add JWT support

jsteemann · jsteemann · commit 23d7a59c5238 · 2021-04-22T20:41:41.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,18 @@
 
 ## Release notes for the ArangoDB-PHP driver 3.8.x
 
+The driver now supports connecting via JWT if the server's JWT secret is known.
+In order to use a JWT to connect, set the following value in ConnectionOptions:
+```
+$connectionOptions = [
+    ArangoDBClient\ConnectionOptions::OPTION_DATABASE => '_system',              // database name
+    ArangoDBClient\ConnectionOptions::OPTION_ENDPOINT => 'tcp://127.0.0.1:8529', // endpoint to connect to
+    ArangoDBClient\ConnectionOptions::OPTION_AUTH_TYPE => 'Bearer',              // authentication via JWT!
+    ArangoDBClient\ConnectionOptions::OPTION_AUTH_USER => 'root',                // user name
+    ArangoDBClient\ConnectionOptions::OPTION_AUTH_PASSWD => 'jwt-secret-value',  // server's JWT secret value,
+  ];
+```
+
 The driver now supports the following options for document CRUD operations:
 - "overwriteMode"
 - "silent"
diff --git a/lib/ArangoDBClient/Connection.php b/lib/ArangoDBClient/Connection.php
@@ -425,12 +425,28 @@ private function updateHttpHeader()
         }
 
         if (isset($this->_options[ConnectionOptions::OPTION_AUTH_TYPE], $this->_options[ConnectionOptions::OPTION_AUTH_USER])) {
-            // add authorization header
-            $authorizationValue = base64_encode(
-                $this->_options[ConnectionOptions::OPTION_AUTH_USER] . ':' .
-                $this->_options[ConnectionOptions::OPTION_AUTH_PASSWD]
-            );
+            if ($this->_options[ConnectionOptions::OPTION_AUTH_TYPE] == 'Bearer') {
+                // JWT
+                $base = json_encode(['typ' => 'JWT', 'alg' => 'HS256']);
+                $base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($base));
+                $payload = json_encode([
+                    'preferred_username' => $this->_options[ConnectionOptions::OPTION_AUTH_USER],
+                    'iss' => 'arangodb',
+                    'iat' => (int) microtime(true),
+                ]);
+                $base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));
+                $signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $this->_options[ConnectionOptions::OPTION_AUTH_PASSWD], true);
+                $base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));
+                $authorizationValue = $base64UrlHeader . '.' . $base64UrlPayload . '.' . $base64UrlSignature;
+            } else {
+                // HTTP basic authentication
+                $authorizationValue = base64_encode(
+                    $this->_options[ConnectionOptions::OPTION_AUTH_USER] . ':' .
+                    $this->_options[ConnectionOptions::OPTION_AUTH_PASSWD]
+                );
+            }
 
+            // add authorization header
             $this->_httpHeader .= sprintf(
                 'Authorization: %s %s%s',
                 $this->_options[ConnectionOptions::OPTION_AUTH_TYPE],
diff --git a/lib/ArangoDBClient/ConnectionOptions.php b/lib/ArangoDBClient/ConnectionOptions.php
@@ -165,21 +165,11 @@ class ConnectionOptions implements \ArrayAccess
      */
     const OPTION_BATCHSIZE = 'batchSize';
 
-    /**
-     * Wait for sync index constant
-     */
-    const OPTION_JOURNAL_SIZE = 'journalSize';
-
     /**
      * Wait for sync index constant
      */
     const OPTION_IS_SYSTEM = 'isSystem';
 
-    /**
-     * Wait for sync index constant
-     */
-    const OPTION_IS_VOLATILE = 'isVolatile';
-
     /**
      * Authentication user name
      */
@@ -456,9 +446,7 @@ private static function getDefaults()
             self::OPTION_REVISION                => null,
             self::OPTION_WAIT_SYNC               => DefaultValues::DEFAULT_WAIT_SYNC,
             self::OPTION_BATCHSIZE               => null,
-            self::OPTION_JOURNAL_SIZE            => DefaultValues::DEFAULT_JOURNAL_SIZE,
             self::OPTION_IS_SYSTEM               => false,
-            self::OPTION_IS_VOLATILE             => DefaultValues::DEFAULT_IS_VOLATILE,
             self::OPTION_CONNECTION              => DefaultValues::DEFAULT_CONNECTION,
             self::OPTION_TRACE                   => null,
             self::OPTION_ENHANCED_TRACE          => false,
@@ -486,7 +474,7 @@ private static function getDefaults()
      */
     private static function getSupportedAuthTypes()
     {
-        return ['Basic'];
+        return ['Basic', 'Bearer'];
     }
 
     /**
diff --git a/lib/ArangoDBClient/DefaultValues.php b/lib/ArangoDBClient/DefaultValues.php
@@ -51,16 +51,6 @@ abstract class DefaultValues
      */
     const DEFAULT_WAIT_SYNC = false;
 
-    /**
-     * Default value for collection journal size
-     */
-    const DEFAULT_JOURNAL_SIZE = 33554432;
-
-    /**
-     * Default value for isVolatile
-     */
-    const DEFAULT_IS_VOLATILE = false;
-
     /**
      * Default value for createCollection (create the collection on the fly when the first document is added to an unknown collection)
      */
