Flow Rest-Token/Provider
<?php
namespace ...\Security\Authentication\Provider;
[...]
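class JwtApiTokenProvider extends AbstractProvider
{
    /**
     * @Flow\Inject
     * @var PolicyService
     */
    protected $policyService;

    /**
     * Shared HS256 secret used to verify incoming tokens.
     *
     * @Flow\InjectConfiguration(package="...", path="Api.sharedSecret")
     * @var string
     */
    protected $secret;

    /**
     * Returns the class names of the tokens this provider is responsible for.
     *
     * @return array
     */
    public function getTokenClassNames()
    {
        return [JwtApiToken::class];
    }

    /**
     * Authenticates the given token by verifying the JWT it carries.
     *
     * Outcome per token:
     * - no "jwt" credential, or an empty one          -> NO_CREDENTIALS_GIVEN
     * - JWT fails verification, or has no usable
     *   "accountIdentifier" claim                      -> WRONG_CREDENTIALS
     * - otherwise a transient account is attached      -> AUTHENTICATION_SUCCESSFUL
     *
     * Only HS256 is accepted, so a token whose header names another algorithm
     * ("none", RS256, ...) is rejected by the library instead of being trusted.
     *
     * @param TokenInterface $authenticationToken The token to be authenticated
     * @return void
     * @throws UnsupportedAuthenticationTokenException
     * @throws AccessDeniedException
     * @throws \RuntimeException if Api.sharedSecret is not configured
     */
    public function authenticate(TokenInterface $authenticationToken)
    {
        $credentials = $authenticationToken->getCredentials();

        // JwtApiToken seeds its credentials with ['jwt' => ''], so an empty string means
        // the X-Jwt header was never sent, not that an empty token was presented.
        if (!is_array($credentials) || !isset($credentials['jwt']) || $credentials['jwt'] === '') {
            $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
            return;
        }

        // Fail closed on a missing secret instead of relying on the JWT library to reject
        // an empty key: with HS256 the key is the only thing standing between a client and
        // a forged token.
        if (!is_string($this->secret) || $this->secret === '') {
            throw new \RuntimeException('JwtApiTokenProvider: the configured Api.sharedSecret is empty.');
        }

        $accountIdentifier = $this->extractAccountIdentifier($credentials['jwt']);
        if ($accountIdentifier === null) {
            $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
            return;
        }

        $account = $this->createTransientAccount($accountIdentifier);
        $authenticationToken->setAccount($account);
        $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
    }

    /**
     * Verifies the JWT and returns its "accountIdentifier" claim, or null when the token is
     * invalid (bad signature, expired, malformed, wrong algorithm) or carries no usable claim.
     *
     * @param mixed $jwt Raw value of the "jwt" credential
     * @return string|null
     */
    protected function extractAccountIdentifier($jwt)
    {
        if (!is_string($jwt)) {
            return null;
        }

        try {
            // Pinning the allowed algorithms to HS256 keeps the token header from choosing
            // a weaker or unsigned scheme.
            $jwtPayload = (array)JWT::decode($jwt, $this->secret, ['HS256']);
        } catch (\Exception $e) {
            return null;
        }

        // Claim values are arbitrary decoded JSON; only a non-empty string or an integer
        // is usable as an account identifier.
        $accountIdentifier = isset($jwtPayload['accountIdentifier']) ? $jwtPayload['accountIdentifier'] : null;
        if (!is_string($accountIdentifier) && !is_int($accountIdentifier)) {
            return null;
        }
        $accountIdentifier = (string)$accountIdentifier;

        return $accountIdentifier === '' ? null : $accountIdentifier;
    }

    /**
     * Builds an Account for the given identifier and grants it the given roles.
     * Nothing in this method stores the account; it only exists for this request.
     *
     * @param string $accountIdentifier
     * @param array $roleIdentifiers Role identifiers to grant; defaults to the API user role
     * @return Account
     */
    protected function createTransientAccount($accountIdentifier, array $roleIdentifiers = ['Yeebase.t3n.Common:ApiUser'])
    {
        $account = new Account();
        $account->setAccountIdentifier($accountIdentifier);
        foreach ($roleIdentifiers as $roleIdentifier) {
            $account->addRole($this->policyService->getRole($roleIdentifier));
        }
        $account->setAuthenticationProviderName($this->name);

        return $account;
    }
}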
<?php
namespace ...\Security\Authentication\Token;
[...]
/**
* JWT token authentication token
*
* An authentication token used for JWT authentication. Will accept the JWT encoded string
* from HTTP headers (with <code>X-JWT</code>)
*/
class JwtApiToken extends AbstractToken implements SessionlessTokenInterface
{
    /**
     * The jwt credentials
     *
     * @var array
     * @Flow\Transient
     */
    protected $credentials = ['jwt' => ''];

    /**
     * Picks the JWT out of the X-Jwt request header, if one was sent.
     *
     * When the header is present its value becomes the "jwt" credential and the token is
     * flagged AUTHENTICATION_NEEDED; otherwise credentials and status are left untouched.
     *
     * @param ActionRequest $actionRequest
     * @return void
     */
    public function updateCredentials(ActionRequest $actionRequest)
    {
        $httpRequest = $actionRequest->getHttpRequest();
        if (!$httpRequest->hasHeader('X-Jwt')) {
            return;
        }

        $this->credentials['jwt'] = $httpRequest->getHeader('X-Jwt');
        $this->setAuthenticationStatus(self::AUTHENTICATION_NEEDED);
    }
}