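/**
 * Checks that the nonce carried by the token is fresh and that its digest
 * matches the given secret (WSE UsernameToken style).
 *
 * The digest is expected to be md5(nonce . created . secret). The hash
 * algorithm is part of the wire protocol shared with clients and is kept
 * as is; the comparison itself is done in constant time so the digest
 * check does not leak timing information.
 *
 * @param BBUserToken $token  The token carrying digest, nonce and creation date
 * @param string      $secret The secret (ie password) the digest is checked against
 *
 * @return boolean Always true; every failure is reported by exception
 *
 * @throws \BackBee\Security\Exception\SecurityException EXPIRED_TOKEN when the
 *   creation date is unparsable or older than 300 seconds, INVALID_CREDENTIALS
 *   when the digest does not match, EXPIRED_AUTH when a prior nonce record is
 *   older than $this->lifetime
 */
protected function checkNonce(BBUserToken $token, $secret)
{
    $digest = $token->getDigest();
    $nonce = $token->getNonce();
    $created = $token->getCreated();
    $now = time();

    // strtotime() returns false on an unparsable date; reject that explicitly
    // instead of letting the arithmetic silently coerce it to 0.
    // NOTE(review): a creation date in the future yields a negative difference
    // and passes this check; tightening it to a symmetric window would change
    // behaviour for clients with skewed clocks — confirm before doing so.
    $createdAt = strtotime($created);
    if (false === $createdAt || $now - $createdAt > 300) {
        throw new SecurityException('Request expired', SecurityException::EXPIRED_TOKEN);
    }

    // hash_equals() needs two strings, so a missing or non-string digest is
    // rejected up front rather than raising a TypeError.
    $expected = md5($nonce . $created . $secret);
    if (!is_string($digest) || !hash_equals($expected, $digest)) {
        throw new SecurityException('Invalid authentication informations', SecurityException::INVALID_CREDENTIALS);
    }

    // NOTE(review): readNonceValue() appears to return null for an unknown
    // nonce and otherwise an array whose element 0 is a unix timestamp —
    // confirm against its implementation.
    $value = $this->readNonceValue($nonce);
    if (null !== $value && $value[0] + $this->lifetime < $now) {
        throw new SecurityException('Prior authentication expired', SecurityException::EXPIRED_AUTH);
    }

    return true;
}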