Updating docs to explain change in behavour

Updatig the readme to explain whe the KID is now needed when passing
when decodig the token also why the token need the KID to be set in the
header

README.md

@@ -127,17 +127,26 @@ $app->add(new Tuupola\Middleware\JwtAuthentication([
 
 ### Algorithm
 
-You can set supported algorithms via `algorithm` parameter. This can be either string or array of strings. Default value is `["HS256", "HS512", "HS384"]`. Supported algorithms are `HS256`, `HS384`, `HS512` and `RS256`. Note that enabling both `HS256` and `RS256` is a [security risk](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
+You can set supported algorithms via `algorithm` parameter. This can be either string or array of strings. Default value is `["HS256"]`. Supported algorithms are `HS256`, `HS384`, `HS512` and `RS256`. Note that enabling both `HS256` and `RS256` is a [security risk](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
+
+When passing multiple algorithm it be a key value array, with the key being the `KID` of the jwt.
 
 ``` php
 $app = new Slim\App;
 
 $app->add(new Tuupola\Middleware\JwtAuthentication([
     "secret" => "supersecretkeyyoushouldnotcommittogithub",
-    "algorithm" => ["HS256", "HS384"]
+    "algorithm" => [
+        "amce" => "HS256",
+        "beta" => "HS384"
+    ]
 ]));
 ```
 
+> :warning: **Warning**: <br>
+Because of changes in `firebase/php-jwt` the `kid` is now checked when multiple algorithm are passed, failing to provide a key the algorithm will be used for the kid.
+this also means the `kid` will now need to be present in the JWT header as well.
+
 ### Attribute
 
 When the token is decoded successfully and authentication succeeds the contents of the decoded token is saved as `token` attribute to the `$request` object. You can change this with. `attribute` parameter. Set to `null` or `false` to disable this behavour

src/JwtAuthentication.php

@@ -79,7 +79,7 @@ final class JwtAuthentication implements MiddlewareInterface
      * Stores all the options passed to the middleware.
      *
      * @var array{
-     *   secret?: string|array<string>,
+     *   secret?: string|array<string>|array<string,string>,
      *   secure: bool,
      *   relaxed: array<string>,
      *   algorithm: array<string>,
@@ -321,7 +321,8 @@ private function decodeToken(string $token): array
         try {
             $decoded = JWT::decode(
                 $token,
-                $keys
+                $keys,
+                $this->options['algorithm']
             );
             return (array) $decoded;
         } catch (Exception $exception) {

tests/JwtAuthenticationTest.php

@@ -220,6 +220,33 @@ public function testShouldReturn200WithSecretArray(): void
         $this->assertEquals("Success", $response->getBody());
     }
 
+    public function testShouldReturn200WithSecretArrayCheckKid(): void
+    {
+        $request = (new ServerRequestFactory)
+            ->createServerRequest("GET", "https://example.com/api")
+            ->withHeader("Authorization", "Bearer " . self::$betaToken);
+
+        $default = function (ServerRequestInterface $request) {
+            $response = (new ResponseFactory)->createResponse();
+            $response->getBody()->write("Success");
+            return $response;
+        };
+
+        $collection = new MiddlewareCollection([
+            new JwtAuthentication([
+                "algorithm" => ["acme" => "HS256", "beta" => "HS256"],
+                "secret" => [
+                    "acme" =>"supersecretkeyyoushouldnotcommittogithub",
+                    "beta" =>"anothersecretkeyfornevertocommittogithub"
+                ],
+            ])
+        ]);
+
+        $response = $collection->dispatch($request, $default);
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertEquals("Success", $response->getBody());
+    }
+
     public function testShouldReturn401WithSecretArray(): void
     {
         $request = (new ServerRequestFactory)