signature)) {
    return FALSE;
  }
  $remoteTimestamp = base64_decode($envelope->time);
  if (!is_numeric($remoteTimestamp) || $remoteTimestamp > $timestamp + 20 || $remoteTimestamp < $timestamp - 20) {
    return FALSE;
  }
  $result = openssl_verify($remoteTimestamp, base64_decode($envelope->signature), $this
    ->getPublicKey());
  return $result === 1;
}