I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens. I read RFC 6750. I've got the following doubts:
I would recommend using the following RegEx to check if it's a valid jwt-token:
/Bearer\s((.*)\.(.*)\.(.*))/
and also accessing it with matches[1].
This is the structure of a JWT token, see: https://jwt.io/
1. Improving the security, because if the token is not sent in the header but in the URL, it will be logged by the network system, the server log ....
2. A good function to get Bearer tokens:
/**
 * Get header Authorization
 * */
function getAuthorizationHeader() {
    $headers = null;
    if (isset($_SERVER['Authorization'])) {
        $headers = trim($_SERVER["Authorization"]);
    } elseif (isset($_SERVER['HTTP_AUTHORIZATION'])) { // Nginx or FastCGI
        $headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
    } elseif (function_exists('apache_request_headers')) {
        $requestHeaders = apache_request_headers();
        // Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
        $requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
        //print_r($requestHeaders);
        if (isset($requestHeaders['Authorization'])) {
            $headers = trim($requestHeaders['Authorization']);
        }
    }
    return $headers;
}

/**
 * get access token from header
 * */
function getBearerToken() {
    $headers = getAuthorizationHeader();
    // HEADER: Get the access token from the header
    if (!empty($headers)) {
        if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
            return $matches[1];
        }
    }
    return null;
}
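Both answers above pull the token out with a loose, unanchored regex. As an added example (my own code, not from either answer), here is an extraction that follows the RFC 6750 b64token grammar, plus a check that what came out has the three-segment JWT compact structure before anything is decoded from it; the function names and the sample header value are my own, and the block only parses, it does not verify the signature.

```php
<?php
// Added example, not from either answer above; function names are my own.
// Parsing only: a well-formed JWT still needs its signature verified with a library.
/**
 * Extract the token from an Authorization header value per RFC 6750:
 * "Bearer" (case-insensitive), 1+ spaces, then b64token
 * 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
 * Anchored at both ends so trailing junk or a second credential is rejected.
 */
function extractBearerToken(?string $authorization): ?string
{
    if ($authorization !== null
        && preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', trim($authorization), $m)) {
        return $m[1];
    }
    return null;
}
/**
 * Check the JWT compact form header.payload.signature (three non-empty base64url
 * segments) and decode header and claims; null on any structural problem.
 */
function parseJwtStructure(string $token): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    foreach ($parts as $segment) {
        if (!preg_match('/^[A-Za-z0-9\-_]+$/', $segment)) {   // also rejects empty segments
            return null;
        }
    }
    $decode = function (string $s) {
        $b64 = strtr($s, '-_', '+/');                         // base64url -> base64
        $b64 = str_pad($b64, strlen($b64) + (4 - strlen($b64) % 4) % 4, '=');
        $json = base64_decode($b64, true);
        return $json === false ? null : json_decode($json, true);
    };
    $header = $decode($parts[0]);
    $claims = $decode($parts[1]);
    if (!is_array($header) || !isset($header['alg']) || !is_array($claims)) {
        return null;   // JOSE header must carry "alg"
    }
    return ['header' => $header, 'claims' => $claims, 'signature' => $parts[2]];
}
// Constructed sample: the jwt.io demo header and payload with a dummy signature segment.
$sample = 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
    . 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.c2lnbmF0dXJl';
var_dump(parseJwtStructure(extractBearerToken($sample)));   // header, claims, signature
var_dump(extractBearerToken('Basic dXNlcjpwYXNz'));          // NULL: not a Bearer credential
```

Feed `getAuthorizationHeader()` from the answer above into `extractBearerToken()` if you want to keep that header lookup and only tighten the matching.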