JWT token IP restriction

2024-01-09 10:43:07 +01:00 · 2024-01-09 10:43:07 +01:00 · dd83528a3a
parent 0809200827
commit dd83528a3a
3 changed files with 52 additions and 1 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -2,6 +2,7 @@

 namespace App\Http;

+use App\Http\Middleware\AuthenticateJWT;
 use App\Http\Middleware\CustomDomainRestriction;
 use App\Http\Middleware\EmbeddableForms;
 use App\Http\Middleware\IsAdmin;
@ -27,6 +28,7 @@ class Kernel extends HttpKernel
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\SetLocale::class,
+        AuthenticateJWT::class,
        CustomDomainRestriction::class,
    ];

--- a/app/Http/Middleware/AuthenticateJWT.php
+++ b/app/Http/Middleware/AuthenticateJWT.php
@ -0,0 +1,46 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Tymon\JWTAuth\Exceptions\JWTException;
+
+class AuthenticateJWT
+{
+
+    /**
+     * Verifies the JWT token and validates the IP and User Agent
+     * Invalidates token otherwise
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        // Parse JWT Payload
+        try {
+            $payload = \JWTAuth::parseToken()->getPayload();
+        } catch (JWTException $e) {
+            return $next($request);
+        }
+
+        // Validate IP and User Agent
+        if ($payload) {
+            $error = null;
+            if (!\Hash::check($request->ip(), $payload->get('ip'))) {
+                $error = 'Origin IP is invalid';
+            }
+
+            if (!\Hash::check($request->userAgent(), $payload->get('ua'))) {
+                $error = 'Origin User Agent is invalid';
+            }
+
+            if ($error) {
+                auth()->invalidate();
+                return response()->json([
+                    'message' => $error
+                ], 403);
+            }
+        }
+
+        return $next($request);
+    }
+}
--- a/app/Models/User.php
+++ b/app/Models/User.php
@ -194,7 +194,10 @@ class User extends Authenticatable implements JWTSubject
     */
    public function getJWTCustomClaims()
    {
-        return [];
+        return [
+            'ip' => \Hash::make(request()->ip()),
+            'ua' => \Hash::make(request()->userAgent()),
+        ];
    }

    public function getIsRiskyAttribute()