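/**
 * Reads the session data from the cookie, verifies its authenticity, and
 * returns the data to be natively unserialized into the $_SESSION
 * superglobal.
 *
 * Security note: the string returned here is fed straight into PHP's native
 * session unserializer. The JWT signature check done by the JWT layer is the
 * only thing standing between an attacker-controlled cookie and that
 * unserialize step, so anything that did not verify, or that is not a
 * string, must be treated as "no session" ('').
 *
 * NOTE(review): only KeyNotFoundException and InvalidSignatureException are
 * mapped to "no session"; any other JWTException (e.g. a cookie that is not a
 * JWT at all) propagates out of the save handler and therefore out of
 * session_start(). Confirm that is the intended failure mode for garbage
 * cookies rather than silently starting an empty session.
 *
 * @param string $session_id (unused)
 * @return string the serialized session string, or '' when there is no
 *                cookie, no key for the token, the signature does not
 *                verify, or the session claim is missing / not a string
 * @throws JWTException if JWT processing fails for any other reason
 */
public function read($session_id)
{
    // session_id is intentionally ignored: the signed cookie itself carries
    // the session state, there is no server-side store to look it up in
    if (empty($_COOKIE[$this->cookie])) {
        return '';
    }
    $encoded = $_COOKIE[$this->cookie];
    try {
        $jwt = JWT::fromEncoded($encoded, $this->secrets);
        // NOTE(review): signature verification appears to happen lazily in
        // getClaims() rather than in fromEncoded(); keep both calls inside
        // the try so a tampered token is caught below -- confirm
        $claims = $jwt->getClaims();
    } catch (KeyNotFoundException $e) {
        // unknown key id: cannot verify, so no session
        return '';
    } catch (InvalidSignatureException $e) {
        // tampered or foreign token: no session
        return '';
    }
    // A token that verified but carries no session claim (or a non-string
    // one) would otherwise yield null plus an "undefined index" notice; a
    // session read handler must return a string, so normalise to ''.
    if (!isset($claims[self::CLAIM]) || !is_string($claims[self::CLAIM])) {
        return '';
    }
    return $claims[self::CLAIM];
}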
/**
 * Decodes a compact-serialised JWT against the configured key container and
 * stores the resulting token on this object.
 *
 * The key container must already have been supplied via setKeys(): a token
 * decoded without keys could never be verified, so the call is refused
 * outright instead of producing an unverifiable token.
 *
 * NOTE(review): JWT::fromEncoded() does not obviously verify the signature
 * itself; verification may be deferred until the claims are read. Do not
 * treat a successful return from this method as proof the token is genuine.
 *
 * @param string $token the encoded (compact) JWT
 * @return self fluent
 * @throws BadMethodCallException if no keys have been configured yet
 */
public function setEncodedToken(string $token) : self
{
    $container = $this->keys;
    if (!$container) {
        throw new BadMethodCallException('call setKeys() before setEncodedToken()');
    }
    $decoded = JWT::fromEncoded($token, $container);
    $this->setToken($decoded);
    return $this;
}
/**
 * A token whose "alg" header does not match the algorithm the server
 * expects must be rejected as an invalid signature, even if the secret it
 * was signed with is otherwise valid. This is the classic algorithm
 * confusion / downgrade scenario (e.g. an RSxxx key being abused as an HMAC
 * secret, or a weaker HMAC variant being substituted).
 *
 * @covers ::getClaims
 */
public function testModifiedAlgorithmTriggersInvalidSignature()
{
    // header  {"alg":"HS256","typ":"JWT"}
    // payload {"foo":"bar"}
    // signature: HS256 over the above
    $header    = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
    $payload   = 'eyJmb28iOiJiYXIifQ';
    $signature = 'dtxWM6MIcgoeMgH87tGvsNDY6cHWL6MGW4LeYvnm1JA';
    $tampered  = $header . '.' . $payload . '.' . $signature;

    // The server side is pinned to HMAC-SHA-512 (or derives that from the
    // key id). The token above claims HS256 instead, so its signature must
    // not be accepted regardless of the secret being the right one.
    $container = $this->getKeyContainer()->setDefaultKey('HS512');
    $jwt = JWT::fromEncoded($tampered, $container);

    // Verification is performed when the claims are read, not at decode time
    $this->expectException(InvalidSignatureException::class);
    $jwt->getClaims();
}