author | Brendan Abbott <brendan@vuid.com> | 2014-11-17 11:27:21 +1000 |
---|---|---|
committer | Brendan Abbott <brendan@vuid.com> | 2014-11-17 11:27:21 +1000 |
commit | ec3a4a853ca62dddf1951972f8f5b37ea40b4ea8 (patch) | |
tree | efe9e5e68420f99ff1a6b892638d9f690ac1ba71 /Authentication | |
parent | c20a3cb3faf81ec9716449b6c07c27b14f52bc75 (diff) | |
download | php-jwt-ec3a4a853ca62dddf1951972f8f5b37ea40b4ea8.zip php-jwt-ec3a4a853ca62dddf1951972f8f5b37ea40b4ea8.tar.gz php-jwt-ec3a4a853ca62dddf1951972f8f5b37ea40b4ea8.tar.bz2 |
Add check for iat claim with some minor documentation updates
Diffstat (limited to 'Authentication')
-rw-r--r-- | Authentication/JWT.php | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
index 7e64b4b..7e8c14e 100644
--- a/Authentication/JWT.php
+++ b/Authentication/JWT.php
@@ -30,8 +30,11 @@ class JWT
 * @param bool $verify Don't skip verification process
 *
 * @return object The JWT's payload as a PHP object
- * @throws UnexpectedValueException Provided JWT was invalid
 * @throws DomainException Algorithm was not provided
+ * @throws UnexpectedValueException Provided JWT was invalid
+ * @throws BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf'
+ * @throws BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat'
+ * @throws ExpiredException Provided JWT has since expired, as defined by the 'exp' claim
 *
 * @uses jsonDecode
 * @uses urlsafeB64Decode
@@ -67,17 +70,27 @@ class JWT
 throw new SignatureInvalidException('Signature verification failed');
 }
 
- // Check token expiry time if defined.
- if (isset($payload->exp) && time() >= $payload->exp) {
- throw new ExpiredException('Expired token');
- }
-
- // Check if the nbf if it is defined.
+ // Check if the nbf if it is defined. This is the time that the
+ // token can actually be used. If it's not yet that time, abort.
 if (isset($payload->nbf) && $payload->nbf > time()) {
 throw new BeforeValidException(
 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
 );
 }
+
+ // Check that this token has been created before 'now'. This prevents
+ // using tokens that have been created for later use (and haven't
+ // correctly used the nbf claim).
+ if (isset($payload->iat) && $payload->iat > time()) {
+ throw new BeforeValidException(
+ 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)
+ );
+ }
+
+ // Check if this token has expired.
+ if (isset($payload->exp) && time() >= $payload->exp) {
+ throw new ExpiredException('Expired token');
+ }
 }
 
 return $payload; |
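Review bot: The new iat check (and the moved exp check) in the second hunk each call time() separately from the nbf check, and none of the three tolerates clock skew between issuer and verifier, so a token whose iat is even one second ahead of this host's clock is rejected with BeforeValidException. Read the clock once (`$now = time();` before the nbf guard) and compare all three claims against it, and consider a small configurable leeway applied to iat, nbf and exp so ordinary skew does not surface as spurious rejections. The guards also compare `$payload->iat` / `$payload->exp` without confirming the claim is numeric; a string claim compares differently across PHP versions, so a non-numeric value should be rejected with UnexpectedValueException rather than silently compared, and a comment like `// exp is exclusive: a token is rejected at exactly its exp second, nbf/iat are inclusive` would record why exp uses `>=` while the others use `>`. The enclosing decode() and its `if ($verify)` block start outside the hunk.
```php
// Read the clock once so nbf, iat and exp are judged against the same instant.
$now = time();

// … unchanged: nbf comment …
if (isset($payload->nbf) && $payload->nbf > $now) {
    // … unchanged: BeforeValidException for nbf …
}

// … unchanged: iat comment …
if (isset($payload->iat) && $payload->iat > $now) {
    // … unchanged: BeforeValidException for iat …
}

// … unchanged: exp comment …
if (isset($payload->exp) && $now >= $payload->exp) {
    // … unchanged: ExpiredException …
}
```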