Merge pull request #348 from opentok/feature/jwt-change

Added legacy transformation, currently no tests for new JWT structure

.github/workflows/build.yml

@@ -6,7 +6,7 @@ jobs:
             - ubuntu-latest
         strategy:
             matrix:
-                php: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2']
+                php: ['8.1', '8.2', '8.3']
         steps:
             - name: Configure Git
               if: ${{ matrix.os == 'windows-latest' }}

composer.json

@@ -33,7 +33,8 @@
         "johnstevenson/json-works": "~1.1",
         "firebase/php-jwt": "^6.0",
         "guzzlehttp/guzzle": "~6.0|~7.0",
-      "ext-json": "*"
+      "ext-json": "*",
+        "vonage/jwt": "^0.5.1"
     },
     "require-dev": {
         "phpunit/phpunit": "^7.4|^8.0",
@@ -55,5 +56,10 @@
             "OpenTok\\": "src/OpenTok",
             "OpenTokTest\\": "tests/OpenTokTest"
         }
+    },
+    "config": {
+        "allow-plugins": {
+            "php-http/discovery": true
+        }
     }
 }

sample/Archiving/README.md

@@ -56,7 +56,7 @@ $app->get('/host', function () use ($app, $sessionId) {
 
     $token = $app->opentok->generateToken($sessionId, array(
         'role' => Role::MODERATOR
-    ));
+    ), true);
 
     $app->render('host.html', array(
         'apiKey' => $app->apiKey,

src/OpenTok/OpenTok.php

@@ -2,10 +2,20 @@
 
 namespace OpenTok;
 
+use DateTimeImmutable;
+use Firebase\JWT\Key;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Encoding\ChainedFormatter;
+use Lcobucci\JWT\Encoding\JoseEncoder;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Token\Builder;
 use OpenTok\Util\Client;
 use OpenTok\Util\Validators;
 use OpenTok\Exception\InvalidArgumentException;
 use OpenTok\Exception\UnexpectedValueException;
+use Ramsey\Uuid\Uuid;
+use Vonage\JWT\TokenGenerator;
 
 /**
 * Contains methods for creating OpenTok sessions, generating tokens, and working with archives.
@@ -19,7 +29,6 @@
 */
 class OpenTok
 {
-
     /** @internal */
     private $apiKey;
     /** @internal */
@@ -104,11 +113,56 @@ public function __construct($apiKey, $apiSecret, $options = array())
      *
      * </ul>
      *
+     * @param bool $legacy By default, OpenTok uses SHA256 JWTs for authentication. Switching
+     * legacy to true will create a deprecated T1 token for backwards compatibility.
+     *
      * @return string The token string.
      */
-    public function generateToken($sessionId, $options = array())
+    public function generateToken(string $sessionId, array $options = array(), bool $legacy = false): string
+    {
+        if ($legacy) {
+            return $this->returnLegacyToken($sessionId, $options);
+        }
+
+        $issuedAt = new \DateTimeImmutable('@' . time());
+
+        $defaults = [
+            'session_id' => $sessionId,
+            'role' => Role::PUBLISHER,
+            'expireTime' => null,
+            'initial_layout_list' => [''],
+            'ist' => 'project',
+            'nonce' => mt_rand(),
+            'scope' => 'session.connect'
+        ];
+
+        $options = array_merge($defaults, array_intersect_key($options, $defaults));
+
+        $builder = new Builder(new JoseEncoder(), ChainedFormatter::default());
+        $builder = $builder->issuedBy($this->apiKey);
+
+        if ($options['expireTime']) {
+            $expiry = new \DateTimeImmutable('@' . $options['expireTime']);
+            $builder = $builder->expiresAt($expiry);
+        }
+
+        unset($options['expireTime']);
+
+        $builder = $builder->issuedAt($issuedAt);
+        $builder = $builder->canOnlyBeUsedAfter($issuedAt);
+        $builder = $builder->identifiedBy(bin2hex(random_bytes(16)));
+
+        foreach ($options as $key => $value) {
+            $builder = $builder->withClaim($key, $value);
+        }
+
+        $token = $builder->getToken(new \Lcobucci\JWT\Signer\Hmac\Sha256(), InMemory::plainText($this->apiSecret));
+
+        return $token->toString();
+    }
+
+    private function returnLegacyToken(string $sessionId, array $options = []): string
     {
-        // unpack optional arguments (merging with default values) into named variables
         $defaults = array(
             'role' => Role::PUBLISHER,
             'expireTime' => null,
@@ -237,7 +291,6 @@ public function createSession($options = array())
         }
 
         if (array_key_exists('e2ee', $options) && $options['e2ee']) {
-
             if (array_key_exists('mediaMode', $options) && $options['mediaMode'] !== MediaMode::ROUTED) {
                 throw new InvalidArgumentException('MediaMode must be routed in order to enable E2EE');
             }
@@ -885,13 +938,13 @@ public function startBroadcast(string $sessionId, array $options = []): Broadcas
             Validators::validateResolution($options['resolution']);
         }
 
-	    if (isset($options['outputs']['hls'])) {
-		    Validators::validateBroadcastOutputOptions($options['outputs']['hls']);
-	    }
+        if (isset($options['outputs']['hls'])) {
+            Validators::validateBroadcastOutputOptions($options['outputs']['hls']);
+        }
 
-		if (isset($options['outputs']['rtmp'])) {
-			Validators::validateRtmpStreams($options['outputs']['rtmp']);
-		}
+        if (isset($options['outputs']['rtmp'])) {
+            Validators::validateRtmpStreams($options['outputs']['rtmp']);
+        }
 
         $defaults = [
             'layout' => Layout::getBestFit(),
@@ -900,11 +953,11 @@ public function startBroadcast(string $sessionId, array $options = []): Broadcas
             'streamMode' => 'auto',
             'resolution' => '640x480',
             'maxBitRate' => 2000000,
-	        'outputs' => [
-				'hls' => [
-	                'dvr' => false,
-					'lowLatency' => false
-				]
+            'outputs' => [
+                'hls' => [
+                    'dvr' => false,
+                    'lowLatency' => false
+                ]
             ]
         ];
 
@@ -1316,8 +1369,7 @@ public function startCaptions(
         ?int $maxDuration = null,
         ?bool $partialCaptions = null,
         ?string $statusCallbackUrl = null
-    ): array
-    {
+    ): array {
         return $this->client->startCaptions(
             $sessionId,
             $token,

src/OpenTok/Session.php

@@ -154,9 +154,9 @@ public function __toString()
      *
      * @return string The token string.
      */
-    public function generateToken($options = array())
+    public function generateToken($options = array(), bool $legacy = false)
     {
-        return $this->opentok->generateToken($this->sessionId, $options);
+        return $this->opentok->generateToken($this->sessionId, $options, $legacy);
     }
 
     /**