Authentication
The Merchant Order Pulling API must authenticate requests with JWT tokens.
The API must check the token payload as follows:
- The jti claim must be unique for every request within a 120-second window; a repeated jti is a replay and must be rejected.
- The iat claim must be no more than 120 seconds in the past and no more than 5 seconds in the future (the 5 seconds allow for clock skew between client and server).
- The exp claim must be later than the time the request arrives; an expired token must be rejected.
- The token must be signed with the valid secret key, and the signature must be verified before any of the claims above are trusted.
Example: checking the request JWT token
<?php
use MerchantOP\OrderPullingManager;

$secret = 'QWA8Ff34/!{5q<Cc'; // shared secret the tokens are signed with

// Reject a jti that has already been seen inside the 120-second window.
// Note: has() followed by set() is not atomic; on a shared cache prefer an
// atomic add()/SETNX-style primitive so two concurrent replays cannot both pass.
$jtiChecker = function ($jti) {
    if (Cache::has("mop-$jti")) {
        return false;
    }
    Cache::set("mop-$jti", true, $ttl = 120);
    return true;
};

if (!OrderPullingManager::authenticator($secret, $jtiChecker)->validate(OrderPullingManager::bearerHeader())) {
    abort(401); // Return an empty response with a 401 status code
}
OrderPullingManager::bearerHeader() reads the Authorization header from $_SERVER['HTTP_AUTHORIZATION']. Note that some server setups (for example Apache running PHP under CGI/FastCGI) do not pass the Authorization header through to PHP unless configured to do so; in that case the header is empty and every request is rejected.
We recommend implementing a jti checker so that the API is protected against request replays.
Each jti can be stored in a cache (Redis, Memcached, etc.) with a 120-second TTL; each incoming jti is then looked up in that cache, and the request is rejected if it is already present. The TTL should be at least as long as the whole iat acceptance window (120 seconds in the past plus 5 seconds of future skew), otherwise a token can be replayed after its cache entry has expired but before its iat has gone stale.
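As an added worked example (not part of the MerchantOP library or of the original page), the following standalone PHP 8 script applies the four rules above to a bearer token without any framework: it verifies the signature first, then checks iat, exp and jti, and uses an in-memory store as a stand-in for Redis/Memcached. It assumes HS256 as the signing algorithm (the page does not name one), and the token it validates is constructed inline; the jti store's TTL covers the full iat window (120 s plus 5 s skew).

```php
<?php
// Added example, not the MerchantOP library's own code. Assumes HS256.
declare(strict_types=1);

const IAT_MAX_PAST   = 120; // seconds a token may already be old
const IAT_MAX_FUTURE = 5;   // tolerated clock skew ahead of server time
const JTI_TTL        = IAT_MAX_PAST + IAT_MAX_FUTURE; // cover the whole iat window

function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): string|false
{
    $pad = strlen($s) % 4;
    if ($pad) {
        $s .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($s, '-_', '+/'), true);
}

/** In-memory stand-in for the cache: a jti is remembered for JTI_TTL seconds. */
final class JtiStore
{
    private array $seen = [];

    /** Returns true if the jti was not seen before (and records it), false on replay. */
    public function markIfNew(string $jti, int $now): bool
    {
        $this->seen = array_filter($this->seen, fn($expiresAt) => $expiresAt > $now); // purge expired entries
        if (isset($this->seen[$jti])) {
            return false;
        }
        $this->seen[$jti] = $now + JTI_TTL;
        return true;
    }
}

/** Returns null when the token is accepted, otherwise a short rejection reason. */
function validate_token(string $jwt, string $secret, JtiStore $store, int $now): ?string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return 'malformed';
    }
    [$h, $p, $s] = $parts;

    // 1. Signature first: nothing in the payload is trusted until this passes.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $sig = b64url_decode($s);
    if ($sig === false || !hash_equals($expected, $sig)) {
        return 'bad signature';
    }
    $header = json_decode(b64url_decode($h) ?: '', true);
    if (($header['alg'] ?? null) !== 'HS256') {
        return 'unexpected alg'; // refuse "none" and any algorithm switch
    }
    $claims = json_decode(b64url_decode($p) ?: '', true);
    if (!is_array($claims)) {
        return 'bad payload';
    }
    foreach (['jti', 'iat', 'exp'] as $c) {
        if (!isset($claims[$c])) {
            return "missing $c";
        }
    }

    // 2. iat: no more than 120 s in the past, no more than 5 s in the future.
    $iat = (int) $claims['iat'];
    if ($iat < $now - IAT_MAX_PAST || $iat > $now + IAT_MAX_FUTURE) {
        return 'iat out of window';
    }

    // 3. exp: the request must arrive before the token expires.
    if ((int) $claims['exp'] <= $now) {
        return 'expired';
    }

    // 4. jti: unique within the window. Checked last, after the signature,
    //    so a forged token cannot burn a legitimate jti.
    if (!$store->markIfNew((string) $claims['jti'], $now)) {
        return 'replay';
    }
    return null;
}

/** Builds an HS256 token for the demo (the client side of the exchange). */
function make_token(array $claims, string $secret): string
{
    $h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = b64url_encode(json_encode($claims));
    return "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
}

// Constructed demo input (not real credentials).
$secret = 'QWA8Ff34/!{5q<Cc';
$store  = new JtiStore();
$now    = time();
$jwt    = make_token(['jti' => bin2hex(random_bytes(8)), 'iat' => $now, 'exp' => $now + 60], $secret);

foreach ([
    'first use'            => $now,        // fresh token, accepted
    'replayed 1 s later'   => $now + 1,    // same jti again inside the window
    'after the iat window' => $now + 121,  // iat is now older than 120 s
] as $label => $at) {
    echo $label, ': ', validate_token($jwt, $secret, $store, $at) ?? 'accepted', PHP_EOL;
}
```

The ordering matters: the signature is verified before the payload is decoded, and the jti is recorded only after every other check has passed, so an attacker who cannot sign tokens can neither poison the jti store nor probe the claim checks with arbitrary payloads.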