Skip to content

SignedRequestStrategy timestamp may use scientific notation on PHP 8.4, causing signing failures #417

Description

@paulgibbs

Hi Yoti team,

We encountered a signing failure when using the PHP SDK on WP Engine FPM running PHP 8.4.22.

The issue appears to come from the timestamp generated in:

Yoti\Http\AuthStrategy\SignedRequestStrategy::createQueryParams()

The current upstream code casts the rounded millisecond timestamp to a string:

'timestamp' => (string)(round(microtime(true) * 1000)),

In our environment, this can produce a timestamp in scientific notation, for example:

timestamp=1.78231576830E%2B12

That timestamp is included in the signed request URL, and Yoti rejects the request with:

401 - MESSAGE_SIGNING - The message was not signed correctly

We patched the SDK locally by formatting the timestamp as a plain integer string:

'timestamp' => sprintf('%.0F', round(microtime(true) * 1000)),

This produces the expected millisecond timestamp format, for example:

1782315979361

After applying that change, the signed request timestamp is emitted as a plain integer and the signing failure is resolved.

Would you consider updating SignedRequestStrategy::createQueryParams() to force a non-scientific integer timestamp string?

--

The above was written up from an issue ticket by AI, but I reviewed and debugged and tested the issue (as a Human!). If any more information or testing can be done on the environment in question, please let me know. Happy to help.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions