fix: validate numeric type of iat, nbf and exp claims in encode#634
Conversation
The decode() path already rejected non-numeric iat/nbf/exp values, but encode() accepted any type and silently produced an invalid token. Add the same is_numeric guards in encode() and cover them with unit tests. Signed-off-by: Guillaume Delré <delre.guillaume@gmail.com>
bshaffer
added
next major version
do not merge
|
@guillaumedelre thank you for your contribution! Please see my comments here: #453 (review) |
Covers the case where iat/nbf/exp are passed as numeric strings (e.g. (string) time()), which must remain accepted to avoid a breaking change. Signed-off-by: Guillaume Delré <delre.guillaume@gmail.com>
|
Hi @bshaffer, thanks for the feedback on #453! I'm aware of the breaking change concern with I've also added an explicit regression test covering that exact scenario: $payload = [
'message' => 'abc',
'iat' => (string) time(),
'exp' => (string) (time() + 20),
'nbf' => (string) (time() - 20),
];
$encoded = JWT::encode($payload, $key, 'HS256');
$decoded = JWT::decode($encoded, $keyObj); // no exception thrownSo this should be mergeable without a major version bump. Happy to adjust if you'd like a different approach. |
|
@guillaumedelre I see, I was a bit confused by your PR description and referencing the other PR as "fixed". This looks good to me then! |
bshaffer
removed
next major version
do not merge
|
@bshaffer Sorry, I think I might have gotten a bit mixed up. |
3 participants
The decode() path already rejected non-numeric iat/nbf/exp values, but encode() accepted any type and silently produced an invalid token. Add the same is_numeric guards in encode() and cover them with unit tests.
Closes #453