adhocore / php-jwt Goto Github PK

Old versions will still support PHP5

This is done to make PHP typehints work properly and improve code standards.

Sometimes it is useful to be able to decode the token without validation of the signature or timestamps.
And other times it is useful to just validate the token without (the need to) decoding it.

Hi, in the current version:

That line should be:

['nbf', -$this->leeway, static::ERROR_TOKEN_NOT_NOW, 'Not now'],

When checking the nbf ("not before") time, then the "max age" value is not relevant.

Let's see an example:

• Current time = 2020-10-08 12:00:00
• Max age = 3 hours = 10800 sec
• nbf = 2020-10-08 11:00:00 (will be valid after this time)
• leeway = 5 sec (allow max 5 sec misalignment of server clocks)

Then the current code would say:

• The token fails the nbf check because:
  • reference value = 2020-10-08 11:00:00 + 3 hours - 5 sec = 2020-10-08 13:59:55
  • And the current time still hasn't reached this value yet.

But it should only subtract the leeway, and leave the irrelevant "max age" out of this:

• The nbf check is successful, because:
  • reference value = 2020-10-08 11:00:00 - 5 sec = 2020-10-08 10:59:55
  • And the current time is greater than this value.

Hello, when I call the route with $jwt = new JWT('secret', 'HS256', 3600, 10); on code, returns Server Error 500, I'm using Docker:

api/test.php:

<?php
  include "../vendor/autoload.php";
	use Ahc\Jwt\JWT;

  $jwt = new JWT('secret', 'HS256', 3600, 10);
?>

Error on POST:

In Try Catch return this error:

Error Object
(
    [message:protected] => Class 'Ahc\Jwt\JWT' not found
    [string:Error:private] => 
    [code:protected] => 0
    [file:protected] => /var/www/html/api/test.php
    [line:protected] => 8
    [trace:Error:private] => Array
        (
        )

    [previous:Error:private] => 
)

When I remove $jwt = new JWT('secret', 'HS256', 3600, 10); the error not occurred.
Any idea how solve this?

An uncaught Exception was encountered

Type: Ahc\Jwt\JWTException

Message: Unsupported algo PS256

From what I can see in docs, it seems only possible to pass a file path in the constructor. It would be helpful if I could pass the key directly as a string without having to create a file first (in my case it's coming from a database). Is there maybe a trick using the resource method somehow?

Move to GitHub action.
Build should run on all php versions currently supported by this library.

Hi,

I managed to include this very user friendly library in a project and create a token that validates on jwt.io.
I am sending this token in a http header to another server where it needs to be validated. This is not working though. The other server only has access to the public key. When I try to echo (new JWT($public_key))->decode($token); I receive an error:

Uncaught Ahc\Jwt\JWTException: Invalid token: Signature failed in JWT.php:153 Stack trace: #0 ....Ahc\Jwt\JWT->decode(Array) #1 {main} thrown in JWT.php on line 153

Surely I am doing something wrong. How can I validate the JWT string and decode it to retrieve its content?

I created a PEM file on server ubuntu 18 with openssl 1.1.1 using this code

 $privkey = openssl_pkey_new([
            'digest_alg' => 'sha256',
            'private_key_bits' => 1024,
            'private_key_type' => OPENSSL_KEYTYPE_RSA,
        ]);
        try {
            openssl_pkey_export_to_file($privkey, 'WEB-INF/config/' . $filename);
        } catch (Exception $e) {
            echo 'Caught exception: ',  $e->getMessage(), "\n";
        }

on the same server it runs well, encoding and decoding as expected.

Then if I try the to decode using the same PEM file on different server (wich use openssl 1.1.1f) it doesn't run saying that signature is invalid.

Doing the same using a string instead of PEM file works. I cannot understand... could it be that PEM file I created depend on specficia server?

still extends \InvalidArgumentException

Please change the description

Closing this. I saw it was fixed in a newer version.