JWT JwtAuthenticator for embedded applications. More...

#include <JwtAuthenticator.h>

Collaboration diagram for JwtAuthenticator:

Public Member Functions
	JwtAuthenticator ()
	Get an instance of the JwtAuthenticator.

void	init (const std::string &secret, int expirySeconds)
	Initialize the JwtAuthenticator with a secret key and expiry time.

std::string	generateJWT (const std::string &userId, const std::string &userName) const
	Generate a JWT for a given user.

bool	validateJWT (const std::string &token, bool validateExpiry=false) const
	Validate a JWT's signature and optionally its expiration.

bool	decodeJWT (const std::string &token, std::string &header, std::string &payload, std::string &signature) const
	Decode a JWT into its components.

bool	isJWTExpired (const std::string &token) const
	Check if a JWT is expired based on the `exp` claim.

bool	isJWTPayloadExpired (const std::string &payload) const
	Check if a decoded JWT payload is expired.

bool	verifyJWTSignature (const std::string &encoded_header, const std::string &encoded_payload, const std::string &signature) const
	Verify a JWT's signature using HMAC-SHA256.

Private Member Functions
std::string	base64urlEncode (const std::string &input) const
	Encode a string using base64url encoding.

bool	base64urlDecode (const std::string &input, std::string &output) const
	Decode a base64url-encoded string.

bool	isBase64urlEncoded (const std::string &str) const
	Check if a string is valid base64url.

std::string	bytesToBase64url (const unsigned char *data, size_t length) const
	Convert a byte buffer to a base64url string.

std::string	hmacSHA256 (const std::string &message) const
	Calculate HMAC-SHA256 for a given message.

Private Attributes
std::string	secretKey
	Construct a new JwtAuthenticator object.

std::string	expiryTime

Detailed Description

This class provides helper methods to generate and validate JWT tokens using HMAC-SHA256. It uses a singleton design pattern and is intended to be stateless aside from a secret key.

Definition at line 26 of file JwtAuthenticator.h.

Constructor & Destructor Documentation

◆ JwtAuthenticator()

JwtAuthenticator::JwtAuthenticator ( )

Get an instance of the JwtAuthenticator.

Returns: Reference to the JwtAuthenticator instance.

Returns: Reference to the JwtAuthenticator instance.

Definition at line 39 of file JwtAuthenticator.cpp.

{
    secretKey = JWT_SECRET;
}

References secretKey.

Member Function Documentation

◆ base64urlDecode()

bool JwtAuthenticator::base64urlDecode	(	const std::string &	input,
		std::string &	output
	)		const

private

Decode a base64url-encoded string.

Parameters

input	Encoded input.
output	Decoded output.

Returns: true if decoding was successful.

Parameters

input	Encoded input.
output	Decoded output.

Returns: true if decoding was successful.

Definition at line 72 of file JwtAuthenticator.cpp.

{
    std::string base64_input = input;
    std::replace(base64_input.begin(), base64_input.end(), '-', '+');
    std::replace(base64_input.begin(), base64_input.end(), '_', '/');
    while (base64_input.size() % 4 != 0)
    {
        base64_input += "=";
    }
 
    for (size_t i = 0; i < base64_input.size(); ++i)
    {
        if (static_cast<unsigned char>(base64_input[i]) > 127)
        {
            std::cout << "Invalid character found in base64: " << (int)base64_input[i] << std::endl;
            return false;
        }
    }
 
    size_t decoded_len = base64_input.size() * 3 / 4 + 4;
    unsigned char *decoded_data = new unsigned char[decoded_len];
 
    int ret = mbedtls_base64_decode(decoded_data, decoded_len, &decoded_len,
                                    (const unsigned char *)base64_input.c_str(), base64_input.size());
 
    if (ret != 0)
    {
        char error_msg[100];
        mbedtls_strerror(ret, error_msg, sizeof(error_msg));
        std::cerr << "Base64 decoding failed: " << error_msg << std::endl;
        delete[] decoded_data;
        return false;
    }
 
    output.assign(reinterpret_cast<char *>(decoded_data), decoded_len);
    delete[] decoded_data;
    return true;
}

Referenced by decodeJWT(), isJWTExpired(), and validateJWT().

Here is the caller graph for this function:

◆ base64urlEncode()

std::string JwtAuthenticator::base64urlEncode ( const std::string & input ) const

private

Encode a string using base64url encoding.

Parameters

input Raw input string.

Returns: Base64url-encoded string.

Parameters

input Raw input string.

Returns: Base64url-encoded string.

Definition at line 45 of file JwtAuthenticator.cpp.

{
    size_t encoded_len = ((input.length() + 2) / 3) * 4 + 1;
    char *encoded_data = new char[encoded_len];
 
    size_t len = 0;
    int result = mbedtls_base64_encode(reinterpret_cast<unsigned char *>(encoded_data), encoded_len, &len,
                                       reinterpret_cast<const unsigned char *>(input.c_str()), input.length());
 
    if (result != 0)
    {
        std::cerr << "Base64 encoding failed with error code: " << result << std::endl;
        delete[] encoded_data;
        return "";
    }
 
    std::string base64_str(encoded_data, len);
    std::string base64url_str(base64_str);
    std::replace(base64url_str.begin(), base64url_str.end(), '+', '-');
    std::replace(base64url_str.begin(), base64url_str.end(), '/', '_');
    base64url_str.erase(std::remove(base64url_str.begin(), base64url_str.end(), '='), base64url_str.end());
 
    delete[] encoded_data;
    return base64url_str;
}

Referenced by generateJWT().

Here is the caller graph for this function:

◆ bytesToBase64url()

std::string JwtAuthenticator::bytesToBase64url	(	const unsigned char *	data,
		size_t	length
	)		const

private

Convert a byte buffer to a base64url string.

Parameters

data	Byte array.
length	Length of array.

Returns: Base64url string.

Parameters

data	Byte array.
length	Length of array.

Returns: Base64url string.

Definition at line 201 of file JwtAuthenticator.cpp.

{
    size_t output_len = length * 4 / 3 + 4;
    char *base64_output = new char[output_len];
    size_t written_len = 0;
 
    mbedtls_base64_encode((unsigned char *)base64_output, output_len, &written_len, data, length);
 
    std::string base64_result(base64_output, written_len);
    std::replace(base64_result.begin(), base64_result.end(), '+', '-');
    std::replace(base64_result.begin(), base64_result.end(), '/', '_');
    base64_result.erase(std::remove(base64_result.end() - 1, base64_result.end(), '='), base64_result.end());
 
    delete[] base64_output;
    return base64_result;
}

Referenced by verifyJWTSignature().

Here is the caller graph for this function:

◆ decodeJWT()

bool JwtAuthenticator::decodeJWT	(	const std::string &	token,
		std::string &	header,
		std::string &	payload,
		std::string &	signature
	)		const

Decode a JWT into its components.

Parameters

token	JWT string.
header	Output decoded header JSON string.
payload	Output decoded payload JSON string.
signature	Output base64url-encoded signature.

Returns: true if decoding was successful.

Parameters

token	JWT string.
header	Output decoded header JSON string.
payload	Output decoded payload JSON string.
signature	Output base64url-encoded signature.

Returns: true if decoding was successful.

Definition at line 168 of file JwtAuthenticator.cpp.

{
    size_t first_dot = token.find('.');
    size_t second_dot = token.find('.', first_dot + 1);
    if (first_dot == std::string::npos || second_dot == std::string::npos)
    {
        return false;
    }
 
    header = token.substr(0, first_dot);
    payload = token.substr(first_dot + 1, second_dot - first_dot - 1);
    signature = token.substr(second_dot + 1);
 
    if (isBase64urlEncoded(header))
    {
        std::string decoded;
        if (!base64urlDecode(header, decoded))
            return false;
        header = decoded;
    }
 
    if (isBase64urlEncoded(payload))
    {
        std::string decoded;
        if (!base64urlDecode(payload, decoded))
            return false;
        payload = decoded;
    }
 
    return true;
}

References base64urlDecode(), and isBase64urlEncoded().

Here is the call graph for this function:

◆ generateJWT()

std::string JwtAuthenticator::generateJWT	(	const std::string &	userId,
		const std::string &	userName
	)		const

Generate a JWT for a given user.

Parameters

userId	User ID (used as the `sub` claim).
userName	User name (stored in `name` claim).

Returns: A signed JWT string.

Parameters

userId	User ID (used as the `sub` claim).
userName	User name (stored in `name` claim).

Returns: A signed JWT string.

Definition at line 150 of file JwtAuthenticator.cpp.

{
    json header = {{"alg", "HS256"}, {"typ", "JWT"}};
    json payload = {
        {"sub", userId},
        {"name", userName},
        {"iat", std::time(0)},
        {"exp", std::time(0) + 3600}};
 
    std::string encodedHeader = base64urlEncode(header.dump());
    std::string encodedPayload = base64urlEncode(payload.dump());
    std::string message = encodedHeader + "." + encodedPayload;
    std::string signature = base64urlEncode(hmacSHA256(message));
 
    return encodedHeader + "." + encodedPayload + "." + signature;
}

References base64urlEncode(), and hmacSHA256().

Here is the call graph for this function:

◆ hmacSHA256()

std::string JwtAuthenticator::hmacSHA256 ( const std::string & message ) const

private

Calculate HMAC-SHA256 for a given message.

Parameters

message Input string.

Returns: Binary HMAC result.

Parameters

message Input string.

Returns: Binary HMAC result.

Definition at line 133 of file JwtAuthenticator.cpp.

{
    unsigned char hmac_output[MBEDTLS_SHA256_DIGEST_LENGTH];
    mbedtls_md_context_t ctx;
 
    mbedtls_md_init(&ctx);
    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
    mbedtls_md_setup(&ctx, md_info, 1);
    mbedtls_md_hmac_starts(&ctx, reinterpret_cast<const unsigned char *>(secretKey.c_str()), secretKey.size());
    mbedtls_md_hmac_update(&ctx, reinterpret_cast<const unsigned char *>(message.c_str()), message.size());
    mbedtls_md_hmac_finish(&ctx, hmac_output);
    mbedtls_md_free(&ctx);
 
    return std::string(reinterpret_cast<char *>(hmac_output), MBEDTLS_SHA256_DIGEST_LENGTH);
}

References MBEDTLS_SHA256_DIGEST_LENGTH, and secretKey.

Referenced by generateJWT().

Here is the caller graph for this function:

◆ init()

void JwtAuthenticator::init	(	const std::string &	secret,
		int	expirySeconds
	)

Parameters

secret	Secret key for HMAC-SHA256 signing.
expirySeconds	Expiry time in seconds.

Definition at line 299 of file JwtAuthenticator.cpp.

{
    this->secretKey = secret;
    this->expiryTime = expirySeconds;
}

References expiryTime, and secretKey.

◆ isBase64urlEncoded()

bool JwtAuthenticator::isBase64urlEncoded ( const std::string & str ) const

private

Check if a string is valid base64url.

Parameters

str	String to check.

Returns: true if string is valid base64url.

Parameters

str	String to check.

Returns: true if string is valid base64url.

Definition at line 112 of file JwtAuthenticator.cpp.

{
    static const std::string base64url_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
 
    if (str.length() % 4 != 0)
    {
        return false;
    }
 
    for (char c : str)
    {
        if (base64url_chars.find(c) == std::string::npos)
        {
            return false;
        }
    }
 
    return true;
}

Referenced by decodeJWT().

Here is the caller graph for this function:

◆ isJWTExpired()

bool JwtAuthenticator::isJWTExpired ( const std::string & token ) const

Check if a JWT is expired based on the exp claim.

Parameters

token JWT string.

Returns: true if expired, false if valid or error.

Parameters

token JWT string.

Returns: true if expired, false if valid or error.

Definition at line 257 of file JwtAuthenticator.cpp.

{
    size_t first_dot = token.find('.');
    size_t second_dot = token.find('.', first_dot + 1);
    if (first_dot == std::string::npos || second_dot == std::string::npos)
        return false;
 
    std::string encoded_payload = token.substr(first_dot + 1, second_dot - first_dot - 1);
    std::string decoded_payload;
 
    if (!base64urlDecode(encoded_payload, decoded_payload))
        return false;
    return isJWTPayloadExpired(decoded_payload);
}

References base64urlDecode(), and isJWTPayloadExpired().

Here is the call graph for this function:

◆ isJWTPayloadExpired()

bool JwtAuthenticator::isJWTPayloadExpired ( const std::string & payload ) const

Check if a decoded JWT payload is expired.

Parameters

payload Decoded payload string (JSON).

Returns: true if expired, false otherwise.

Parameters

payload Decoded payload string (JSON).

Returns: true if expired, false otherwise.

Definition at line 239 of file JwtAuthenticator.cpp.

{
    auto parsed = json::parse(payload, nullptr, false);
    if (parsed.is_discarded() || !parsed.contains("exp") || !parsed["exp"].is_number_integer())
    {
        std::cerr << "Invalid or missing 'exp' in JWT payload." << std::endl;
        return false;
    }
 
    long long exp_timestamp = parsed["exp"].get<long long>();
    if (exp_timestamp <= 0)
        return false;
 
    auto now = std::chrono::system_clock::to_time_t(std::chrono::system_clock::now());
    return now >= exp_timestamp;
}

Referenced by isJWTExpired(), and validateJWT().

Here is the caller graph for this function:

◆ validateJWT()

bool JwtAuthenticator::validateJWT	(	const std::string &	token,
		bool	validateExpiry = `false`
	)		const

Validate a JWT's signature and optionally its expiration.

Parameters

token	JWT string.
validateExpiry	Whether to check the `exp` claim.

Returns: true if valid and optionally not expired.

Parameters

token	JWT string.
validateExpiry	Whether to check the `exp` claim.

Returns: true if valid and optionally not expired.

Definition at line 273 of file JwtAuthenticator.cpp.

{
    size_t first_dot = token.find('.');
    size_t second_dot = token.find('.', first_dot + 1);
    if (first_dot == std::string::npos || second_dot == std::string::npos)
        return false;
 
    std::string encoded_header = token.substr(0, first_dot);
    std::string encoded_payload = token.substr(first_dot + 1, second_dot - first_dot - 1);
    std::string signature = token.substr(second_dot + 1);
 
    std::string decoded_header, decoded_payload;
    if (!base64urlDecode(encoded_header, decoded_header) ||
        !base64urlDecode(encoded_payload, decoded_payload))
    {
        return false;
    }
 
    if (validateExpiry && isJWTPayloadExpired(decoded_payload))
    {
        return false;
    }
 
    return verifyJWTSignature(encoded_header, encoded_payload, signature);
}

References base64urlDecode(), isJWTPayloadExpired(), and verifyJWTSignature().

Here is the call graph for this function:

◆ verifyJWTSignature()

bool JwtAuthenticator::verifyJWTSignature	(	const std::string &	encoded_header,
		const std::string &	encoded_payload,
		const std::string &	signature
	)		const

Verify a JWT's signature using HMAC-SHA256.

Parameters

encoded_header	Base64url-encoded JWT header.
encoded_payload	Base64url-encoded JWT payload.
signature	Base64url-encoded signature to verify against.

Returns: true if the signature is valid.

Parameters

encoded_header	Base64url-encoded JWT header.
encoded_payload	Base64url-encoded JWT payload.
signature	Base64url-encoded signature to verify against.

Returns: true if the signature is valid.

Definition at line 219 of file JwtAuthenticator.cpp.

{
    std::string header_payload = encoded_header + "." + encoded_payload;
 
    mbedtls_md_context_t ctx;
    mbedtls_md_init(&ctx);
    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
    mbedtls_md_setup(&ctx, md_info, 1);
    mbedtls_md_hmac_starts(&ctx, (const unsigned char *)secretKey.c_str(), secretKey.length());
    mbedtls_md_hmac_update(&ctx, (const unsigned char *)header_payload.c_str(), header_payload.length());
 
    unsigned char hmac_output[MBEDTLS_SHA256_DIGEST_LENGTH];
    mbedtls_md_hmac_finish(&ctx, hmac_output);
    mbedtls_md_free(&ctx);
 
    std::string computed_signature = bytesToBase64url(hmac_output, MBEDTLS_SHA256_DIGEST_LENGTH);
    return computed_signature == signature;
}

References bytesToBase64url(), MBEDTLS_SHA256_DIGEST_LENGTH, and secretKey.

Referenced by validateJWT().

Here is the call graph for this function:

Here is the caller graph for this function:

Member Data Documentation

◆ expiryTime

std::string JwtAuthenticator::expiryTime

private

Definition at line 99 of file JwtAuthenticator.h.

Referenced by init().

◆ secretKey

std::string JwtAuthenticator::secretKey

private

Secret key is loaded from build config.

Definition at line 98 of file JwtAuthenticator.h.

Referenced by hmacSHA256(), init(), JwtAuthenticator(), and verifyJWTSignature().

The documentation for this class was generated from the following files:

Public Member Functions

Private Member Functions

Private Attributes

Detailed Description

Constructor & Destructor Documentation

◆ JwtAuthenticator()

Member Function Documentation

◆ base64urlDecode()

◆ base64urlEncode()

◆ bytesToBase64url()

◆ decodeJWT()

◆ generateJWT()

◆ hmacSHA256()

◆ init()

◆ isBase64urlEncoded()

◆ isJWTExpired()

◆ isJWTPayloadExpired()

◆ validateJWT()

◆ verifyJWTSignature()

Member Data Documentation

◆ expiryTime

◆ secretKey