Skip to content

Commit 953b2c8

Browse files
christiandavilakoobinchristiandavilakoobin
authored
fix: validate iat and nbf on payload (#568)
1 parent 43d70ae commit 953b2c8

File tree

2 files changed

+37
-0
lines changed

2 files changed

+37
-0
lines changed

src/JWT.php

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -127,6 +127,16 @@ public static function decode(
127127
if (!$payload instanceof stdClass) {
128128
throw new UnexpectedValueException('Payload must be a JSON object');
129129
}
130+
if (isset($payload->iat) && !\is_numeric($payload->iat)) {
131+
throw new UnexpectedValueException('Payload iat must be a number');
132+
}
133+
if (isset($payload->nbf) && !\is_numeric($payload->nbf)) {
134+
throw new UnexpectedValueException('Payload nbf must be a number');
135+
}
136+
if (isset($payload->exp) && !\is_numeric($payload->exp)) {
137+
throw new UnexpectedValueException('Payload exp must be a number');
138+
}
139+
130140
$sig = static::urlsafeB64Decode($cryptob64);
131141
if (empty($header->alg)) {
132142
throw new UnexpectedValueException('Empty algorithm');

tests/JWTTest.php

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -546,4 +546,31 @@ public function testAdditionalHeaderOverrides()
546546
$this->assertEquals('my_key_id', $headers->kid, 'key param not overridden');
547547
$this->assertEquals('HS256', $headers->alg, 'alg param not overridden');
548548
}
549+
550+
public function testDecodeExpectsIntegerIat()
551+
{
552+
$this->expectException(UnexpectedValueException::class);
553+
$this->expectExceptionMessage('Payload iat must be a number');
554+
555+
$payload = JWT::encode(['iat' => 'not-an-int'], 'secret', 'HS256');
556+
JWT::decode($payload, new Key('secret', 'HS256'));
557+
}
558+
559+
public function testDecodeExpectsIntegerNbf()
560+
{
561+
$this->expectException(UnexpectedValueException::class);
562+
$this->expectExceptionMessage('Payload nbf must be a number');
563+
564+
$payload = JWT::encode(['nbf' => 'not-an-int'], 'secret', 'HS256');
565+
JWT::decode($payload, new Key('secret', 'HS256'));
566+
}
567+
568+
public function testDecodeExpectsIntegerExp()
569+
{
570+
$this->expectException(UnexpectedValueException::class);
571+
$this->expectExceptionMessage('Payload exp must be a number');
572+
573+
$payload = JWT::encode(['exp' => 'not-an-int'], 'secret', 'HS256');
574+
JWT::decode($payload, new Key('secret', 'HS256'));
575+
}
549576
}

0 commit comments

Comments
 (0)