Nodarx/server
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Initial Version

Browse Source
This commit is contained in:
root
2025-12-21 10:09:54 -05:00
commit 2fbddd7dbc
366 changed files with 41999 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
core/lib/Service/SecurityService.php Normal file
View File

@@ -0,0 +1,202 @@
<?php
declare(strict_types=1);
namespace KTXC\Service;
use KTXC\Http\Request\Request;
use KTXC\Models\Identity\User;
use KTXC\SessionTenant;
/**
* Security Service
*
* Handles request-level authentication (token validation).
* Authentication orchestration is handled by AuthenticationManager.
*
* This service is used by the Kernel to authenticate incoming requests.
*/
class SecurityService
{
private string $securityCode;
public function __construct(
private readonly TokenService $tokenService,
private readonly UserService $userService,
private readonly SessionTenant $sessionTenant
) {
$this->securityCode = $this->sessionTenant->configuration()->security()->code();
}
/**
* Authenticate a request and return the user if valid
*
* @param Request $request The HTTP request to authenticate
* @return User|null The authenticated user, or null if not authenticated
*/
public function authenticate(Request $request): ?User
{
$authorization = $request->headers->get('Authorization');
$cookieToken = $request->cookies->get('accessToken');
// Cookie token takes precedence
if ($cookieToken) {
return $this->authenticateJWT($cookieToken);
}
if ($authorization) {
if (str_starts_with($authorization, 'Bearer ')) {
$token = substr($authorization, 7);
return $this->authenticateBearer($token);
}
if (str_starts_with($authorization, 'Basic ')) {
$decoded = base64_decode(substr($authorization, 6) ?: '', true);
if ($decoded !== false) {
[$identity, $secret] = array_pad(explode(':', $decoded, 2), 2, null);
if ($identity !== null && $secret !== null) {
return $this->authenticateBasicHeader($identity, $secret);
}
}
}
}
return null;
}
/**
* Authenticate JWT token from cookie or header
*/
public function authenticateJWT(string $token): ?User
{
$payload = $this->tokenService->validateToken($token, $this->securityCode);
if (!$payload) {
return null;
}
// Verify user still exists
if ($this->userService->fetchByIdentifier($payload['identifier']) === null) {
return null;
}
$user = new User();
$user->populate($payload, 'jwt');
return $user;
}
/**
* Authenticate Bearer token
*/
public function authenticateBearer(string $token): ?User
{
return $this->authenticateJWT($token);
}
/**
* Authenticate HTTP Basic header (for API access)
* Note: This is for request authentication, not login
*/
private function authenticateBasicHeader(string $identity, string $credentials): ?User
{
// For Basic auth headers, we need to validate against the provider
// This is a simplified flow for API access
$provider = $this->providerRegistry->resolve('default');
if ($provider === null) {
return null;
}
$result = $provider->authenticate($identity, $credentials);
if (!$result->isSuccess()) {
return null;
}
return $this->getUserByIdentity($identity);
}
// =========================================================================
// Token Operations (delegated to AuthenticationManager for new flows)
// These are kept for backwards compatibility during transition
// =========================================================================
/**
* @deprecated Use AuthenticationManager::createTokens() instead
*/
public function createAccessToken(array $payload): string
{
return $this->tokenService->createToken($payload, $this->securityCode, 900);
}
/**
* @deprecated Use AuthenticationManager::createTokens() instead
*/
public function createRefreshToken(array $payload): string
{
$refreshPayload = [
'tenant' => $payload['tenant'] ?? null,
'identifier' => $payload['identifier'],
'identity' => $payload['identity'],
'type' => 'refresh'
];
return $this->tokenService->createToken($refreshPayload, $this->securityCode, 604800);
}
/**
* @deprecated Use AuthenticationManager::refreshAccessToken() instead
*/
public function validateRefreshToken(string $refreshToken): ?User
{
$payload = $this->tokenService->validateToken($refreshToken, $this->securityCode);
if (!$payload) {
return null;
}
if (!isset($payload['type']) || $payload['type'] !== 'refresh') {
return null;
}
$identifier = $payload['identifier'] ?? null;
if (!$identifier || $this->providerRegistry->validateUser($identifier) === false) {
return null;
}
$user = new User();
$user->populate([
'identifier' => $payload['identifier'],
'identity' => $payload['identity'],
'tenant' => $payload['tenant'] ?? null,
], 'jwt');
return $user;
}
/**
* @deprecated Use AuthenticationManager::logout() instead
*/
public function logout(?string $jti = null, ?int $exp = null): void
{
if ($jti !== null) {
$expiresAt = $exp ?? (time() + 86400);
$this->tokenService->blacklist($jti, $expiresAt);
}
}
/**
* @deprecated Use AuthenticationManager::logoutAll() instead
*/
public function logoutAllDevices(string $identity): void
{
$this->tokenService->blacklistUserTokensBefore($identity, time());
}
/**
* Extract token claims (for logout to get jti/exp)
*/
public function extractTokenClaims(string $token): ?array
{
return $this->tokenService->validateToken($token, $this->securityCode, checkBlacklist: false);
}
}