-
-
Notifications
You must be signed in to change notification settings - Fork 602
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add a way to verify a token against multiple algorithms/keys
When dealing with key rotations, we will likely have to verify previously issued tokens (signed with the old key) and new tokens (signed with the new key). This introduces a handy constraint that can take multiple `SignedWith` constraints and only raise exceptions when the signature can't be validated by any of them. Signed-off-by: Luís Cobucci <[email protected]>
- Loading branch information
Showing
4 changed files
with
144 additions
and
55 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| <?php | ||
| declare(strict_types=1); | ||
|
|
||
| namespace Lcobucci\JWT\Validation\Constraint; | ||
|
|
||
| use Lcobucci\JWT\Token; | ||
| use Lcobucci\JWT\Validation\ConstraintViolation; | ||
| use Lcobucci\JWT\Validation\SignedWith as SignedWithInterface; | ||
|
|
||
| use const PHP_EOL; | ||
|
|
||
| final class SignedWithOneInSet implements SignedWithInterface | ||
| { | ||
| /** @var array<SignedWithInterface> */ | ||
| private readonly array $constraints; | ||
|
|
||
| public function __construct(SignedWithInterface ...$constraints) | ||
| { | ||
| $this->constraints = $constraints; | ||
| } | ||
|
|
||
| public function assert(Token $token): void | ||
| { | ||
| $errorMessage = 'It was not possible to verify the signature of the token, reasons:'; | ||
|
|
||
| foreach ($this->constraints as $constraint) { | ||
| try { | ||
| $constraint->assert($token); | ||
|
|
||
| return; | ||
| } catch (ConstraintViolation $violation) { | ||
| $errorMessage .= PHP_EOL . '- ' . $violation->getMessage() | ||
| . ' (verified by ' . $violation->constraint . ')'; | ||
| } | ||
| } | ||
|
|
||
| throw ConstraintViolation::error($errorMessage, $this); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| <?php | ||
| declare(strict_types=1); | ||
|
|
||
| namespace Lcobucci\JWT\Tests\Validation\Constraint; | ||
|
|
||
| use Lcobucci\JWT\Signer\Key\InMemory; | ||
| use Lcobucci\JWT\Token; | ||
| use Lcobucci\JWT\Token\DataSet; | ||
| use Lcobucci\JWT\Token\Plain; | ||
| use Lcobucci\JWT\Token\Signature; | ||
| use Lcobucci\JWT\Validation\Constraint\SignedWithOneInSet; | ||
| use Lcobucci\JWT\Validation\ConstraintViolation; | ||
| use Lcobucci\JWT\Validation\SignedWith; | ||
| use PHPUnit\Framework\Attributes as PHPUnit; | ||
|
|
||
| use const PHP_EOL; | ||
|
|
||
| #[PHPUnit\CoversClass(SignedWithOneInSet::class)] | ||
| #[PHPUnit\CoversClass(ConstraintViolation::class)] | ||
| #[PHPUnit\UsesClass(DataSet::class)] | ||
| #[PHPUnit\UsesClass(InMemory::class)] | ||
| #[PHPUnit\UsesClass(Plain::class)] | ||
| #[PHPUnit\UsesClass(Signature::class)] | ||
| #[PHPUnit\UsesClass(SignedWith::class)] | ||
| final class SignedWithOneInSetTest extends ConstraintTestCase | ||
| { | ||
| #[PHPUnit\Test] | ||
| public function exceptionShouldBeRaisedWhenSignatureIsNotVerifiedByAllConstraints(): void | ||
| { | ||
| $token = $this->createMock(Token::class); | ||
|
|
||
| $verifySignature1 = $this->createMock(SignedWith::class); | ||
| $verifySignature1 | ||
| ->expects(self::once()) | ||
| ->method('assert') | ||
| ->willThrowException(ConstraintViolation::error('Msg1', $verifySignature1)); | ||
|
|
||
| $verifySignature2 = $this->createMock(SignedWith::class); | ||
| $verifySignature2 | ||
| ->expects(self::once()) | ||
| ->method('assert') | ||
| ->willThrowException(ConstraintViolation::error('Msg2', $verifySignature2)); | ||
|
|
||
| $constraint = new SignedWithOneInSet($verifySignature1, $verifySignature2); | ||
|
|
||
| $this->expectException(ConstraintViolation::class); | ||
| $this->expectExceptionMessage( | ||
| 'It was not possible to verify the signature of the token, reasons:' | ||
| . PHP_EOL . '- Msg1 (verified by ' . $verifySignature1::class . ')' | ||
| . PHP_EOL . '- Msg2 (verified by ' . $verifySignature2::class . ')', | ||
| ); | ||
|
|
||
| $constraint->assert($token); | ||
| } | ||
|
|
||
| #[PHPUnit\Test] | ||
| public function assertShouldNotRaiseExceptionsWhenSignatureIsVerifiedByAtLeastOneConstraint(): void | ||
| { | ||
| $token = $this->createMock(Token::class); | ||
|
|
||
| $verifySignature1 = $this->createMock(SignedWith::class); | ||
| $verifySignature1 | ||
| ->expects(self::once()) | ||
| ->method('assert') | ||
| ->willThrowException(ConstraintViolation::error('Msg', $verifySignature1)); | ||
|
|
||
| $verifySignature2 = $this->createMock(SignedWith::class); | ||
| $verifySignature2->expects(self::once())->method('assert'); | ||
|
|
||
| $constraint = new SignedWithOneInSet($verifySignature1, $verifySignature2); | ||
| $constraint->assert($token); | ||
|
|
||
| $this->addToAssertionCount(1); | ||
| } | ||
| } |