Skip to content

fix: validate numeric type of iat, nbf and exp claims in encode #634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bshaffer merged 3 commits into from
May 11, 2026
+48 −0
Merged

fix: validate numeric type of iat, nbf and exp claims in encode #634

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f31a884
fix: validate numeric type of iat, nbf and exp claims in encode
guillaumedelre May 10, 2026
9650187
test: add regression test for numeric string timestamps in encode
guillaumedelre May 11, 2026
883d925
Merge branch 'main' into fix/pr-453-numeric-claims
bshaffer May 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions src/JWT.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,15 @@ public static function encode(
if ($keyId !== null) {
$header['kid'] = $keyId;
}
if (isset($payload['nbf']) && !\is_numeric($payload['nbf'])) {
throw new UnexpectedValueException('Payload nbf must be a number');
}
if (isset($payload['iat']) && !\is_numeric($payload['iat'])) {
throw new UnexpectedValueException('Payload iat must be a number');
}
if (isset($payload['exp']) && !\is_numeric($payload['exp'])) {
throw new UnexpectedValueException('Payload exp must be a number');
}
$segments = [];
$segments[] = static::urlsafeB64Encode((string) static::jsonEncode($header));
$segments[] = static::urlsafeB64Encode((string) static::jsonEncode($payload));
Expand Down
39 changes: 39 additions & 0 deletions tests/JWTTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -609,6 +609,45 @@ public function testDecodeExpectsIntegerExp()
JWT::decode($payload, $this->hmacKey);
}

public function testEncodeThrowsWhenIatIsNotNumeric(): void
{
$this->expectException(UnexpectedValueException::class);
$this->expectExceptionMessage('Payload iat must be a number');

JWT::encode(['iat' => 'not-an-int'], $this->hmacKey->getKeyMaterial(), 'HS256');
}

public function testEncodeThrowsWhenNbfIsNotNumeric(): void
{
$this->expectException(UnexpectedValueException::class);
$this->expectExceptionMessage('Payload nbf must be a number');

JWT::encode(['nbf' => 'not-an-int'], $this->hmacKey->getKeyMaterial(), 'HS256');
}

public function testEncodeThrowsWhenExpIsNotNumeric(): void
{
$this->expectException(UnexpectedValueException::class);
$this->expectExceptionMessage('Payload exp must be a number');

JWT::encode(['exp' => 'not-an-int'], $this->hmacKey->getKeyMaterial(), 'HS256');
}

public function testEncodeAcceptsNumericStringTimestamps(): void
{
$payload = [
'message' => 'abc',
'iat' => (string) time(),
'exp' => (string) (time() + 20),
'nbf' => (string) (time() - 20),
];

$encoded = JWT::encode($payload, $this->hmacKey->getKeyMaterial(), 'HS256');
$decoded = JWT::decode($encoded, $this->hmacKey);

$this->assertSame('abc', $decoded->message);
}

public function testRsaKeyLengthValidationThrowsException(): void
{
$this->expectException(DomainException::class);
Expand Down
Loading