Skip to content

SDK-2819 prevent scientific notation in timestamp on low-precision#418

Merged
mehmet-yoti merged 1 commit into
Release/4.5.2from
SDK-2819-php-timestamp-serialized-in-scientific-notation-causes-401-message-signing-on-php-8-4-fpm
Jun 29, 2026
Merged

SDK-2819 prevent scientific notation in timestamp on low-precision#418
mehmet-yoti merged 1 commit into
Release/4.5.2from
SDK-2819-php-timestamp-serialized-in-scientific-notation-causes-401-message-signing-on-php-8-4-fpm

Conversation

@mehmet-yoti

@mehmet-yoti mehmet-yoti commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

On PHP FPM environments with non-default precision ini settings (≤12), casting a large float to string could produce scientific notation (e.g. 1.78E+12) instead of a plain integer, causing Yoti signature verification to fail with 401 MESSAGE_SIGNING.

…vironments

On PHP FPM environments with non-default precision ini settings (≤12),
casting a large float to string could produce scientific notation
(e.g. 1.78E+12) instead of a plain integer, causing Yoti signature
verification to fail with 401 MESSAGE_SIGNING.

Replace (string)(round(microtime(true) * 1000)) with
sprintf('%.0F', microtime(true) * 1000) which forces a plain decimal
string regardless of the precision ini setting, and drops the redundant
round() since %.0F already rounds to zero decimal places.

Tests added to verify plain integer output under precision=12 and
precision=8 (via @dataProvider), and to assert the timestamp falls
within the correct Unix-millisecond range under low precision without
masking scientific notation via an early (int) cast.

Fixes #417

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens SignedRequestStrategy::createQueryParams() against PHP environments with low precision ini settings where casting a large float to string can yield scientific notation, which breaks Yoti request signature verification.

Changes:

  • Replace float-to-string timestamp generation with sprintf('%.0F', microtime(true) * 1000) to force a plain decimal integer string.
  • Add PHPUnit coverage to ensure timestamp formatting stays as a plain integer under low precision settings and remains within the expected Unix-millisecond range.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/Http/AuthStrategy/SignedRequestStrategy.php Switches timestamp formatting to a sprintf-based approach that avoids scientific notation under low precision.
tests/Http/AuthStrategy/SignedRequestStrategyTest.php Adds tests validating plain-integer timestamp formatting under low precision and validating millisecond-range correctness.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mehmet-yoti mehmet-yoti changed the base branch from master to Release/4.5.2 June 29, 2026 14:20
@mehmet-yoti mehmet-yoti changed the title fix: prevent scientific notation in timestamp on low-precision PHP en… SDK-2819 prevent scientific notation in timestamp on low-precision PHP Jun 29, 2026
@mehmet-yoti mehmet-yoti changed the title SDK-2819 prevent scientific notation in timestamp on low-precision PHP SDK-2819 prevent scientific notation in timestamp on low-precision Jun 29, 2026
@mehmet-yoti mehmet-yoti merged commit addb754 into Release/4.5.2 Jun 29, 2026
13 checks passed
@mehmet-yoti mehmet-yoti mentioned this pull request Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants