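'HS256', 'typ' => 'JWT'); $h = bericht_b64url_encode(json_encode($header)); $p = bericht_b64url_encode(json_encode($payload)); $sig = hash_hmac('sha256', $h.'.'.$p, bericht_jwt_secret(), true); return $h.'.'.$p.'.'.bericht_b64url_encode($sig); }

/**
 * Verifies an HS256 JWT and returns its claims.
 *
 * Check order: compact structure (three segments), HMAC-SHA256 signature over
 * "header.payload" with bericht_jwt_secret(), header `alg`, payload shape, then
 * `exp`. Any failure yields null, so callers only ever see claims that were
 * signed with the server secret.
 *
 * @param mixed $token compact-serialised JWT; anything that is not a
 *                     non-empty string is rejected
 * @return array|null decoded claims, or null if the token is not acceptable
 */
function bericht_jwt_decode($token) {
    if (!is_string($token) || $token === '') return null;
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    list($h, $p, $s) = $parts;
    // The algorithm is pinned: the signature is always recomputed as HMAC-SHA256
    // with our own key, so "alg":"none" or an RS*->HS* swap cannot pass here.
    // hash_equals() keeps the comparison constant-time.
    $expected = bericht_b64url_encode(hash_hmac('sha256', $h.'.'.$p, bericht_jwt_secret(), true));
    if (!hash_equals($expected, $s)) return null;
    // Defence in depth: a correctly signed token must also declare HS256, the
    // only algorithm bericht_jwt_encode emits; anything else is malformed.
    $hdr = json_decode(bericht_b64url_decode($h), true);
    if (!is_array($hdr) || !isset($hdr['alg']) || $hdr['alg'] !== 'HS256') return null;
    $payload = json_decode(bericht_b64url_decode($p), true);
    if (!is_array($payload)) return null;
    // `exp` is a NumericDate (RFC 7519 §4.1.4). A non-numeric value would be
    // string-compared against time() by PHP and could read as "not expired",
    // so it is rejected outright. The token is already invalid at exactly exp.
    if (array_key_exists('exp', $payload)) {
        if (!is_numeric($payload['exp']) || $payload['exp'] <= time()) return null;
    }
    // NOTE(review): a token without `exp` never expires here -- acceptable only
    // if the issuer always sets it; confirm against bericht_jwt_encode's callers.
    return $payload;
}

/**
 * Reads the "Authorization: Bearer <token>" header and verifies the token.
 *
 * $_SERVER['HTTP_AUTHORIZATION'] is consulted first; when the SAPI does not
 * populate it, apache_request_headers() is used as a fallback (matched
 * case-insensitively, as HTTP header names are).
 *
 * @return array|null verified claims from bericht_jwt_decode(), or null when
 *                    no usable bearer header is present or the token fails
 */
function bericht_jwt_from_request() {
    $raw = '';
    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
        $raw = $_SERVER['HTTP_AUTHORIZATION'];
    } elseif (function_exists('apache_request_headers')) {
        $headers = apache_request_headers();
        if (is_array($headers)) {
            $headers = array_change_key_case($headers, CASE_LOWER);
            if (isset($headers['authorization'])) $raw = $headers['authorization'];
        }
    }
    // The auth scheme is case-insensitive (RFC 7235); the token itself is not,
    // so only surrounding whitespace is stripped from it.
    if (!is_string($raw) || $raw === '' || stripos($raw, 'bearer ') !== 0) return null;
    $token = trim(substr($raw, 7));
    if ($token === '') return null;
    return bericht_jwt_decode($token);
}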