stephaneThannio
@stephaneThannio
Hello all how to declare $container with this project?
Thanks a lot
Luís Cobucci
@lcobucci
@stephaneThannio it does not. Perhaps you've missed the note at the top of the page (e.g. https://lcobucci-jwt.readthedocs.io/en/stable/issuing-tokens/)
The examples here fetch the configuration object from a hypothetical dependency injection container. You can create it in the same script or require it from a different file. It basically depends on how your system is bootstrapped.
Constantinos Sergiou
@constantinosergiou
Hello all
I have this issue: Class 'App\Http\Controllers\Lcobucci\JWT\Signer\Hmac\Sha256' not found
Constantinos Sergiou
@constantinosergiou
fixed :)
Mohinish Sharma
@mohinishsharma
Hi all,
I'm trying to use this lib with Lumen and I'm getting: Target [Lcobucci\JWT\Configuration] is not instantiable.
Can anyone help me out with this?
Luís Cobucci
@lcobucci
@mohinishsharma check which version of the library is installed on your project. That class only exists on v3.4+
Rose Riyadh
@RoseRiyadh
Hello, I'm trying to get my Laravel project upgraded from 5.8 up to 8 to have Sign in with Apple, and I'm getting this error: Class 'Lcobucci\JWT\Validation\Constraint\LooseValidAt' not found
What should I do?
@lcobucci
Marco Pivetta
@Ocramius
Sounds like the dependency to lcobucci/jwt is broken in your project. LooseValidAt exists in 4.2.x: https://github.com/lcobucci/jwt/blob/a8acedb920bb48de30bad1aa9e6d242903ecd693/src/Validation/Constraint/LooseValidAt.php#L13 . It does not exist in 3.x, so your dependency got upgraded, probably because a laravel component did not declare compatibility with 3.x specifically.
ah, sorry, the opposite
code needs 4.x code, but you are using 3.x
Rose Riyadh
@RoseRiyadh
@Ocramius so I should update my lcobucci to ^4
@Ocramius it's locked on 4.1.4
Rose Riyadh
@RoseRiyadh
@Ocramius I did it and it worked, thank you so much!
Ashish Vinayak
@ashishvinayak
JWT expires automatically before expiresAt('8 hour'). I am unable to understand why. I found a related issue at lcobucci/jwt#622, yet I am still unsure if my validation is correct. I've posted my code below. Could someone please help me?
private function issue($user){
    $config = $GLOBALS["tokenConfig"];           
    assert ($config instanceof Configuration);

    $now = new DateTimeImmutable();
    $this->token = $config->builder()    
            // sub
            ->relatedTo($user->user_id)
            // issue by
            ->issuedBy("https://testpage.com/")
            // iat
            ->issuedAt($now)
            // jwt expire
            ->expiresAt($now->modify('8 hour'))
            // builds a new token
            ->getToken($config->signer(), $config->signingKey());
}

private function Validator(string $cookie){
/**
 * Validate token string
 */
    $config = $GLOBALS["tokenConfig"];
    assert ($config instanceof Configuration);
    // parse token
    try {
        $token = $config->parser()->parse($cookie);
    }
    catch (\Exception $e){
        return false;
    }
    assert ($token instanceof UnencryptedToken);
    // 
    $constraints = $config->validationConstraints();        
    // validate
    try {
        $config->validator()->assert($token, ...$constraints);
    }
    catch (RequiredConstraintsViolated $e) {
        return false;
    }
    return true;
}
Ashish Vinayak
@ashishvinayak
@lcobucci Any suggestions?
Luís Cobucci
@lcobucci
@ashishvinayak we'd need to see a sample token and the list of constraints you're using.
Also, if you just need to return a boolean result, I'd suggest using Validator#validate()
Anton Smirnov
@sandfox_gitlab
Greetings
How to submit security issues, well, securely?
Marco Pivetta
@Ocramius
@sandfox_gitlab would say email - lcobucci AT gmail
Or ocramius AT gmail
Anton Smirnov
@sandfox_gitlab
Thank you
R. Mohammad
@rmohammad25
@lcobucci Good morning. I followed the steps on issuing tokens etc. (which is working fine). My question is why it's not all random (only the first part and second), see image? Sorry, newbie here.
Luís Cobucci
@lcobucci
@rmohammad25 it's because of JWTs' structure. I believe those are two different tokens with almost the same claims (probably time difference only). Which means that the encoded headers and claims are essentially the same.
R. Mohammad
@rmohammad25
Thanks @lcobucci.
balamurugan natarajan
@bala03:matrix.org
Hi, I am a new user of JWT too, facing an issue of undefined container while generating the token as provided in the documentation
[2021-11-09 16:59:58] local.ERROR: Undefined variable: container {"exception":"[object] (ErrorException(code: 0): Undefined variable: container at C:\wamp64\www\laravel\idpal_setup\app\Http\Controllers\ZendeskController.php:21)
balamurugan natarajan
@bala03:matrix.org
Hi, I didn't get any response on Slack, please help me to fix the issues
Luís Cobucci
@lcobucci
@bala03:matrix.org maybe this can help https://gitter.im/lcobucci/jwt?at=60918907ff705616c77129cc
balamurugan natarajan
@bala03:matrix.org
Hi @lcobucci, thanks for your reply
balamurugan natarajan
@bala03:matrix.org
@lcobucci: hi, what is jti? How do we generate that, in Laravel or using lcobucci packages? Sorry, I don't have an idea how to provide it
balamurugan natarajan
@bala03:matrix.org
Thanks, I see, I generated the token
Shawn Corrigan
@scorgn

I have a question about the migration to 4.0 (or 3.4 in this case). I just want to make sure that I'm not changing any functionality in the project when I migrate to the newer version.

I think this is the case, but are these two things doing the same thing as far as validation goes?

// 3.3 and before
use Lcobucci\JWT\ValidationData;

$jwtValidation = new ValidationData();
$validated = $token->validate($jwtValidation) && $token->verify($jwtSigner, $key) ;
// 3.4
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validator;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Validation\Constraint\ValidAt;
use Lcobucci\JWT\Validation\Constraint\SignedWith;

$validator = new Validator();
$validated = $validator->validate(
    $token,
    new ValidAt(SystemClock::fromUTC()),
    new SignedWith($jwtSigner, InMemory::plainText($key))
);

Also I'm on PHP 7.3 right now so I can't go to 4 quite yet, and so I don't have LooseValidAt.

Luís Cobucci
@lcobucci
@scorgn that is correct 👍
(you're performing the same set of validations)
Shawn Corrigan
@scorgn
Thanks!
Rei
@rei-gun

Hi All, any idea why Lumen can't find the Configuration package?

lumen.ERROR: ReflectionException: Class Lcobucci\JWT\Configuration does not exist in /usr/src/myapp/vendor/illuminate/container/Container.php:811

Luís Cobucci
@lcobucci
@rei-gun is the expected version of the lib installed (v3.4+)?
ilyasirotin-dev
@ilyasirotin-dev

Hi, everyone! I get the RequiredConstraintsViolated exception when I'm trying to validate a parsed unencrypted token. Is this a problem in my configuration or maybe some kind of bug?

Exception details:

Type: Lcobucci\JWT\Validation\RequiredConstraintsViolated Code: 0 Message: The token violates some mandatory constraints, details: - You should pass a plain token - You should pass a plain token

When I'm trying to check the type of the parsed token assert($parsedToken instanceof UnencryptedToken); it also fails with AssertionError.

The version of the library which I'm currently using is ^4.1.

Configuration which I use in my container:

use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Ecdsa;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;

// ... 

$privateKey = $container->get('config')['jwt']['private_key_path'];
$publicKey = $container->get('config')['jwt']['public_key_path'];

$configuration = Configuration::forAsymmetricSigner(
    Ecdsa\Sha256::create(),
    InMemory::file($privateKey),
    InMemory::file($publicKey),
);

$configuration->setValidationConstraints(
    new StrictValidAt(new SystemClock(new DateTimeZone(date_default_timezone_get()))),
    new SignedWith(
        $configuration->signer(),
        $configuration->verificationKey(),
    ),
);

//...

Processing provided token:

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\UnencryptedToken;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

//...

$tokenStr = trim((string)preg_replace('/^\s*Bearer\s/', '', $header));

/** @var Plain $parsedToken */
$parsedToken = $this->configuration->parser()->parse($tokenStr);

$constraints = $this->configuration->validationConstraints();

try {
    //assert($parsedToken instanceof UnencryptedToken);
    $this->configuration->validator()->assert($parsedToken, ...$constraints);
} catch (RequiredConstraintsViolated $e){
    var_dump($e->getMessage());
    exit;
}

//...
Luís Cobucci
@lcobucci
@ilyasirotin-dev your code seems correct... $parsedToken is an instance of which class in that snippet?
ilyasirotin-dev
@ilyasirotin-dev

@lcobucci
Type checks of the $parsedToken return this:

use Lcobucci\JWT\Token;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\UnencryptedToken;

//...

var_dump($parsedToken instanceof Token);  // true
var_dump($parsedToken instanceof Plain);  // true
var_dump($parsedToken instanceof UnencryptedToken);  // false

//...

I think $parsedToken is an instance of the Plain class which the default Parser returns. The Plain class in the library implements the UnencryptedToken interface, but it's quite weird why PHP thinks it's not a subtype of UnencryptedToken.

Luís Cobucci
@lcobucci
Is it possible that you have different versions of the library installed together? Some people forked my lib and published it under different packages but without changing namespaces
You can use reflection to get which file defines the class/interface
ilyasirotin-dev
@ilyasirotin-dev
@lcobucci You're right, I had another older library in the project that came as a dependency for the Firebase library. Thanks a lot for your help!)