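/**
 * Reads the session data from the cookie, verifies its authenticity, and
 * returns the data to be natively unserialized into the $_SESSION
 * superglobal.
 *
 * The cookie value is a JWT. Its signature is checked (by getClaims()) against
 * the configured key container before any claim is trusted; a missing cookie,
 * an unknown key id or a bad signature all yield an empty session ('') rather
 * than an error, so a tampered cookie simply starts a fresh session.
 *
 * @param string $session_id (unused) id supplied by PHP's session layer; the
 *                           cookie named in $this->cookie is the only source
 * @return string the serialized session string, or '' when there is no valid
 *                session cookie or the verified token carries no session claim
 * @throws JWTException if JWT processing fails for a reason other than an
 *                      unknown key or an invalid signature (e.g. malformed token)
 */
public function read($session_id)
{
    // session_id is intentionally ignored; see docblock
    if (empty($_COOKIE[$this->cookie])) {
        return '';
    }
    $encoded = $_COOKIE[$this->cookie];
    try {
        $jwt = JWT::fromEncoded($encoded, $this->secrets);
        // getClaims() performs the signature check; nothing after this line
        // runs on an unverified token
        $claims = $jwt->getClaims();
    } catch (KeyNotFoundException $e) {
        // Unknown key id (e.g. a rotated-out secret): treat as no session
        return '';
    } catch (InvalidSignatureException $e) {
        // Tampered or foreign token: treat as no session
        return '';
    }
    // A validly-signed token may still lack the session claim, or carry a
    // non-string value. Previously that produced an undefined-index notice and
    // a null return in violation of the documented string contract; an empty
    // session is the safe answer here.
    $data = $claims[self::CLAIM] ?? null;
    if (!is_string($data)) {
        return '';
    }
    return $data;
}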
/**
 * Adopts the claims of a token as this object's state.
 *
 * Copies the `uid` claim, discards any cached user object so it is validated
 * again on next use, and rebuilds the timestamp properties from the optional
 * date claims (an absent claim leaves the property null).
 *
 * @param JWT $jwt token whose claims are applied; getClaims() is expected to
 *                 throw (e.g. InvalidSignatureException) for a tampered token,
 *                 so an unverified token never reaches the assignments below
 * @return self fluent
 */
private function setToken(JWT $jwt) : self
{
    $claims = $jwt->getClaims();
    $this->uid = $claims['uid'];
    // Override any previously-set user to re-perform validation
    $this->user = null;

    // Each property mirrors the same-named optional claim holding a date value.
    // NOTE(review): the claim's format is not visible here; the code assumes
    // something DateTime's parser accepts — confirm against the token issuer.
    $timestampClaims = ['ifct', 'ifet', 'kfct', 'kfet', 'pfct', 'pfet', 'hst'];
    foreach ($timestampClaims as $name) {
        $this->{$name} = isset($claims[$name]) ? new DateTime($claims[$name]) : null;
    }
    return $this;
}
/**
 * A token whose header says HS256 must be rejected when the key container is
 * pinned to HS512, even though its signature was produced with the real
 * secret. This is the shape of an algorithm-swap on a token: the verifier
 * must honour only its own configured algorithm, never the one the token's
 * header asks for.
 *
 * @covers ::getClaims
 */
public function testModifiedAlgorithmTriggersInvalidSignature()
{
    // header {"alg":"HS256","typ":"JWT"}, payload {"foo":"bar"}, HS256 signature
    $header = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
    $payload = 'eyJmb28iOiJiYXIifQ';
    $signature = 'dtxWM6MIcgoeMgH87tGvsNDY6cHWL6MGW4LeYvnm1JA';
    $vector = implode('.', [$header, $payload, $signature]);

    // Assume the server is hardcoded to HMAC-SHA-512 (or derived it from the
    // key id). The tampered token is signed with HS256 using a secret that is
    // actually valid, which is indicative of the RSxxx/HSxxx swap; the pinned
    // algorithm must win and the signature must be reported as invalid.
    $keys = $this->getKeyContainer()->setDefaultKey('HS512');
    $jwt = JWT::fromEncoded($vector, $keys);

    // Verification happens in getClaims(), so the expectation is set only now
    $this->expectException(InvalidSignatureException::class);
    $jwt->getClaims();
}