129 lines
4.3 KiB
PHP
129 lines
4.3 KiB
PHP
|
<?php
|
||
|
|
||
|
|
||
|
namespace Twilio\Jwt;
|
||
|
|
||
|
use Twilio\Jwt\Client\ScopeURI;
|
||
|
|
||
|
/**
|
||
|
* Twilio Capability Token generator
|
||
|
*/
|
||
|
class ClientToken {
|
||
|
public $accountSid;
|
||
|
public $authToken;
|
||
|
/** @var ScopeURI[] $scopes */
|
||
|
public $scopes;
|
||
|
public $clientName;
|
||
|
/** @var string[] $customClaims */
|
||
|
private $customClaims;
|
||
|
|
||
|
/**
|
||
|
* Create a new TwilioCapability with zero permissions. Next steps are to
|
||
|
* grant access to resources by configuring this token through the
|
||
|
* functions allowXXXX.
|
||
|
*
|
||
|
* @param string $accountSid the account sid to which this token is granted
|
||
|
* access
|
||
|
* @param string $authToken the secret key used to sign the token. Note,
|
||
|
* this auth token is not visible to the user of the token.
|
||
|
*/
|
||
|
public function __construct(string $accountSid, string $authToken) {
|
||
|
$this->accountSid = $accountSid;
|
||
|
$this->authToken = $authToken;
|
||
|
$this->scopes = [];
|
||
|
$this->clientName = false;
|
||
|
$this->customClaims = [];
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* If the user of this token should be allowed to accept incoming
|
||
|
* connections then configure the TwilioCapability through this method and
|
||
|
* specify the client name.
|
||
|
*
|
||
|
* @param string $clientName
|
||
|
* @throws \InvalidArgumentException
|
||
|
*/
|
||
|
public function allowClientIncoming(string $clientName): void {
|
||
|
// clientName must be a non-zero length alphanumeric string
|
||
|
if (\preg_match('/\W/', $clientName)) {
|
||
|
throw new \InvalidArgumentException(
|
||
|
'Only alphanumeric characters allowed in client name.');
|
||
|
}
|
||
|
|
||
|
if ($clientName === '') {
|
||
|
throw new \InvalidArgumentException(
|
||
|
'Client name must not be a zero length string.');
|
||
|
}
|
||
|
|
||
|
$this->clientName = $clientName;
|
||
|
$this->allow('client', 'incoming', ['clientName' => $clientName]);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Allow the user of this token to make outgoing connections.
|
||
|
*
|
||
|
* @param string $appSid the application to which this token grants access
|
||
|
* @param mixed[] $appParams signed parameters that the user of this token
|
||
|
* cannot overwrite.
|
||
|
*/
|
||
|
public function allowClientOutgoing(string $appSid, array $appParams = []): void {
|
||
|
$this->allow('client', 'outgoing', [
|
||
|
'appSid' => $appSid,
|
||
|
'appParams' => \http_build_query($appParams, '', '&')
|
||
|
]);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Allow the user of this token to access their event stream.
|
||
|
*
|
||
|
* @param mixed[] $filters key/value filters to apply to the event stream
|
||
|
*/
|
||
|
public function allowEventStream(array $filters = []): void {
|
||
|
$this->allow('stream', 'subscribe', [
|
||
|
'path' => '/2010-04-01/Events',
|
||
|
'params' => \http_build_query($filters, '', '&'),
|
||
|
]);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Allows to set custom claims, which then will be encoded into JWT payload.
|
||
|
*
|
||
|
* @param string $name
|
||
|
* @param string $value
|
||
|
*/
|
||
|
public function addClaim(string $name, string $value): void {
|
||
|
$this->customClaims[$name] = $value;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Generates a new token based on the credentials and permissions that
|
||
|
* previously has been granted to this token.
|
||
|
*
|
||
|
* @param int $ttl the expiration time of the token (in seconds). Default
|
||
|
* value is 3600 (1hr)
|
||
|
* @return string the newly generated token that is valid for $ttl seconds
|
||
|
*/
|
||
|
public function generateToken(int $ttl = 3600): string {
|
||
|
$payload = \array_merge($this->customClaims, [
|
||
|
'scope' => [],
|
||
|
'iss' => $this->accountSid,
|
||
|
'exp' => \time() + $ttl,
|
||
|
]);
|
||
|
$scopeStrings = [];
|
||
|
|
||
|
foreach ($this->scopes as $scope) {
|
||
|
if ($scope->privilege === 'outgoing' && $this->clientName) {
|
||
|
$scope->params['clientName'] = $this->clientName;
|
||
|
}
|
||
|
$scopeStrings[] = $scope->toString();
|
||
|
}
|
||
|
|
||
|
$payload['scope'] = \implode(' ', $scopeStrings);
|
||
|
return JWT::encode($payload, $this->authToken, 'HS256');
|
||
|
}
|
||
|
|
||
|
protected function allow(string $service, string $privilege, array $params): void {
|
||
|
$this->scopes[] = new ScopeURI($service, $privilege, $params);
|
||
|
}
|
||
|
}
|