<?php
// Outcome of token validation, initialised to the "no valid token" state.
// The code further down in this file overwrites these only after a token
// has passed every check.
$token_msg = "";    // human-readable reason for the outcome
$token_ok = false;  // becomes true only for an accepted token
$ffflags = 0;       // replaced by the token's "flags" field on success
$ffid = -1;         // replaced by the token's "id" field on success
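/**
 * Validate the claims of a decoded token payload.
 *
 * Three checks run in order and the first failure wins:
 *   1. the marker must equal the first 10 hex characters of
 *      SHA-256(expires . $ffmark);
 *   2. the expiry time must still be in the future;
 *   3. the IP recorded in the token must equal the caller's IP.
 *
 * On failure the reason is written to the global $token_msg. The original
 * code assigned a function-local $token_msg, so the reason never reached
 * the including script.
 *
 * NOTE(review): the marker is truncated to 10 hex characters (40 bits), so it
 * is a weak integrity tag on its own. This function presumably relies on the
 * caller having verified the full token signature first; confirm that for
 * every call site.
 *
 * @param mixed $obj Decoded payload; expected to be an object carrying
 *                   `expires`, `marker` and `ip`. Anything else is rejected.
 * @param mixed $ip  Address the token must be bound to (compared as a string).
 *
 * @return bool True when all three checks pass, false otherwise.
 */
function check($obj, $ip)
{
    // $ffmark is the server-side marker secret; it is not assigned in this file.
    global $ffmark, $token_msg;

    // json_decode() yields null (or a non-object) for malformed payloads, and
    // attacker-supplied JSON may omit fields or give them unexpected types.
    if (!is_object($obj)
        || !isset($obj->expires, $obj->marker, $obj->ip)
        || !is_scalar($obj->expires)
        || !is_string($obj->marker)
        || !is_scalar($obj->ip))
    {
        $token_msg = "Token payload is malformed.";
        return false;
    }

    $marker = substr(hash('sha256', '' . $obj->expires . $ffmark), 0, 10);

    // hash_equals() compares in constant time and never applies PHP's loose
    // numeric-string comparison, under which two different digests of the
    // form "0e<digits>" compare as equal with ==/!=.
    if (!hash_equals($marker, $obj->marker))
    {
        $token_msg = "Token not marked by this server.";
        return false;
    }

    // A non-numeric expiry cannot be compared meaningfully; treat it as expired.
    if (!is_numeric($obj->expires) || time() >= $obj->expires)
    {
        $token_msg = "Token has expired.";
        return false;
    }

    // Strict string comparison: the token is only valid from the address it
    // was issued to.
    if ((string) $obj->ip !== (string) $ip)
    {
        $token_msg = "Token IP does not match REMOTE_ADDR.";
        return false;
    }

    return true;
}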
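// Inputs: the peer address PHP saw and the raw FF-Token request header.
// Both default to "" so a request without the header fails validation
// instead of raising undefined-index warnings.
// NOTE(review): behind a reverse proxy or load balancer REMOTE_ADDR is the
// proxy's address, so every client shares one value and the IP binding in
// check() stops distinguishing them. Confirm the deployment topology.
$ip = $_SERVER["REMOTE_ADDR"] ?? "";
$authData = $_SERVER['HTTP_FF_TOKEN'] ?? "";

// The header is base64 over ciphertext. decrypt() and $ffkey are not defined
// in this file; the plaintext is expected to be "<hdr>.<payload>.<sig>" padded
// with NUL bytes.
$ct = base64_decode($authData);
$dt = decrypt( $ct, $ffkey );
$dt = trim((string) $dt, "\0");
$a = explode(".", $dt);

if (count($a) < 3)
{
    // Not a three-part token, so there is no signature to verify.
    $token_msg = "Token signature invalid.";
}
else
{
    $hdr = base64_decode($a[0]);
    $payload = base64_decode($a[1]);

    // NOTE(review): the tag is SHA-256 over hdr . payload . key, not an HMAC,
    // and it reuses the key that was passed to decrypt(). Moving to
    // hash_hmac() with a separate key would need the token issuer changed in
    // lockstep, so the construction is left as-is here.
    $sig = hash('sha256', $hdr.$payload.$ffkey);

    // hash_equals() is constant-time and immune to PHP's loose comparison of
    // numeric-looking strings ("0e123..." == "0e456..." is true with ==).
    if (hash_equals($sig, $a[2]))
    {
        $obj = json_decode($payload);

        // json_decode() returns null on malformed JSON; never hand that to check().
        if (is_object($obj) && check($obj, $ip))
        {
            $ffid = $obj->id;
            $ffflags = $obj->flags;
            $token_ok = true;
            $token_msg = "Good to go.";
        }
        elseif ($token_msg === "")
        {
            // Make sure a rejection always carries some reason.
            $token_msg = "Token rejected.";
        }
    }
    else $token_msg = "Token signature invalid.";
}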
?>