NFC-102 Web eID for Mobile authentication support for web-eid

Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>

Author: SanderKondratjevNortal

example/src/Auth.php

@@ -1,6 +1,27 @@
 <?php
 
-use web_eid\web_eid_authtoken_validation_php\authtoken\WebEidAuthToken;
+/*
+ * Copyright (c) 2025-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 use web_eid\web_eid_authtoken_validation_php\challenge\ChallengeNonceStore;
 use web_eid\web_eid_authtoken_validation_php\exceptions\AuthTokenParseException;
 use web_eid\web_eid_authtoken_validation_php\exceptions\ChallengeNonceExpiredException;
@@ -43,6 +64,7 @@ public function getNonce()
     public function validate()
     {
         $this->ctx->assertCsrf();
+        $this->ctx->assertJsonContentType();
         $authToken = file_get_contents("php://input");
 
         try {
@@ -55,17 +77,22 @@ public function validate()
                 $challengeNonce->getBase64EncodedNonce()
             );
 
+            session_regenerate_id();
+
             echo json_encode([
                 "sub" => $subjectName
             ]);
         } catch (ChallengeNonceExpiredException) {
-            http_response_code(400);
+            unset($_SESSION["auth-user"]);
+            http_response_code(401);
             echo "Challenge nonce not found or expired";
         } catch (ChallengeNonceNotFoundException) {
-            http_response_code(400);
+            unset($_SESSION["auth-user"]);
+            http_response_code(401);
             echo "Challenge nonce not found";
         } catch (AuthTokenParseException) {
-            http_response_code(400);
+            unset($_SESSION["auth-user"]);
+            http_response_code(401);
             echo "Invalid authentication token";
         }
     }

example/src/AuthContext.php

@@ -1,5 +1,27 @@
 <?php
 
+/*
+ * Copyright (c) 2025-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 use web_eid\web_eid_authtoken_validation_php\authtoken\WebEidAuthToken;
 use web_eid\web_eid_authtoken_validation_php\certificate\CertificateData;
 use web_eid\web_eid_authtoken_validation_php\certificate\CertificateLoader;
@@ -27,6 +49,11 @@ public function mobileBaseUrl(): string
         return rtrim($this->config->get('mobile_base_url'), '/');
     }
 
+    public function mobileRequestSigningCert(): bool
+    {
+        return (bool) $this->config->get('mobile_request_signing_cert');
+    }
+
     /**
      * @throws AuthTokenParseException
      */
@@ -68,6 +95,25 @@ public function assertCsrf(bool $jsonError = true): void
         }
     }
 
+    public function assertJsonContentType(bool $jsonError = true): void
+    {
+        $contentType = $_SERVER['CONTENT_TYPE'] ?? '';
+
+        if (!str_starts_with(strtolower($contentType), 'application/json')) {
+            http_response_code(415);
+
+            if ($jsonError) {
+                echo json_encode([
+                    "error" => "Content-Type must be application/json"
+                ]);
+            } else {
+                echo "Invalid Content-Type, expected application/json";
+            }
+            exit;
+        }
+    }
+
+
     public function trustedIntermediateCACertificates(): array
     {
         $directory = __DIR__ . "/../certificates/";
@@ -89,7 +135,7 @@ public function tokenValidator(): AuthTokenValidator
         return (new AuthTokenValidatorBuilder($logger))
             ->withSiteOrigin(new Uri($this->config->get('origin_url')))
             ->withTrustedCertificateAuthorities(...$this->trustedIntermediateCACertificates())
-            ->withoutUserCertificateRevocationCheckWithOcsp() // TODO TEST CARDS
+            ->withOcspRequestTimeout(5)
             ->build();
     }
 

example/src/Config.php

@@ -36,7 +36,7 @@ public static function fromArray($configArr)
     public function overrideFromEnv()
     {
         foreach ($this->configArr as $key => $value) {
-            $envKey = 'WEB_EID_SAMPLE_'.strtoupper($key);
+            $envKey = 'WEB_EID_SAMPLE_ORIGIN_URL'.strtoupper($key);
             $envValue = getenv($envKey);
             if ($envValue !== false) {
                 $this->configArr[$key] = $envValue;
@@ -50,4 +50,4 @@ public function get($name)
     {
         return isset ($this->configArr[$name]) ? $this->configArr[$name] : null;
     }
-}
+}

example/src/MobileAuth.php

@@ -1,6 +1,27 @@
 <?php
 
-use web_eid\web_eid_authtoken_validation_php\authtoken\WebEidAuthToken;
+/*
+ * Copyright (c) 2025-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 use web_eid\web_eid_authtoken_validation_php\challenge\ChallengeNonceStore;
 
 final class MobileAuth
@@ -20,20 +41,25 @@ public function init(): void
         $payload = [
             "challenge" => $challenge->getBase64EncodedNonce(),
             "login_uri" => $this->ctx->originUrl() . "/auth/mobile/login",
-            "get_signing_certificate" => true
+            "get_signing_certificate" => $this->ctx->mobileRequestSigningCert()
         ];
 
-        $authUri =
-            $this->ctx->mobileBaseUrl() .
-            "//auth#" .
-            base64_encode(json_encode($payload));
+        $baseUrl = $this->ctx->mobileBaseUrl();
+        $encodedPayload = base64_encode(json_encode($payload));
+
+        if (str_starts_with($baseUrl, 'http')) {
+            $authUri = rtrim($baseUrl, '/') . '/auth#' . $encodedPayload;
+        } else {
+            $authUri = rtrim($baseUrl, '/') . '//auth#' . $encodedPayload;
+        }
 
         echo json_encode(["auth_uri" => $authUri]);
     }
 
     public function login(): void
     {
         $this->ctx->assertCsrf();
+        $this->ctx->assertJsonContentType();
 
         $json = json_decode(file_get_contents("php://input"), true);
         if (!isset($json["auth_token"])) {
@@ -50,10 +76,16 @@ public function login(): void
                 $nonce->getBase64EncodedNonce()
             );
 
+            session_regenerate_id();
+
             echo json_encode(["redirect" => "/welcome"]);
-        } catch (Exception $e) {
-            http_response_code(400);
-            echo json_encode(["error" => "Validation failed"]);
+        } catch (Throwable $e) {
+            error_log("Authentication failed: " . $e->getMessage());
+
+            unset($_SESSION["auth-user"]);
+
+            http_response_code(401);
+            echo json_encode(["error" => "Authentication failed"]);
         }
     }
 }

example/src/app.conf.php

@@ -1,7 +1,7 @@
 <?php
 
 return [
-    'origin_url' => 'https://157937465d58.ngrok-free.app',
+    'origin_url' => 'https://localhost',
     'mobile_base_url' => 'web-eid-mobile://',
     'mobile_request_signing_cert' => false
-];
+];

src/authtoken/SupportedSignatureAlgorithm.php

@@ -22,6 +22,8 @@
  * SOFTWARE.
  */
 
+declare(strict_types=1);
+
 namespace web_eid\web_eid_authtoken_validation_php\authtoken;
 
 class SupportedSignatureAlgorithm
@@ -45,31 +47,16 @@ public function getCryptoAlgorithm(): string
         return $this->cryptoAlgorithm;
     }
 
-    public function setCryptoAlgorithm(string $cryptoAlgorithm): void
-    {
-        $this->cryptoAlgorithm = $cryptoAlgorithm;
-    }
-
     public function getHashFunction(): string
     {
         return $this->hashFunction;
     }
 
-    public function setHashFunction(string $hashFunction): void
-    {
-        $this->hashFunction = $hashFunction;
-    }
-
     public function getPaddingScheme(): string
     {
         return $this->paddingScheme;
     }
 
-    public function setPaddingScheme(string $paddingScheme): void
-    {
-        $this->paddingScheme = $paddingScheme;
-    }
-
     public static function fromArray(array $data): self
     {
         return new self(
@@ -87,4 +74,4 @@ public function toArray(): array
             'paddingScheme' => $this->paddingScheme,
         ];
     }
-}
+}

src/authtoken/WebEidAuthToken.php

@@ -49,7 +49,7 @@ class WebEidAuthToken
      */
     private ?string $format = null;
     /**
-     * @var string Unverfied signing certificate
+     * @var string Unverified signing certificate
      */
     private ?string $unverifiedSigningCertificate = null;
 

src/certificate/CertificateLoader.php

@@ -26,10 +26,11 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\certificate;
 
-use SodiumException;
 use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateDecodingException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\AuthTokenParseException;
 use phpseclib3\File\X509;
 use BadFunctionCallException;
+use Throwable;
 
 final class CertificateLoader
 {
@@ -61,27 +62,18 @@ public static function loadCertificatesFromResources(string ...$resourceNames):
         return $caCertificates;
     }
 
-    /**
-     * @throws CertificateDecodingException
-     */
-    public static function decodeCertificateFromBase64(string $base64): X509
+    public static function decodeCertificateFromBase64(?string $base64, string $fieldName = 'certificate'): X509
     {
-        $cert = new X509();
-
-        if (!str_starts_with($base64, '-----BEGIN CERTIFICATE-----')) {
-            $base64 = "-----BEGIN CERTIFICATE-----\n" .
-                chunk_split($base64, 64) .
-                "-----END CERTIFICATE-----\n";
+        if ($base64 === null || $base64 === '') {
+            throw new AuthTokenParseException("'{$fieldName}' field is missing, null or empty");
         }
-
+        $cert = new X509();
         try {
             if (!$cert->loadX509($base64)) {
-                throw new CertificateDecodingException(
-                    "unverifiedSigningCertificate is not base64 encoded");
+                throw new CertificateDecodingException("'{$fieldName}' decode failed");
             }
-        } catch (SodiumException) {
-            throw new CertificateDecodingException(
-                "unverifiedSigningCertificate is not base64 encoded");
+        } catch (Throwable) {
+            throw new CertificateDecodingException("'{$fieldName}' decode failed");
         }
 
         return $cert;