Added support for JWT authentication, updated API webConfigurator page to allow admins to rotate the JWT server key and set the JWT expiration period, updated makefile to include JWT changes and prep for version 0.0.3

Author: jaredhendrickson13

pfSense-pkg-API/Makefile

@@ -2,7 +2,7 @@
 
 PORTNAME=	pfSense-pkg-API
 PORTVERSION=	0.0
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	sysutils
 MASTER_SITES=	# empty
 DISTFILES=	# empty
@@ -19,6 +19,8 @@ do-extract:
 	${MKDIR} ${WRKSRC}
 
 do-install:
+
+
 	# INSTALL OUR API INCLUDE FILE
 	${MKDIR} ${STAGEDIR}/etc/inc
 	${INSTALL_DATA} ${FILESDIR}/etc/inc/api.inc \
@@ -27,6 +29,25 @@ do-install:
 		${STAGEDIR}/etc/inc
 	${INSTALL_DATA} ${FILESDIR}/etc/inc/apiresp.inc \
 		${STAGEDIR}/etc/inc
+	# INSTALL STATIC PHP-JWT FILES (static files are required as pfSense does not allow composer installations)
+	${MKDIR} ${STAGEDIR}/etc/inc/php-jwt
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/README.md \
+		${STAGEDIR}/etc/inc/php-jwt
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/LICENSE \
+		${STAGEDIR}/etc/inc/php-jwt
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/composer.json \
+		${STAGEDIR}/etc/inc/php-jwt
+	${MKDIR} ${STAGEDIR}/etc/inc/php-jwt/src
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/src/JWT.php \
+		${STAGEDIR}/etc/inc/php-jwt/src
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/src/JWK.php \
+		${STAGEDIR}/etc/inc/php-jwt/src
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/src/SignatureInvalidException.php \
+		${STAGEDIR}/etc/inc/php-jwt/src
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/src/ExpiredException.php \
+		${STAGEDIR}/etc/inc/php-jwt/src
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/php-jwt/src/BeforeValidException.php \
+		${STAGEDIR}/etc/inc/php-jwt/src
 
 	# INSTALL OUR PFSENSE PKG
 	${MKDIR} ${STAGEDIR}${PREFIX}/pkg
@@ -40,6 +61,11 @@ do-install:
     	${STAGEDIR}${PREFIX}/www/api
     # API version
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1
+	# ACCESS TOKEN API ENDPOINTS
+	# Access Token base
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/access_token
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/access_token/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/access_token
 	# USERS API ENDPOINTS------------------------------------------
 	# Users base
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/users

pfSense-pkg-API/files/etc/inc/api.inc

@@ -1,5 +1,9 @@
 <?php
 require_once("apiresp.inc");
+require_once("php-jwt/src/JWT.php");
+require_once("php-jwt/src/ExpiredException.php");
+require_once("php-jwt/src/SignatureInvalidException.php");
+require_once("php-jwt/src/BeforeValidException.php");
 require_once("config.inc");
 require_once("util.inc");
 require_once("interfaces.inc");
@@ -9,6 +13,11 @@ require_once("filter.inc");
 require_once("shaper.inc");
 require_once("auth.inc");
 require_once("functions.inc");
+use Firebase\JWT\JWT;
+use Firebase\JWT\ExpiredException;
+use Firebase\JWT\SignatureInvalidException;
+use Firebase\JWT\BeforeValidException;
+
 
 // HEADERS--------------------------------------------------------------------------------------------------------------
 header("Content-Type: application/json", true);
@@ -104,6 +113,44 @@ function api_generate_token($username) {
     return $key_new;
 }
 
+// Creates JWT server key if one does not exist, or optionally allows rotation of the JWT server key
+function api_create_jwt_server_key($rotate=false) {
+    global $config;
+    $pkg_index = get_api_configuration()[0];    // Save our current API configs pkg index
+    $api_config = get_api_configuration()[1];    // Save our current API config
+    # Create a new server key if one is not set
+    if (empty($api_config["server_key"]) or $rotate === true) {
+        $config["installedpackages"]["package"][$pkg_index]["conf"]["server_key"] = bin2hex(random_bytes(32));
+        write_config();
+    }
+}
+
+// Creates a JWT to use for JWT authentication
+function api_create_jwt($data) {
+    global $config;
+    $api_config = get_api_configuration()[1];    // Save our current API config
+    $token_exp = $api_config["jwt_exp"];    // Expire token in one hours
+    api_create_jwt_server_key();    // Ensure we have a JWT server key
+    $payload = array(
+        "iss" => $config["system"]["hostname"],
+        "exp" => time() + $token_exp,
+        "nbf" => time(),
+        "data" => $data
+    );
+    return JWT::encode($payload, $api_config["server_key"]);
+}
+
+// Decodes a JWT
+function api_decode_jwt($token) {
+    $key = get_api_configuration()[1]["server_key"];    // Save our current server key
+    try {
+        $decoded = (array) JWT::decode($token, $key, array('HS256'));
+    } catch (Exception $e) {
+        $decoded = false;
+    }
+    return $decoded;
+}
+
 // Get our API token ID for a given username
 function api_get_existing_tokens($username) {
     // Local variables
@@ -143,6 +190,23 @@ function api_authenticate() {
     $authenticated = false;
     $api_config = get_api_configuration()[1];
     $users = index_users();
+
+    // Check for JWT in Authorization header if authmode is set to JWT
+    if ($api_config["authmode"] === "jwt") {
+        $auth_header = explode(" ", $_SERVER["HTTP_AUTHORIZATION"]);
+        $token_type = $auth_header[0];
+        $token = $auth_header[1];
+        $decoded_jwt = api_decode_jwt($token);
+
+        // Check that our JWT from our Authorization header is valid
+        if ($token_type === "Bearer" and $decoded_jwt !== false) {
+            unset($_SESSION["Username"]);
+            $client_id = $decoded_jwt["data"];
+            $_SESSION["Username"] = $client_id;
+            $authenticated = true;
+        }
+    }
+
     // Format our client ID and token based on our configured auth mode
     if ($api_config["authmode"] === "base64") {
         $client_id = base64_decode($client_id);
@@ -312,7 +376,7 @@ function api_whitelist_check() {
             } elseif ($srv_ip === $if_info["ipaddrv6"]) {
                 $allowed = true;
                 break;
-            } elseif ($srv_ip === "127.0.0.1" and $wif === "localhost") {
+            } elseif (in_array($srv_ip, ["::1", "127.0.0.1", "localhost"]) and $wif === "localhost") {
                 $allowed = true;
                 break;
             }elseif ($wif === "any") {
@@ -326,7 +390,7 @@ function api_whitelist_check() {
         $api_resp = array("status" => "forbidden", "code" => 403, "return" => 6);
         $api_resp["message"] = $err_lib[$api_resp["return"]];
         http_response_code(403);
-        echo json_encode($api_resp);
+        echo json_encode($api_resp).PHP_EOL;
         die;
     }
 }

pfSense-pkg-API/files/etc/inc/apicalls.inc

@@ -19,6 +19,21 @@ api_runtime_allowed();    // Check that our configuration allows this API call t
 session_start();    // Start our session. This is only used for tracking user name
 $pf_ver_num = get_pfsense_version()["program"];    // Pull our full pfSense version
 
+function api_access_token() {
+    global $api_resp, $client_params, $err_lib;
+    # Check that auth mode is set to JWT before creating token
+    if (get_api_configuration()[1]["authmode"] === "jwt") {
+        # Return our JWT if user is authenticated
+        if (authenticate_user($client_params["username"], $client_params["password"])) {
+            $jwt = api_create_jwt($client_params["username"]);
+            $api_resp = array("status" => "ok", "code" => 200, "return" => 0, "message" => "", "data" => ["token" => $jwt]);
+        }
+    } else {
+        $api_resp = array("status" => "forbidden", "code" => 403, "return" => 9, "message" => $err_lib[9], "data" => []);
+    }
+    return $api_resp;
+}
+
 function api_status_carp() {
     # VARIABLES
     global $err_lib, $config, $api_resp, $client_params;

pfSense-pkg-API/files/etc/inc/apiresp.inc

@@ -12,6 +12,8 @@ function api_error_lib() {
         6 => "Forbidden",
         7 => "Search attribute not found",
         8 => "Could not locate pfSense version",
+        9 => "Authentication mode must be set to JWT to enable access token authentication",
+
         // 1000-1999 reserved for /system API calls
         1000 => "Invalid system hostname",
         1001 => "Invalid system hostname domain",

pfSense-pkg-API/files/etc/inc/php-jwt/LICENSE

@@ -0,0 +1,30 @@
+Copyright (c) 2011, Neuman Vong
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+
+    * Neither the name of Neuman Vong nor the names of other
+      contributors may be used to endorse or promote products derived
+      from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.