From 91df6856ad69707c1108340837e5fe6e185effe0 Mon Sep 17 00:00:00 2001
From: Petr Trofimov
Date: Tue, 9 Jun 2015 18:43:47 +0300
Subject: [PATCH] fixed hmac verify

---
 src/Signer/Hmac.php | 4 ++++
 test/Signer/HmacTest.php | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/Signer/Hmac.php b/src/Signer/Hmac.php
index b73bf83e..f2b3b7e6 100644
--- a/src/Signer/Hmac.php
+++ b/src/Signer/Hmac.php
@@ -28,6 +28,10 @@ public function createHash($payload, $key)
 */
 public function verify($expected, $payload, $key)
 {
+ if (!is_string($expected)) {
+ return false;
+ }
+
 $callback = function_exists('hash_equals') ? 'hash_equals' : [$this, 'hashEquals'];

 return call_user_func($callback, $expected, $this->createHash($payload, $key));
diff --git a/test/Signer/HmacTest.php b/test/Signer/HmacTest.php
index 5bd3032a..c0d4eb6c 100644
--- a/test/Signer/HmacTest.php
+++ b/test/Signer/HmacTest.php
@@ -76,6 +76,16 @@ public function verifyShouldReturnFalseWhenExpectedHashWasNotCreatedWithSameInfo
 $this->assertFalse($this->signer->verify($expected, 'test', '1234'));
 }

+ /**
+ * @test
+ *
+ * @covers Lcobucci\JWT\Signer\Hmac::verify
+ */
+ public function verifyShouldReturnFalseWhenExpectedHashIsNotString()
+ {
+ $this->assertFalse($this->signer->verify(false, 'test', '1234'));
+ }
+
 /**
 * @test
 *
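Review bot: The added `is_string($expected)` guard in verify() covers only one side of the comparison; `$this->createHash($payload, $key)` is still handed to `hash_equals` unchecked, and createHash's body lies outside this hunk, so if it can return a non-string (for instance a `hash_hmac` call yielding `false` on an unsupported algorithm) the same failure mode remains. Computing the hash into a local and returning `false` when it is not a string would close that. PHP also documents the order as `hash_equals($known_string, $user_string)`, and `$expected` looks like the caller-supplied signature, so the call would match the documented contract as `call_user_func($callback, $this->createHash($payload, $key), $expected);`. With a fixed-length HMAC the exposure is small, but the userland `hashEquals` fallback is not visible here and should be confirmed to tolerate either order in constant time.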
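Review bot: The new test pins the guard for `false` only, so a later change that narrows the check (say to `$expected === false`) would still pass. Other non-string inputs a decoder could plausibly hand over, such as `null`, an integer or an array, deserve the same assertion, e.g. `$this->assertFalse($this->signer->verify(null, 'test', '1234'));`, ideally through a data provider. An empty string is a string and still reaches the comparison, so one assertion that `verify('', 'test', '1234')` is false would document that path too.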