feat(Secret): Protect jwt key for env('APP_SECRET_KEY')

1. use sha1 to Protect jwt key for env('APP_SECRET_KEY').
2. Add Advanced Login Options support in jwt payload.
3. isMaxUserSessionsReached() will only check those no-exist session.

CHANGELOG.md

@@ -14,6 +14,7 @@
 - **User:** Fix User Class miss in string format (3680444)
 
 ### Refactor
+- **Auth/JWT:** Better for auth by JWT (36f49a0)
 - **Config:** Remove params `$throw` in Config()->get() (706cc9a)
 - **RateLimit:** Change last param of isRateLimitHit and rate limit store Namespace (4dd571d)
 - **Site:** Simple Category Detail get function (ffa6855)

apps/models/form/Auth/UserLoginForm.php

@@ -34,16 +34,6 @@ class UserLoginForm extends Validator
 
     private $self;
 
-    // Key Information of User Session
-    private $sessionLength = 64;
-
-    // Cookie
-    private $cookieExpires = 0x7fffffff;
-    private $cookiePath = '/';
-    private $cookieDomain = '';
-    private $cookieSecure = false;  // Notice : Only change this value when you first run !!!!
-    private $cookieHttpOnly = true;
-
     private $jwt_payload;
 
     protected $_autoload_data = true;
@@ -134,7 +124,7 @@ protected function loadUserFromPdo()
     /** @noinspection PhpUnused */
     protected function isMaxUserSessionsReached()
     {
-        $exist_session_count = app()->pdo->createCommand('SELECT COUNT(`id`) FROM `user_session_log` WHERE uid = :uid AND expired = 0')->bindParams([
+        $exist_session_count = app()->pdo->createCommand('SELECT COUNT(`id`) FROM `user_session_log` WHERE uid = :uid AND expired = -1')->bindParams([
             'uid' => $this->self['id']
         ])->queryScalar();
 
@@ -178,22 +168,25 @@ private function createUserSession()
             'jti' => $jti,
         ];
 
-        $cookieExpire = $this->cookieExpires;
-        if ($this->logout === 'yes') {
-            $payload['exp'] = $cookieExpire = $timenow + 15 * 60;  // 15 minutes
+        $cookieExpire = 0x7fffffff;  // for never
+        if ($this->logout === 'yes' || config('security.auto_logout') > 1) {
+            $cookieExpire = $timenow + 15 * 60;  // for 15 minutes
         }
+        $payload['exp'] = $cookieExpire;
 
         // Custom Payload key
         $payload['user_id'] = $this->self['id'];  // Store User Id so we can quick load their information
-        if ($this->securelogin === 'yes') $payload['secure_login_ip'] = sprintf('%08x', crc32($login_ip));  // Store User Login IP ( in CRC32 format )
-        if ($this->ssl) $payload['ssl'] = true;  // FIXME Check if site support this feature , Store User want full ssl protect
+        if ($this->securelogin === 'yes' || config('security.secure_login') > 1)
+            $payload['secure_login_ip'] = sprintf('%08x', crc32($login_ip));  // Store User Login IP ( in CRC32 format )
+        if ($this->ssl || config('security.ssl_login') > 1)
+            $payload['ssl'] = true;  // Store User want full ssl protect
 
         // Generate JWT content
         $this->jwt_payload = $payload;
         $jwt = JWTHelper::encode($payload);
 
         // Sent JWT content AS Cookie
-        app()->response->setCookie(Constant::cookie_name, $jwt, $cookieExpire, $this->cookiePath, $this->cookieDomain, $this->cookieSecure, $this->cookieHttpOnly);
+        app()->response->setCookie(Constant::cookie_name, $jwt, $cookieExpire, '/', '', false, true);
     }
 
     private function updateUserLoginInfo()

framework/Helpers/JWTHelper.php

@@ -16,13 +16,13 @@ class JWTHelper
 {
     public static function encode($payload, $key = null)
     {
-        return JWT::encode($payload, $key ?? env('APP_SECRET_KEY'));
+        return JWT::encode($payload, $key ?? sha1(env('APP_SECRET_KEY')));
     }
 
-    public static function decode($jwt, $key = null, array $allowed_algs = array(), $allow_exp = false)
+    public static function decode(string $jwt,string $key = null, array $allowed_algs = array(), $allow_exp = false)
     {
         try {
-            $payload = (array) JWT::decode($jwt, $key ?? env('APP_SECRET_KEY'), $allowed_algs ?: ['HS256']);   // jwt data in array
+            $payload = (array) JWT::decode($jwt, $key ?? sha1(env('APP_SECRET_KEY')), $allowed_algs ?: ['HS256']);   // jwt data in array
         } catch (Exception $e) {
             $payload = false;
             if ($allow_exp && $e instanceof ExpiredException) {

framework/Helpers/StringHelper.php

@@ -38,7 +38,7 @@ private static function my_simple_crypt(string $string, $action = 'e'): ?string
         $secret_key = env('APP_SECRET_KEY');
         $secret_iv = env('APP_SECRET_IV');
 
-        $encrypt_method = "AES-256-CBC";
+        $encrypt_method = 'AES-256-CBC';
         $key = hash('sha256', $secret_key);
         $iv = substr(hash('sha256', $secret_iv), 0, 16);