/**
 * Interoperability check for HMAC-SHA256: a token produced by a different
 * JWT implementation (header {"alg":"HS256","typ":"JWS"}, payload
 * {"hello":"world"}) must both parse and verify with the shared secret
 * "testing" that the other library signed it with.
 *
 * @test
 *
 * @covers \Lcobucci\JWT\Configuration
 * @covers \Lcobucci\JWT\Builder
 * @covers \Lcobucci\JWT\Parser
 * @covers \Lcobucci\JWT\Token
 * @covers \Lcobucci\JWT\Signature
 * @covers \Lcobucci\JWT\Signer\Key
 * @covers \Lcobucci\JWT\Signer\BaseSigner
 * @covers \Lcobucci\JWT\Signer\Hmac
 * @covers \Lcobucci\JWT\Signer\Hmac\Sha256
 * @covers \Lcobucci\JWT\Claim\Factory
 * @covers \Lcobucci\JWT\Claim\Basic
 */
public function everythingShouldWorkWhenUsingATokenGeneratedByOtherLibs()
{
    // Compact JWS serialisation (header.payload.signature), split only to
    // keep the source line short.
    $externalJwt = implode('', [
        'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJoZWxsbyI6IndvcmxkIn0.Rh',
        '7AEgqCB7zae1PkgIlvOpeyw9Ab8NGTbeOH7heHO0o',
    ]);

    $parser = $this->config->getParser();
    $token  = $parser->parse($externalJwt);

    // Claim contents survive the round trip through a foreign encoder.
    self::assertEquals('world', $token->getClaim('hello'));

    // The signature must check out against the signer this configuration
    // chose (not one picked from the token) using the other library's secret.
    self::assertTrue($token->verify($this->config->getSigner(), 'testing'));
}
/**
 * Interoperability check for RSA-SHA256: a token produced by a different
 * JWT implementation (header {"alg":"RS256","typ":"JWS"}, payload
 * {"hello":"world"}) must both parse and verify against the public half of
 * the test RSA key pair.
 *
 * @test
 *
 * @covers \Lcobucci\JWT\Configuration
 * @covers \Lcobucci\JWT\Builder
 * @covers \Lcobucci\JWT\Parser
 * @covers \Lcobucci\JWT\Token
 * @covers \Lcobucci\JWT\Signature
 * @covers \Lcobucci\JWT\Signer\Key
 * @covers \Lcobucci\JWT\Signer\BaseSigner
 * @covers \Lcobucci\JWT\Signer\Rsa
 * @covers \Lcobucci\JWT\Signer\Rsa\Sha256
 * @covers \Lcobucci\JWT\Claim\Factory
 * @covers \Lcobucci\JWT\Claim\Basic
 */
public function everythingShouldWorkWhenUsingATokenGeneratedByOtherLibs()
{
    // Compact JWS serialisation (header.payload.signature); the RSA
    // signature is long, so it is split across several literals.
    $externalJwt = implode('', [
        'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJoZWxsbyI6IndvcmxkIn0.s',
        'GYbB1KrmnESNfJ4D9hOe1Zad_BMyxdb8G4p4LNP7StYlOyBWck6q7XPpPj_6gB',
        'Bo1ohD3MA2o0HY42lNIrAStaVhfsFKGdIou8TarwMGZBPcif_3ThUV1pGS3fZc',
        'lFwF2SP7rqCngQis_xcUVCyqa8E1Wa_v28grnl1QZrnmQFO8B5JGGLqcrfUHJO',
        'nJCupP-Lqh4TmIhftIimSCgLNmJg80wyrpUEfZYReE7hPuEmY0ClTqAGIMQoNS',
        '98ljwDxwhfbSuL2tAdbV4DekbTpWzspe3dOJ7RSzmPKVZ6NoezaIazKqyqkmHZfcMaHI1lQeGia6LTbHU1bp0gINi74Vw',
    ]);

    $parser = $this->config->getParser();
    $token  = $parser->parse($externalJwt);

    // Claim contents survive the round trip through a foreign encoder.
    self::assertEquals('world', $token->getClaim('hello'));

    // Verification uses the configured signer and the PUBLIC key only; the
    // private half is never needed on the verifying side.
    $publicKey = self::$rsaKeys['public'];
    self::assertTrue($token->verify($this->config->getSigner(), $publicKey));
}
/**
 * Regression test for algorithm confusion ("key confusion").
 *
 * The starting point is a genuine ES512 token (header
 * {"alg":"ES512","typ":"JWT"}, payload {"hello":"world"}) and the matching
 * EC public key. A forged copy is produced by createMaliciousToken(); the
 * assertions then show that the forgery only passes when the verifier lets
 * the token dictate the signer (HMAC-SHA512 keyed with the public key) and
 * fails when the verifier insists on the signer it knows to be correct.
 *
 * @test
 *
 * @covers \Lcobucci\JWT\Configuration
 * @covers \Lcobucci\JWT\Builder
 * @covers \Lcobucci\JWT\Parser
 * @covers \Lcobucci\JWT\Token
 * @covers \Lcobucci\JWT\Signature
 * @covers \Lcobucci\JWT\Signer\Key
 * @covers \Lcobucci\JWT\Signer\BaseSigner
 * @covers \Lcobucci\JWT\Signer\Ecdsa
 * @covers \Lcobucci\JWT\Signer\Ecdsa\KeyParser
 * @covers \Lcobucci\JWT\Signer\Ecdsa\EccAdapter
 * @covers \Lcobucci\JWT\Signer\Ecdsa\SignatureSerializer
 * @covers \Lcobucci\JWT\Signer\Ecdsa\Sha512
 * @covers \Lcobucci\JWT\Signer\Hmac
 * @covers \Lcobucci\JWT\Signer\Hmac\Sha512
 * @covers \Lcobucci\JWT\Claim\Factory
 * @covers \Lcobucci\JWT\Claim\Basic
 */
public function preventRegressionsThatAllowsMaliciousTampering()
{
    // A legitimately ES512-signed token, as another party would hand it to us.
    $genuineJwt = implode('', [
        'eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.',
        'AQx1MqdTni6KuzfOoedg2-7NUiwe-b88SWbdmviz40GTwrM0Mybp1i1tVtm',
        'TSQ91oEXGXBdtwsN6yalzP9J-sp2YATX_Tv4h-BednbdSvYxZsYnUoZ--ZU',
        'dL10t7g8Yt3y9hdY_diOjIptcha6ajX8yzkDGYG42iSe3f5LywSuD6FO5c',
    ]);

    // The EC public key that belongs to the signature above. Being public,
    // it is exactly the material an attacker can be assumed to possess.
    $publicKey = new Key(implode(PHP_EOL, [
        '-----BEGIN PUBLIC KEY-----',
        'MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcpkss6wI7PPlxj3t7A1RqMH3nvL4',
        'L5Tzxze/XeeYZnHqxiX+gle70DlGRMqqOq+PJ6RYX7vK0PJFdiAIXlyPQq0B3KaU',
        'e86IvFeQSFrJdCc0K8NfiH2G1loIk3fiR+YLqlXk6FAeKtpXJKxR1pCQCAM+vBCs',
        'mZudf1zCUZ8/4eodlHU=',
        '-----END PUBLIC KEY-----',
    ]));

    // Let's let the attacker tamper with our message!
    $forgedJwt = $this->createMaliciousToken($genuineJwt, $publicKey);

    // At this point we have our forged message in $forgedJwt for testing.
    //
    // If we allowed the attacker to dictate which Signer we use (e.g.
    // HMAC-SHA512 instead of ECDSA), they could forge messages: the HMAC
    // "secret" would be our public key, which they already have. The
    // defence is that the verifier, not the token, chooses the signer.
    $parser = $this->config->getParser();
    $token  = $parser->parse($forgedJwt);

    self::assertEquals(
        'world',
        $token->getClaim('hello'),
        'The claim content should not be modified'
    );

    // Demonstrates the weakness: trusting the token's alg makes it "valid".
    self::assertTrue(
        $token->verify(new HS512(), $publicKey),
        'Using the attackers signer should make things unsafe'
    );

    // Demonstrates the defence: pinning the expected signer rejects it.
    self::assertFalse(
        $token->verify(Sha512::create(), $publicKey),
        'But we know which Signer should be used so the attack fails'
    );
}
/**
 * A parser injected through setParser() must be handed back by getParser()
 * as the very same instance, rather than a freshly created default one.
 *
 * @test
 *
 * @covers \Lcobucci\JWT\Configuration::getParser
 * @covers \Lcobucci\JWT\Configuration::setParser
 *
 * @uses \Lcobucci\JWT\Builder
 * @uses \Lcobucci\JWT\Claim\Factory
 * @uses \Lcobucci\JWT\Parser
 */
public function getParserShouldNotCreateAnInstanceIfItWasConfigured()
{
    $configuration = new Configuration();
    $configuration->setParser($this->parser);

    // Identity, not equality: no new Parser may have been built.
    $returned = $configuration->getParser();
    self::assertSame($this->parser, $returned);
}
/**
 * Round trip: a token built by builderCanGenerateAToken(), once serialised
 * to its string form, must parse back into an equal Token whose "user"
 * claim still carries the name "testing".
 *
 * @test
 *
 * @depends builderCanGenerateAToken
 *
 * @covers \Lcobucci\JWT\Configuration
 * @covers \Lcobucci\JWT\Builder
 * @covers \Lcobucci\JWT\Parser
 * @covers \Lcobucci\JWT\Token
 * @covers \Lcobucci\JWT\Claim\Factory
 * @covers \Lcobucci\JWT\Claim\Basic
 */
public function parserCanReadAToken(Token $generated)
{
    $serialised = (string) $generated;
    $parsed     = $this->config->getParser()->parse($serialised);

    // Structural equality of the whole token, then a spot check on a claim.
    self::assertEquals($generated, $parsed);

    $userClaim = $parsed->getClaim('user');
    self::assertEquals('testing', $userClaim['name']);
}