示例#1
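 /**
  * Session read handler: loads the serialized session payload from the JWT
  * held in the session cookie.
  *
  * The cookie is client-controlled. The payload is returned only when
  * JWT::fromEncoded() and getClaims() accept the token against
  * $this->secrets and the session claim is present as a string. In every
  * other handled case an empty string is returned, which PHP treats as
  * "no session data".
  *
  * NOTE(review): the returned string is natively unserialized into
  * $_SESSION, so the signature check here is the only barrier between a
  * client-supplied cookie and the session unserializer.
  * NOTE(review): only signature verification is visible in this method. If
  * the token is signed but not encrypted, the session contents are readable
  * by the client; confirm nothing secret is stored in the session.
  * NOTE(review): no expiry check is visible here; confirm that getClaims()
  * or the cookie lifetime enforces one.
  *
  * @param string $session_id (unused)
  * @return string the serialized session string, or '' when there is no
  *                usable session cookie
  * @throws JWTException for JWT processing failures other than the two
  *                      caught below (missing key, invalid signature)
  */
 public function read($session_id)
 {
     // session_id is intentionally ignored
     $encoded = isset($_COOKIE[$this->cookie]) ? $_COOKIE[$this->cookie] : '';
     // A cookie sent as name[]=... arrives as an array; treat anything that
     // is not a non-empty string the same way as a missing cookie.
     if (!is_string($encoded) || empty($encoded)) {
         return '';
     }
     try {
         $jwt = JWT::fromEncoded($encoded, $this->secrets);
         $claims = $jwt->getClaims();
         // A validly signed token without the session claim (or with a
         // non-string value) must not reach the session unserializer:
         // the handler contract is to return a string.
         if (!isset($claims[self::CLAIM]) || !is_string($claims[self::CLAIM])) {
             return '';
         }
         return $claims[self::CLAIM];
     } catch (KeyNotFoundException $e) {
         // Token references a key that is not in $this->secrets
         return '';
     } catch (InvalidSignatureException $e) {
         // Tampered or wrongly signed token: start with an empty session
         return '';
     }
 }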
示例#2
文件: Auth.php 项目: firehed/auth
 /**
  * Populate this object's uid and timestamp fields from a token's claims.
  *
  * NOTE(review): the claims are used as-is, so this relies on getClaims()
  * having verified the token before returning them. Confirm against the
  * JWT library.
  * NOTE(review): 'uid' is read without an existence check. A token lacking
  * it would leave $this->uid null; confirm callers reject such tokens.
  *
  * @param JWT $jwt token whose claims are copied onto this object
  * @return self this instance, for chaining
  */
 private function setToken(JWT $jwt) : self
 {
     $claims = $jwt->getClaims();
     $this->uid = $claims['uid'];

     // Drop any previously-set user so validation is performed again
     $this->user = null;

     // Restore timestamps: each claim becomes a DateTime, or null when the
     // token does not carry it. Order matches the property assignments
     // this loop replaces.
     $timestampClaims = ['ifct', 'ifet', 'kfct', 'kfet', 'pfct', 'pfet', 'hst'];
     foreach ($timestampClaims as $name) {
         if (isset($claims[$name])) {
             $this->{$name} = new DateTime($claims[$name]);
         } else {
             $this->{$name} = null;
         }
     }

     return $this;
 }
示例#3
文件: JWTTest.php 项目: firehed/jwt
 /**
  * A token whose header names a different algorithm than the one the
  * server's key configuration uses must fail signature verification.
  *
  * This guards against algorithm confusion: the verifier has to take the
  * algorithm from server-side key configuration, not from the token's
  * own "alg" header.
  *
  * @covers ::getClaims
  */
 public function testModifiedAlgorithmTriggersInvalidSignature()
 {
     // Server side: assume the algorithm is hardcoded to HMAC-SHA-512, or
     // was derived from the key id.
     $container = $this->getKeyContainer();
     $keys = $container->setDefaultKey('HS512');

     // Client side: a tampered-with token signed with HS256. The secret
     // itself is valid, which is indicative of the RSxxx swap.
     // Header decodes to {"alg":"HS256","typ":"JWT"}, payload to {"foo":"bar"}.
     $header = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.';
     $payload = 'eyJmb28iOiJiYXIifQ.';
     $signature = 'dtxWM6MIcgoeMgH87tGvsNDY6cHWL6MGW4LeYvnm1JA';
     $vector = $header . $payload . $signature;

     $jwt = JWT::fromEncoded($vector, $keys);

     // The expectation is registered only after decoding, so the exception
     // has to come from getClaims() for the test to pass.
     $this->expectException(InvalidSignatureException::class);
     $jwt->getClaims();
 }