Merge branch 'main' into patch-1

Author: ennorehling

.github/workflows/tests.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php: [ "7.4", "8.0", "8.1", "8.2" ]
+        php: [ "7.4", "8.0", "8.1", "8.2", "8.3" ]
     name: PHP ${{matrix.php }} Unit Test
     steps:
       - uses: actions/checkout@v2
@@ -35,7 +35,7 @@ jobs:
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
-          php-version: "8.0"
+          php-version: "8.2"
       - name: Run Script
         run: |
           composer global require friendsofphp/php-cs-fixer
@@ -49,7 +49,7 @@ jobs:
     - name: Install PHP
       uses: shivammathur/setup-php@v2
       with:
-        php-version: '8.0'
+        php-version: '8.2'
     - name: Run Script
       run: |
         composer install

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [6.10.0](https://github.com/firebase/php-jwt/compare/v6.9.0...v6.10.0) (2023-11-28)
+
+
+### Features
+
+* allow typ header override ([#546](https://github.com/firebase/php-jwt/issues/546)) ([79cb30b](https://github.com/firebase/php-jwt/commit/79cb30b729a22931b2fbd6b53f20629a83031ba9))
+
+## [6.9.0](https://github.com/firebase/php-jwt/compare/v6.8.1...v6.9.0) (2023-10-04)
+
+
+### Features
+
+* add payload to jwt exception ([#521](https://github.com/firebase/php-jwt/issues/521)) ([175edf9](https://github.com/firebase/php-jwt/commit/175edf958bb61922ec135b2333acf5622f2238a2))
+
 ## [6.8.1](https://github.com/firebase/php-jwt/compare/v6.8.0...v6.8.1) (2023-07-14)
 
 

src/BeforeValidException.php

@@ -2,6 +2,17 @@
 
 namespace Firebase\JWT;
 
-class BeforeValidException extends \UnexpectedValueException
+class BeforeValidException extends \UnexpectedValueException implements JWTExceptionWithPayloadInterface
 {
+    private object $payload;
+
+    public function setPayload(object $payload): void
+    {
+        $this->payload = $payload;
+    }
+
+    public function getPayload(): object
+    {
+        return $this->payload;
+    }
 }

src/CachedKeySet.php

@@ -213,7 +213,7 @@ private function rateLimitExceeded(): bool
 
         $cacheItem = $this->cache->getItem($this->rateLimitCacheKey);
         if (!$cacheItem->isHit()) {
-            $cacheItem->expiresAfter(1); // # of calls are cached each minute
+            $cacheItem->expiresAfter(60); // # of calls are cached each minute
         }
 
         $callsPerMinute = (int) $cacheItem->get();

src/ExpiredException.php

@@ -2,6 +2,17 @@
 
 namespace Firebase\JWT;
 
-class ExpiredException extends \UnexpectedValueException
+class ExpiredException extends \UnexpectedValueException implements JWTExceptionWithPayloadInterface
 {
+    private object $payload;
+
+    public function setPayload(object $payload): void
+    {
+        $this->payload = $payload;
+    }
+
+    public function getPayload(): object
+    {
+        return $this->payload;
+    }
 }

src/JWT.php

@@ -153,23 +153,29 @@ public static function decode(
         // Check the nbf if it is defined. This is the time that the
         // token can actually be used. If it's not yet that time, abort.
         if (isset($payload->nbf) && floor($payload->nbf) > ($timestamp + static::$leeway)) {
-            throw new BeforeValidException(
+            $ex = new BeforeValidException(
                 'Cannot handle token with nbf prior to ' . \date(DateTime::ATOM, (int) $payload->nbf)
             );
+            $ex->setPayload($payload);
+            throw $ex;
         }
 
         // Check that this token has been created before 'now'. This prevents
         // using tokens that have been created for later use (and haven't
         // correctly used the nbf claim).
         if (!isset($payload->nbf) && isset($payload->iat) && floor($payload->iat) > ($timestamp + static::$leeway)) {
-            throw new BeforeValidException(
+            $ex = new BeforeValidException(
                 'Cannot handle token with iat prior to ' . \date(DateTime::ATOM, (int) $payload->iat)
             );
+            $ex->setPayload($payload);
+            throw $ex;
         }
 
         // Check if this token has expired.
         if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {
-            throw new ExpiredException('Expired token');
+            $ex = new ExpiredException('Expired token');
+            $ex->setPayload($payload);
+            throw $ex;
         }
 
         return $payload;
@@ -197,13 +203,14 @@ public static function encode(
         string $keyId = null,
         array $head = null
     ): string {
-        $header = ['typ' => 'JWT', 'alg' => $alg];
+        $header = ['typ' => 'JWT'];
+        if (isset($head) && \is_array($head)) {
+            $header = \array_merge($header, $head);
+        }
+        $header['alg'] = $alg;
         if ($keyId !== null) {
             $header['kid'] = $keyId;
         }
-        if (isset($head) && \is_array($head)) {
-            $header = \array_merge($head, $header);
-        }
         $segments = [];
         $segments[] = static::urlsafeB64Encode((string) static::jsonEncode($header));
         $segments[] = static::urlsafeB64Encode((string) static::jsonEncode($payload));
@@ -244,6 +251,9 @@ public static function sign(
                 return \hash_hmac($algorithm, $msg, $key, true);
             case 'openssl':
                 $signature = '';
+                if (!\is_resource($key) && !openssl_pkey_get_private($key)) {
+                    throw new DomainException('OpenSSL unable to validate key');
+                }
                 $success = \openssl_sign($msg, $signature, $key, $algorithm); // @phpstan-ignore-line
                 if (!$success) {
                     throw new DomainException('OpenSSL unable to sign data');

src/JWTExceptionWithPayloadInterface.php

@@ -0,0 +1,20 @@
+<?php
+namespace Firebase\JWT;
+
+interface JWTExceptionWithPayloadInterface
+{
+    /**
+     * Get the payload that caused this exception.
+     *
+     * @return object
+     */
+    public function getPayload(): object;
+
+    /**
+     * Get the payload that caused this exception.
+     *
+     * @param object $payload
+     * @return void
+     */
+    public function setPayload(object $payload): void;
+}

tests/JWTTest.php

@@ -26,6 +26,12 @@ public function testMalformedUtf8StringsFail()
         JWT::encode(['message' => pack('c', 128)], 'a', 'HS256');
     }
 
+    public function testInvalidKeyOpensslSignFail()
+    {
+        $this->expectException(DomainException::class);
+        JWT::sign('message', 'invalid key', 'openssl');
+    }
+
     public function testMalformedJsonThrowsException()
     {
         $this->expectException(DomainException::class);
@@ -107,6 +113,40 @@ public function testExpiredTokenWithLeeway()
         $this->assertSame($decoded->message, 'abc');
     }
 
+    public function testExpiredExceptionPayload()
+    {
+        $this->expectException(ExpiredException::class);
+        $payload = [
+            'message' => 'abc',
+            'exp' => time() - 100, // time in the past
+        ];
+        $encoded = JWT::encode($payload, 'my_key', 'HS256');
+        try {
+            JWT::decode($encoded, new Key('my_key', 'HS256'));
+        } catch (ExpiredException $e) {
+            $exceptionPayload = (array) $e->getPayload();
+            $this->assertEquals($exceptionPayload, $payload);
+            throw $e;
+        }
+    }
+
+    public function testBeforeValidExceptionPayload()
+    {
+        $this->expectException(BeforeValidException::class);
+        $payload = [
+            'message' => 'abc',
+            'iat' => time() + 100, // time in the future
+        ];
+        $encoded = JWT::encode($payload, 'my_key', 'HS256');
+        try {
+            JWT::decode($encoded, new Key('my_key', 'HS256'));
+        } catch (BeforeValidException $e) {
+            $exceptionPayload = (array) $e->getPayload();
+            $this->assertEquals($exceptionPayload, $payload);
+            throw $e;
+        }
+    }
+
     public function testValidTokenWithNbf()
     {
         $payload = [
@@ -484,4 +524,26 @@ public function testGetHeaders()
         $this->assertEquals($headers->typ, 'JWT');
         $this->assertEquals($headers->alg, 'HS256');
     }
+
+    public function testAdditionalHeaderOverrides()
+    {
+        $msg = JWT::encode(
+            ['message' => 'abc'],
+            'my_key',
+            'HS256',
+            'my_key_id',
+            [
+                'cty' => 'test-eit;v=1',
+                'typ' => 'JOSE', // override type header
+                'kid' => 'not_my_key_id', // should not override $key param
+                'alg' => 'BAD', // should not override $alg param
+            ]
+        );
+        $headers = new stdClass();
+        JWT::decode($msg, new Key('my_key', 'HS256'), $headers);
+        $this->assertEquals('test-eit;v=1', $headers->cty, 'additional field works');
+        $this->assertEquals('JOSE', $headers->typ, 'typ override works');
+        $this->assertEquals('my_key_id', $headers->kid, 'key param not overridden');
+        $this->assertEquals('HS256', $headers->alg, 'alg param not overridden');
+    }
 }