The examples here fetch the configuration object from a hypothetical dependency injection container. You can create it in the same script or require it from a different file. It basically depends on how your system is bootstrapped.
lcobucci/jwt is broken in your project. LooseValidAt exists in 4.2.x: https://github.com/lcobucci/jwt/blob/a8acedb920bb48de30bad1aa9e6d242903ecd693/src/Validation/Constraint/LooseValidAt.php#L13 . It does not exist in 3.x, so your dependency got upgraded, probably because a Laravel component did not declare compatibility with 3.x specifically.
4.x code, but you are using 3.x
private function issue($user){
    $config = $GLOBALS["tokenConfig"];
    assert($config instanceof Configuration);
    $now = new DateTimeImmutable();
    $this->token = $config->builder()
        // sub
        ->relatedTo($user->user_id)
        // issued by (iss)
        ->issuedBy("https://testpage.com/")
        // iat
        ->issuedAt($now)
        // jwt expire (exp)
        ->expiresAt($now->modify('8 hour'))
        // builds a new token
        ->getToken($config->signer(), $config->signingKey());
}

private function Validator(string $cookie){
    /**
     * Validate token string
     */
    $config = $GLOBALS["tokenConfig"];
    assert($config instanceof Configuration);
    // parse token
    try {
        $token = $config->parser()->parse($cookie);
    }
    catch (\Exception $e){
        return false;
    }
    assert($token instanceof UnencryptedToken);
    // constraints registered on the configuration object
    $constraints = $config->validationConstraints();
    // validate
    try {
        $config->validator()->assert($token, ...$constraints);
    }
    catch (RequiredConstraintsViolated $e) {
        return false;
    }
    return true;
}
Validator#validate()
I have a question about the migration to 4.0 (or 3.4 in this case). I just want to make sure that I'm not changing any functionality in the project when I migrate to the newer version.
I think this is the case, but are these two things doing the same thing as far as validation goes?
// 3.3 and before
use Lcobucci\JWT\ValidationData;

$jwtValidation = new ValidationData();
$validated = $token->validate($jwtValidation) && $token->verify($jwtSigner, $key);

// 3.4
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validator;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Validation\Constraint\ValidAt;
use Lcobucci\JWT\Validation\Constraint\SignedWith;

$validator = new Validator();
$validated = $validator->validate(
    $token,
    new ValidAt(SystemClock::fromUTC()),
    new SignedWith($jwtSigner, InMemory::plainText($key))
);
Also I'm on PHP 7.3 right now so I can't go to 4 quite yet, and so I don't have LooseValidAt.
Hi, everyone! I get the RequiredConstraintsViolated exception when I'm trying to validate a parsed unencrypted token. Is this a problem in my configuration or maybe some kind of bug?
Exception details:
Type: Lcobucci\JWT\Validation\RequiredConstraintsViolated
Code: 0
Message: The token violates some mandatory constraints, details: - You should pass a plain token - You should pass a plain token
When I'm trying to check the type of the parsed token with assert($parsedToken instanceof UnencryptedToken); it also fails with AssertionError.
The version of the library which I'm currently using is ^4.1.
Configuration which I use in my container:
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Ecdsa;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
// ...
$privateKey = $container->get('config')['jwt']['private_key_path'];
$publicKey = $container->get('config')['jwt']['public_key_path'];
$configuration = Configuration::forAsymmetricSigner(
    Ecdsa\Sha256::create(),
    InMemory::file($privateKey),
    InMemory::file($publicKey),
);
$configuration->setValidationConstraints(
    new StrictValidAt(new SystemClock(new DateTimeZone(date_default_timezone_get()))),
    new SignedWith(
        $configuration->signer(),
        $configuration->verificationKey(),
    ),
);
//...
Processing provided token:
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\UnencryptedToken;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
//...
$tokenStr = trim((string)preg_replace('/^\s*Bearer\s/', '', $header));
/** @var Plain $parsedToken */
$parsedToken = $this->configuration->parser()->parse($tokenStr);
$constraints = $this->configuration->validationConstraints();
try {
    //assert($parsedToken instanceof UnencryptedToken);
    $this->configuration->validator()->assert($parsedToken, ...$constraints);
} catch (RequiredConstraintsViolated $e){
    var_dump($e->getMessage());
    exit;
}
//...
@lcobucci
Type checks of the $parsedToken return this:
use Lcobucci\JWT\Token;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\UnencryptedToken;
//...
var_dump($parsedToken instanceof Token); // true
var_dump($parsedToken instanceof Plain); // true
var_dump($parsedToken instanceof UnencryptedToken); // false
//...
I think $parsedToken is an instance of the Plain class which the default Parser returns. The Plain class in the library implements the UnencryptedToken interface, but it's quite weird why PHP thinks it's not a subtype of UnencryptedToken.
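For comparison with the reports above, this added example (not code from the thread or from the library's documentation) runs the StrictValidAt and SignedWith constraints against one token under four conditions and returns the violation messages that assert() collects. It assumes a consistent Composer install of lcobucci/jwt 4.1 or later with lcobucci/clock; the key, issuer, timestamps and the violations() helper are constructed for the demonstration.

```php
<?php
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use Lcobucci\Clock\FrozenClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

// Constructed demo values: key, issuer and timestamps are placeholders.
$key    = InMemory::plainText(str_repeat('k', 32));
$config = Configuration::forSymmetricSigner(new Sha256(), $key);
$issued = new DateTimeImmutable('2024-01-01T12:00:00Z');

$jwt = $config->builder()
    ->issuedBy('https://issuer.example')
    ->issuedAt($issued)
    ->canOnlyBeUsedAfter($issued)
    ->expiresAt($issued->modify('+8 hours'))
    ->getToken($config->signer(), $config->signingKey())
    ->toString();

// Hypothetical helper: returns the violated constraints (empty array = accepted).
function violations(Configuration $config, string $jwt, DateTimeImmutable $at, InMemory $verifyKey): array
{
    try {
        $token = $config->parser()->parse($jwt);
    } catch (\Exception $e) {
        return ['unparseable: ' . $e->getMessage()];
    }
    try {
        $config->validator()->assert(
            $token,
            new StrictValidAt(new FrozenClock($at)),      // iat, nbf, exp must exist and hold at $at
            new SignedWith($config->signer(), $verifyKey) // algorithm and signature must match
        );
    } catch (RequiredConstraintsViolated $e) {
        return array_map(fn ($v) => $v->getMessage(), $e->violations());
    }
    return [];
}
$wrongKey = InMemory::plainText(str_repeat('x', 32));
var_dump(violations($config, $jwt, $issued->modify('+1 hour'), $key));      // case: inside validity window
var_dump(violations($config, $jwt, $issued->modify('+9 hours'), $key));     // case: after exp
var_dump(violations($config, $jwt, $issued->modify('+1 hour'), $wrongKey)); // case: verification key differs
var_dump(violations($config, 'not-a-jwt', $issued, $key));                  // case: malformed input
```

Each constraint is evaluated only if it is passed explicitly, so leaving SignedWith out of the call means the signature is never checked.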