-rw-r--r-- | Authentication/JWT.php | 11 | ||||
-rw-r--r-- | tests/JWTTest.php | 9 |
2 files changed, 19 insertions, 1 deletions
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
index 38a4f7e..90c1ac7 100644
--- a/Authentication/JWT.php
+++ b/Authentication/JWT.php
@@ -157,7 +157,16 @@ class JWT
 }
 case 'hash_hmac':
 default:
- return $signature === hash_hmac($algo, $msg, $key, true);
+ $hash = hash_hmac($algo, $msg, $key, true);
+ $len = min(strlen($signature), strlen($hash));
+
+ $status = 0;
+ for ($i = 0; $i < $len; $i++) {
+ $status |= (ord($signature[$i]) ^ ord($hash[$i]));
+ }
+ $status |= (strlen($signature) ^ strlen($hash));
+
+ return ($status === 0);
 }
 }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index ee131d4..2149862 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
@@ -47,6 +47,15 @@ class JWTTest extends PHPUnit_Framework_TestCase {
 $this->assertEquals($decoded->message, 'abc');
 }
+ function testInvalidToken() {
+ $payload = array(
+ "message" => "abc",
+ "exp" => time() + 20); // time in the future
+ $encoded = JWT::encode($payload, 'my_key');
+ $this->setExpectedException('UnexpectedValueException');
+ $decoded = JWT::decode($encoded, 'my_key2');
+ }
+
 function testRSEncodeDecode() {
 $privKey = openssl_pkey_new(array('digest_alg' => 'sha256',
 'private_key_bits' => 1024, |
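Review bot: The new comparison in the `hash_hmac` branch carries no comment saying why it XORs every byte and then the two lengths instead of using `===`, so a later cleanup could collapse it back to the single-expression form the commit is removing; a comment such as `// Constant-time comparison: fold every byte and the lengths into $status so the time taken does not depend on where the first mismatch is` above `$status = 0;` would protect the intent. On PHP 5.6 and later `hash_equals($hash, $signature)` performs the same timing-safe check natively, so if the project can require that version `return hash_equals($hash, $signature);` is the simpler form, with this loop kept only as a fallback behind `function_exists('hash_equals')`. The enclosing method begins outside the hunk, so I cannot see whether `$signature` is guaranteed to be a string before it is indexed byte by byte with `$signature[$i]`.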
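Review bot: `testInvalidToken` only exercises a wrong key, which yields a mismatching signature of the same length as the expected one, so the length-difference term (`strlen($signature) ^ strlen($hash)`) that the companion change in Authentication/JWT.php adds is still untested; a second case that shortens the signature segment of `$encoded` before decoding and likewise expects `UnexpectedValueException` would cover it. The `$decoded` assignment on the last added line is never read and can be dropped to `JWT::decode($encoded, 'my_key2');`. Whether a shortened signature reaches the `hash_hmac` branch rather than being rejected earlier depends on decode's parsing, which lies outside this hunk.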