Merge pull request #42 from bizley/3.4.0
3.4.0
Bizley authored Aug 20, 2022
2 parents da3c423 + 4bc9739 commit 8645176
Showing 6 changed files with 56 additions and 14 deletions.
21 changes: 20 additions & 1 deletion README.md
Expand Up @@ -36,7 +36,7 @@ Add `jwt` component to your configuration file:
'components' => [
'jwt' => [
'class' => \bizley\jwt\Jwt::class,
'signer' => ... // Signer ID
'signer' => ... // Signer ID, or signer object, or signer configuration
'signingKey' => ... // Secret key string or path to the signing key file
],
],
Expand All @@ -55,12 +55,31 @@ Asymmetric:
- RSA (RS256, RS384, RS512)
- ECDSA (ES256, ES384, ES512)
- EdDSA (since 3.1.0)
- BLAKE2B (since 3.4.0)

Signer IDs are available as constants (like Jwt::HS256).

You can also provide your own signer, either as an instance of Lcobucci\JWT\Signer or by adding its config to `signers`
and `algorithmTypes` and using its ID for `signer`.

> As stated in lcobucci/jwt documentation: Although BLAKE2B is fantastic due to its performance, it's not JWT standard
> and won't necessarily be offered by other libraries.
### Note on signers and minimum bits requirement

Since `lcobucci/jwt 4.2.0` signers require the minimum key length to make sure those are properly secured, otherwise
the `InvalidKeyProvided` is thrown. If for any reason (**and on your own risk**) you would still like to use the less
secure key (for example HS256 with fewer than 256 bits length) you can wire it through this library by using the
`Unsafe` version of that signer (for example `Lcobucci\JWT\Signer\Hmac\Sha256` has the unsafe version
`Lcobucci\JWT\Signer\Hmac\UnsafeSha256`). Unsafe versions are using the same algorithm ID, so you don't have to add them
on the `Jwt::$algorithmTypes` list, but you need to configure them manually for your signer configuration like:

```php
[
'signer' => [\Lcobucci\JWT\Signer\Hmac\UnsafeSha256::class],
]
```

### Keys

For symmetric signers `signingKey` is required. For asymmetric ones you also need to set `verifyingKey`. Keys can be
2 changes: 1 addition & 1 deletion infection.json.dist
Expand Up @@ -14,7 +14,7 @@
"@default": true,
"MethodCallRemoval": {
"ignore": [
"bizley\\jwt\\Jwt::init::190",
"bizley\\jwt\\Jwt::init::193",
"bizley\\jwt\\JwtHttpBearerAuth::init::77"
]
}
8 changes: 7 additions & 1 deletion src/Jwt.php
Expand Up @@ -47,6 +47,7 @@ class Jwt extends Component
public const ES384 = 'ES384';
public const ES512 = 'ES512';
public const EDDSA = 'EdDSA';
public const BLAKE2B = 'BLAKE2B';

public const STORE_IN_MEMORY = 'in_memory';
public const STORE_LOCAL_FILE_REFERENCE = 'local_file_reference'; // deprecated since 3.2.0, will be removed in 4.0.0
Expand Down Expand Up @@ -131,6 +132,7 @@ class Jwt extends Component
self::ES384 => [Signer\Ecdsa\Sha384::class],
self::ES512 => [Signer\Ecdsa\Sha512::class],
self::EDDSA => [Signer\Eddsa::class],
self::BLAKE2B => [Signer\Blake2b::class],
];

/**
Expand All @@ -151,6 +153,7 @@ class Jwt extends Component
self::ES384,
self::ES512,
self::EDDSA,
self::BLAKE2B,
],
];

Expand Down Expand Up @@ -372,6 +375,9 @@ private function prepareKey($key): Signer\Key
}

if ($store === self::STORE_IN_MEMORY) {
if ($value === '') {
return Signer\Key\InMemory::empty();
}
if ($method === self::METHOD_BASE64) {
return Signer\Key\InMemory::base64Encoded($value, $passphrase);
}
Expand All @@ -386,7 +392,7 @@ private function prepareKey($key): Signer\Key
throw new InvalidConfigException('Invalid key store and method combination!');
}

return Signer\Key\LocalFileReference::file($value, $passphrase);
return Signer\Key\InMemory::file($value, $passphrase);
}

/**
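Review bot: The new `$value === ''` guard in prepareKey quietly maps a blank in-memory key to `Signer\Key\InMemory::empty()`, so a missing or empty `signingKey` is no longer caught as a configuration error at this point; with the regular signers it should still fail later with InvalidKeyProvided (the README hunk in this commit documents the minimum-length rule), but with one of the `Unsafe` signers that same README now describes, an empty HMAC secret would presumably be accepted, which is worse than the behaviour before this change. If the empty key serves a legitimate path, say so next to the guard, e.g. `// empty key is intentional here; signers enforce their own minimum length (InvalidKeyProvided)`, and consider throwing InvalidConfigException instead whenever a signer that needs key material is configured. The `BLAKE2B` constant added at the top of the section would also benefit from `// not a registered JWA algorithm, see README` so the caveat lives next to the code. prepareKey begins and ends outside the hunk.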
2 changes: 1 addition & 1 deletion tests/BearerTest.php
Expand Up @@ -48,7 +48,7 @@ protected function setUp(): void
'jwt' => [
'class' => Jwt::class,
'signer' => Jwt::HS256,
'signingKey' => 'secret',
'signingKey' => 'c2VjcmV0MXNlY3JldDFzZWNyZXQxc2VjcmV0M',
],
],
'controllerMap' => [
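Review bot: The replacement `signingKey` in setUp reads like a base64 string but, with no `Jwt::METHOD` given, is consumed as plain text (I count 37 bytes, so above HS256's 256-bit minimum); a later reader is likely to "correct" it by adding `Jwt::METHOD_BASE64`, which would decode to roughly 27 bytes and fall below the minimum again. A short comment such as `'signingKey' => 'c2VjcmV0MXNlY3JldDFzZWNyZXQxc2VjcmV0M', // plain text, >= 32 bytes for HS256` (or simply a key that does not look like base64) would prevent that. setUp continues outside the hunk.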
2 changes: 2 additions & 0 deletions tests/JwtTest.php
Expand Up @@ -31,6 +31,7 @@ public function testAvailableSigners(): void
Jwt::ES384 => [Signer\Ecdsa\Sha384::class],
Jwt::ES512 => [Signer\Ecdsa\Sha512::class],
Jwt::EDDSA => [Signer\Eddsa::class],
Jwt::BLAKE2B => [Signer\Blake2b::class],
],
(new Jwt())->signers,
);
Expand All @@ -53,6 +54,7 @@ public function testAvailableAlgorithmTypes(): void
Jwt::ES384,
Jwt::ES512,
Jwt::EDDSA,
Jwt::BLAKE2B,
],
],
(new Jwt())->algorithmTypes,
35 changes: 25 additions & 10 deletions tests/SignerTest.php
Expand Up @@ -6,6 +6,7 @@

use bizley\jwt\Jwt;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\InvalidKeyProvided;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use PHPUnit\Framework\TestCase;
Expand Down Expand Up @@ -42,29 +43,29 @@ public function providerForSigners(): array
'Direct signer provided' => [
[
'signer' => new Sha256(),
'signingKey' => 'secret1',
'signingKey' => 'secret1secret1secret1secret1secret1secret1',
],
Jwt::HS256
],
'Direct key provided' => [
[
'signer' => Jwt::HS256,
'signingKey' => InMemory::plainText('secret1')
'signingKey' => InMemory::plainText('secret1secret1secret1secret1secret1secret1')
],
Jwt::HS256
],
'HS256' => [
[
'signer' => Jwt::HS256,
'signingKey' => 'secret1',
'signingKey' => 'secret1secret1secret1secret1secret1secret1',
],
Jwt::HS256
],
'HS256 base64' => [
[
'signer' => Jwt::HS256,
'signingKey' => [
Jwt::KEY => 'c2VjcmV0',
Jwt::KEY => 'c2VjcmV0MXNlY3JldDFzZWNyZXQxc2VjcmV0MXNlY3JldDFzZWNyZXQx',
Jwt::METHOD => JWT::METHOD_BASE64
],
],
Expand All @@ -73,22 +74,22 @@ public function providerForSigners(): array
'HS384' => [
[
'signer' => Jwt::HS384,
'signingKey' => 'secret2',
'signingKey' => 'secret1secret1secret1secret1secret1secret1secret1',
],
Jwt::HS384
],
'HS512' => [
[
'signer' => Jwt::HS512,
'signingKey' => 'secret3',
'signingKey' => 'secret1secret1secret1secret1secret1secret1secret1secret1secret1secret1',
],
Jwt::HS512
],
'HS256 pass' => [
[
'signer' => Jwt::HS256,
'signingKey' => [
Jwt::KEY => 'secret1',
Jwt::KEY => 'secret1secret1secret1secret1secret1secret1secret1',
Jwt::PASSPHRASE => 'passphrase'
],
],
Expand All @@ -98,7 +99,7 @@ public function providerForSigners(): array
[
'signer' => Jwt::HS384,
'signingKey' => [
Jwt::KEY => 'secret2',
Jwt::KEY => 'secret1secret1secret1secret1secret1secret1secret1',
Jwt::PASSPHRASE => 'passphrase'
],
],
Expand All @@ -108,7 +109,7 @@ public function providerForSigners(): array
[
'signer' => Jwt::HS512,
'signingKey' => [
Jwt::KEY => 'secret3',
Jwt::KEY => 'secret1secret1secret1secret1secret1secret1secret1secret1secret1secret1',
Jwt::PASSPHRASE => 'passphrase'
],
],
Expand Down Expand Up @@ -194,7 +195,6 @@ public function providerForSigners(): array
],
Jwt::ES512
],

];
}

Expand Down Expand Up @@ -237,4 +237,19 @@ public function testInvalidKeyConfigCombination(): void
]
);
}

public function testInvalidKeyWithNotEnoughBits(): void
{
$this->expectException(InvalidKeyProvided::class);
$this->expectExceptionMessage('Key provided is shorter than 256 bits, only 56 bits provided');
$jwt = $this->getJwt(
[
'signer' => Jwt::HS256,
'signingKey' => 'secret1',
]
);
$signer = $jwt->getConfiguration()->signer();
$token = $jwt->getBuilder()->getToken($signer, $jwt->getConfiguration()->signingKey());
$jwt->parse($token->toString());
}
}
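Review bot: In testInvalidKeyWithNotEnoughBits the final `$jwt->parse($token->toString());` looks unreachable: as far as I can tell the expected InvalidKeyProvided is raised when the 7-byte key reaches the HMAC signer inside getToken, so the parse call implies the length check happens on verification when it does not, and expectException gives no signal about which line actually threw. Either drop the parse line or make the intent explicit with `// expected to throw while signing; parse() is never reached`. Pinning the library's full message (`'... only 56 bits provided'`) also ties the test to lcobucci/jwt wording; `expectException` alone, or `expectExceptionMessageMatches('/shorter than 256 bits/')`, would be less brittle. Neither the new BLAKE2B signer nor the empty-key branch this commit adds to prepareKey gets a case in providerForSigners as far as the hunk shows.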
