author | Chris Raynor <chris@firebase.com> | 2014-11-18 09:58:25 -0800 |
committer | Chris Raynor <chris@firebase.com> | 2014-11-18 09:58:25 -0800 |
commit | 83b8899cb73d85d648af93f37ec0ac89f4a5bbae (patch) | |
tree | 07dae7a21defd08d8591bd475cfbf5f8286d1e4d | |
parent | c20a3cb3faf81ec9716449b6c07c27b14f52bc75 (diff) | |
parent | 8b6d4f07753dcd8036dc54ecb1b42296bd2d82f7 (diff) | |
Merge pull request #24 from brendo/iat-claim-check
Add check for iat claim with some minor documentation updates
-rw-r--r-- | Authentication/JWT.php | 31 | ||||
-rw-r--r-- | tests/JWTTest.php | 13 |
2 files changed, 35 insertions, 9 deletions
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
index 7e64b4b..1955b60 100644
--- a/Authentication/JWT.php
+++ b/Authentication/JWT.php
@@ -30,8 +30,13 @@ class JWT
 * @param bool $verify Don't skip verification process
 *
 * @return object The JWT's payload as a PHP object
- * @throws UnexpectedValueException Provided JWT was invalid
- * @throws DomainException Algorithm was not provided
+ *
+ * @throws DomainException Algorithm was not provided
+ * @throws UnexpectedValueException Provided JWT was invalid
+ * @throws SignatureInvalidException Provided JWT was invalid because the signature verification failed
+ * @throws BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf'
+ * @throws BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat'
+ * @throws ExpiredException Provided JWT has since expired, as defined by the 'exp' claim
 *
 * @uses jsonDecode
 * @uses urlsafeB64Decode
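Review bot: The rewritten @throws list declares `BeforeValidException` twice, once for 'nbf' and once for 'iat'; PHPDoc expects one tag per exception type, and duplicate tags are collapsed or reported by doc generators and static analysers. Merge the two into a single line, `@throws BeforeValidException Provided JWT is not yet valid: 'nbf' is in the future, or 'iat' claims a creation time in the future`. The decode() signature this docblock belongs to is outside the hunk.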
@@ -67,17 +72,27 @@ class JWT
 throw new SignatureInvalidException('Signature verification failed');
 }
 
- // Check token expiry time if defined.
- if (isset($payload->exp) && time() >= $payload->exp) {
- throw new ExpiredException('Expired token');
- }
-
- // Check if the nbf if it is defined.
+ // Check if the nbf if it is defined. This is the time that the
+ // token can actually be used. If it's not yet that time, abort.
 if (isset($payload->nbf) && $payload->nbf > time()) {
 throw new BeforeValidException(
 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
 );
 }
+
+ // Check that this token has been created before 'now'. This prevents
+ // using tokens that have been created for later use (and haven't
+ // correctly used the nbf claim).
+ if (isset($payload->iat) && $payload->iat > time()) {
+ throw new BeforeValidException(
+ 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)
+ );
+ }
+
+ // Check if this token has expired.
+ if (isset($payload->exp) && time() >= $payload->exp) {
+ throw new ExpiredException('Expired token');
+ }
 }
 
 return $payload;
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index 5a76ed4..b7dbca0 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
@@ -45,7 +45,7 @@ class JWTTest extends PHPUnit_Framework_TestCase
 JWT::decode($encoded, 'my_key');
 }
 
- public function testBeforeValidToken()
+ public function testBeforeValidTokenWithNbf()
 {
 $this->setExpectedException('BeforeValidException');
 $payload = array(
@@ -55,6 +55,16 @@ class JWTTest extends PHPUnit_Framework_TestCase
 JWT::decode($encoded, 'my_key');
 }
 
+ public function testBeforeValidTokenWithIat()
+ {
+ $this->setExpectedException('BeforeValidException');
+ $payload = array(
+ "message" => "abc",
+ "iat" => time() + 20); // time in the future
+ $encoded = JWT::encode($payload, 'my_key');
+ JWT::decode($encoded, 'my_key');
+ }
+
 public function testValidToken()
 {
 $payload = array(
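Review bot: The new iat check, `if (isset($payload->iat) && $payload->iat > time())`, rejects any token whose issuer clock is even one second ahead of the verifier's, so ordinary clock drift between services becomes a hard `BeforeValidException`; the nbf and exp comparisons in the same block have the same exposure, and each calls `time()` separately so the three checks can disagree about "now" across a second boundary. RFC 7519 §4.1.4 and §4.1.5 explicitly allow a small leeway for this, so read the clock once into `$now` and compare against a class-level tolerance (a new static int, zero by default, so existing behaviour is unchanged). The iat failure also reuses the nbf message verbatim, `'Cannot handle token prior to '`, which makes the two conditions indistinguishable in logs; a distinct wording such as `'Token issued in the future: '` helps when triaging. The enclosing decode() method starts and ends outside the hunk.
```php
            // … unchanged: signature check …
            // Read the clock once so nbf/iat/exp are judged against the same instant, and
            // allow a small tolerance for issuer/verifier drift (RFC 7519 §4.1.4-4.1.5).
            // self::$leeway is a proposed new static int property, default 0.
            $now = time();

            if (isset($payload->nbf) && $payload->nbf > ($now + self::$leeway)) {
                // … unchanged: BeforeValidException for nbf …
            }

            if (isset($payload->iat) && $payload->iat > ($now + self::$leeway)) {
                throw new BeforeValidException(
                    'Token issued in the future: ' . date(DateTime::ISO8601, $payload->iat)
                );
            }

            if (isset($payload->exp) && ($now - self::$leeway) >= $payload->exp) {
                throw new ExpiredException('Expired token');
            }
```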
@@ -69,6 +79,7 @@ class JWTTest extends PHPUnit_Framework_TestCase
 {
 $payload = array(
 "message" => "abc",
+ "iat" => time(),
 "exp" => time() + 20, // time in the future
 "nbf" => time() - 20);
 $encoded = JWT::encode($payload, 'my_key');