PHP API using JWT

Author: eneshamzaj328

.gitignore

@@ -0,0 +1 @@
+/vendor/

auth/.htaccess

@@ -0,0 +1,2 @@
+RewriteEngine on
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

auth/classes/auth.php

@@ -0,0 +1,59 @@
+<?php
+
+$my_country_timezone = 'Europe/Tirane';
+
+date_default_timezone_set($my_country_timezone);
+
+include '../vendor/autoload.php';
+include '../controllers/helpers/date_time.php';
+
+
+use \Firebase\JWT\JWT;
+use \Firebase\JWT\Key;
+
+
+class Auth extends DateTimeLocal
+{
+    private $privateKey = 'My_Private_Key';
+
+    public function jwt_encode($payload, string $sslcode = 'HS256')
+    {
+        $json_web_token = JWT::encode($payload, $this->privateKey, $sslcode);
+
+        return $json_web_token;
+    }
+
+    public function jwt_decode($payload, string $sslcode = 'HS256')
+    {
+        $jwt_user_data = JWT::decode($payload, new Key($this->privateKey, $sslcode));
+
+        return $jwt_user_data;
+    }
+
+    public function get_user_data()
+    {
+        $headers = getallheaders();
+        $user_data = $headers['Authentication'];
+        echo $user_data;
+    }
+
+    public function generate_token(int $user_id, string $user_role)
+    {
+        $expire = $this->set_expire_time(30);
+        $expiration_time = $expire;
+
+        // jwt payload
+        $payload = [
+            'id' => $user_id,
+            'user_role' => $user_role,
+            "exp" => $expiration_time
+        ];
+
+        // Encode the token payload with JWT secret key
+        $token = $this->jwt_encode($payload, 'HS256');
+
+        return $token;
+    }
+}
+
+$auth = new Auth();

auth/delete.php

@@ -0,0 +1,94 @@
+<?php
+
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Allow-Method: POST');
+header('Content-Type: application/json; Charset=UTF-8');
+
+require '../classes/crud_actions.php';
+include '../auth/classes/auth.php';
+
+$obj = new CRUD();
+
+if ($_SERVER["REQUEST_METHOD"] !== "POST") {
+    echo json_encode([
+        'status' => 0,
+        'message' => 'Access Denied!'
+    ]);
+
+    die();
+}
+
+$data = json_decode(file_get_contents("php://input"));
+
+$id = null;
+if (!$data && isset($_GET['id'])) {
+    $id = $_GET['id'];
+} else {
+    $id = $data->id;
+}
+
+if ($id === null) die('Something went wrong while trying to delete theres no id!');
+
+$headers = getallheaders();
+
+$json_web_token = $headers['Authorization'] ?? [];
+// echo $json_web_token;
+if (!$headers || !$json_web_token) {
+    http_response_code(500);
+    echo json_encode(['status' => 0, 'message' => 'Server error!']);
+    die();
+}
+
+// check if logged user/person is admin
+$user_data = $auth->jwt_decode($json_web_token, 'HS256');
+$data = $user_data->data;
+$user_role = $data->user_role;
+
+// check if the user exist before deleting it
+$user_data = $obj->userExists($id, '', true);
+
+if ($user_data && $user_role !== 'admin') {
+    http_response_code(403);
+
+    echo json_encode([
+        'status' => 0,
+        'message' => 'You have no authorization to this particular action!'
+    ]);
+
+    die();
+}
+
+
+if (!$user_data) {
+    http_response_code(500);
+
+    $resMsg = empty($user_data) > 0 ? 'User does not exists!' : 'User has been deleted! User not founded.';
+
+    echo json_encode([
+        'status' => 0,
+        'message' => $resMsg
+    ]);
+
+    die();
+}
+
+
+// delete user
+$obj->delete("users", "id = {$id}");
+$result = $obj->getResult();
+
+if (!$result[2]['delete']) {
+    echo json_encode([
+        'status' => 0,
+        'message' => 'Something went wrong! Server problem.'
+    ]);
+
+    exit();
+}
+
+
+$successMsg = 'User ' . ($id ? ':' . $id . ', ' : '') . 'deleted successfully!';
+echo json_encode([
+    'status' => 1,
+    'message' => $successMsg
+]);

auth/error/403.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>403 Not Authorized!</title>
+</head>
+
+<body>
+    <p>No premission / Access Denied!</p> <br />
+    <a href="../login-user.php">Login to Continue.</a> <br />
+    <a href="../../products/all-products.php">Homepage</a>
+</body>
+
+</html>

auth/login.php

@@ -0,0 +1,125 @@
+<?php
+
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Allow-Method: POST');
+header('Content-Type: application/json; Charset=UTF-8');
+
+require '../classes/crud_actions.php';
+include '../auth/classes/auth.php';
+
+$obj = new CRUD();
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    echo json_encode([
+        'status' => 0,
+        'message' => 'Access Denied',
+    ]);
+
+    unset($_COOKIE['jwt_token']);
+
+    die();
+}
+
+$data = json_decode(file_get_contents("php://input"), true);
+
+$uid = htmlentities($data['uid'] ?? $data['username']);
+
+$username = '';
+$email = '';
+
+if (gettype($uid) === 'string') {
+    if (!str_contains($uid, '@')) {
+        $username = $uid;
+    } else {
+        $email = $uid;
+    }
+}
+
+$password = htmlentities($data['password']);
+
+if (!$obj->userExists($username, $email)) {
+    http_response_code(500);
+
+    echo json_encode([
+        'status' => 0,
+        'message' => 'User does not Exists!',
+    ]);
+
+    die();
+}
+
+$obj->select('users', '*', null, "username='$username' OR email='$email'", null, null);
+$data = $obj->userExists($username, $email, true);
+
+// user login token time-left to expire
+$exp_login_token_time = $datetime->set_expire_time(60);
+$login_token_time_to_exp = $exp_login_token_time['time'];
+$login_token_time_tostr = $exp_login_token_time['time_to_str'];
+
+# Only when debugging: echo $login_token_time_tostr;
+
+$id = $data['id'] ?? '';
+$name = $data['name'];
+$surname = $data['surname'];
+$username = $data['username'] ?? '';
+$email = $data['email'] ?? '';
+$user_password = $data['password'] ?? '';
+$user_role = $data['role'] ?? '';
+
+if (!password_verify($password, $user_password)) {
+    echo json_encode([
+        'status' => 0,
+        'message' => 'Invalid Credentials',
+    ]);
+
+    exit();
+}
+
+$payload = [
+    'iss' => 'localhost',
+    'aud' => 'localhost',
+    'exp' => $login_token_time_to_exp, // 30min
+    'data' => [
+        'id' => $id,
+        'name' => $name,
+        'surname' => $surname,
+        'username' => $username,
+        'email' => $email,
+        'user_role' => $user_role
+    ]
+];
+
+
+$json_web_token = $auth->jwt_encode($payload, 'HS256');
+
+$cookie_params = [
+    'expires' => $login_token_time_to_exp,
+    'path' => '/',
+    'secure' => true,
+    // 'httponly' => true,
+    'samesite' => 'Strict'
+];
+
+echo json_encode([
+    'status' => 1,
+    'user' => [
+        'name' => $name,
+        'surname' => $surname
+    ],
+    // 'jwt' => $json_web_token, // only if you want to manipulate token in front_end 
+    'message' => 'Login Successfully!',
+]);
+
+if (isset($_COOKIE['jwt_token']) && !empty($_COOKIE['jwt_token'])) exit();
+
+setcookie('jwt_token', $json_web_token, $cookie_params);
+
+if ($user_role === 'admin') {
+    setcookie('user_role', $user_role,  [
+        'expires' => $login_token_time_to_exp,
+        'path' => '/',
+        'secure' => true,
+        'httponly' => true,
+        'samesite' => 'Strict'
+    ]);
+}

auth/logout.php

@@ -0,0 +1,69 @@
+<?php
+
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Allow-Method: POST');
+header('Content-Type: application/json; Charset=UTF-8');
+
+require '../auth/classes/auth.php';
+
+// Handle logout request
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    http_response_code(500);
+    echo json_encode([
+        'status' => 0,
+        'message' => 'Access Denied'
+    ]);
+    exit();
+}
+
+
+$data = json_decode(file_get_contents("php://input", true));
+
+// Retrieve JWT token from Authorization header
+$auth_header = $_SERVER['HTTP_AUTHORIZATION'];
+$token = $auth_header;
+
+if (str_contains($token, 'Bearer')) {
+    $token = str_replace('Bearer ', '', $token);
+}
+
+if (!$token) {
+    // Return response indicating no JWT token was present
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(array('message' => 'No JWT token present'));
+
+    die();
+}
+
+
+// Decode JWT token
+$payload = $auth->jwt_decode($token);
+
+// Set expiration time to a date in the past
+$payload->exp = strtotime('-1 day');
+
+// Encode modified payload back into a new JWT token
+$new_token = $auth->jwt_encode((array) $payload);
+
+// Return response indicating logout was successful
+header('Content-Type: application/json');
+
+
+$cookie_params = [
+    'expires' => time() + 1,
+    'path' => '/',
+    'secure' => true,
+    // 'httponly' => true,
+    'samesite' => 'Strict'
+];
+
+setcookie('jwt_token', '', $cookie_params);
+unset($_COOKIE['jwt_token']);
+setcookie('user_role', '', $cookie_params);
+
+if (isset($_COOKIE['jwt_token'])) {
+    die();
+}
+
+echo json_encode(['status' => 1, 'message' => 'You have been, Logged Out!']);