Skip to content

Commit c818f5f

Browse files
joshuarueswegjoshuaruesweg
committed
Ensure numeric type of iat, nbf and exp parameters
1 parent 018dfc4 commit c818f5f

File tree

1 file changed

+34
-10
lines changed

1 file changed

+34
-10
lines changed

src/JWT.php

Lines changed: 34 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -142,24 +142,39 @@ public static function decode(
142142

143143
// Check the nbf if it is defined. This is the time that the
144144
// token can actually be used. If it's not yet that time, abort.
145-
if (isset($payload->nbf) && $payload->nbf > ($timestamp + static::$leeway)) {
146-
throw new BeforeValidException(
147-
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->nbf)
148-
);
145+
if (isset($payload->nbf)) {
146+
if (!is_int($payload->nbf)) {
147+
throw new UnexpectedValueException('The property nbf must be of type integer.');
148+
}
149+
if ($payload->nbf > ($timestamp + static::$leeway)) {
150+
throw new BeforeValidException(
151+
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->nbf)
152+
);
153+
}
149154
}
150155

151156
// Check that this token has been created before 'now'. This prevents
152157
// using tokens that have been created for later use (and haven't
153158
// correctly used the nbf claim).
154-
if (isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
155-
throw new BeforeValidException(
156-
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat)
157-
);
159+
if (isset($payload->iat)) {
160+
if (!is_int($payload->iat)) {
161+
throw new UnexpectedValueException('The property iat must be of type integer.');
162+
}
163+
if ($payload->iat > ($timestamp + static::$leeway)) {
164+
throw new BeforeValidException(
165+
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat)
166+
);
167+
}
158168
}
159169

160170
// Check if this token has expired.
161-
if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {
162-
throw new ExpiredException('Expired token');
171+
if (isset($payload->exp)) {
172+
if (!is_int($payload->exp)) {
173+
throw new UnexpectedValueException('The property exp must be of type integer.');
174+
}
175+
if (($timestamp - static::$leeway) >= $payload->exp) {
176+
throw new ExpiredException('Expired token');
177+
}
163178
}
164179

165180
return $payload;
@@ -194,6 +209,15 @@ public static function encode(
194209
if (isset($head) && \is_array($head)) {
195210
$header = \array_merge($head, $header);
196211
}
212+
if (isset($payload['nbf']) && !is_int($payload['nbf'])) {
213+
throw new UnexpectedValueException('The property nbf must be an integer containing a unix timestamp.');
214+
}
215+
if (isset($payload['iat']) && !is_int($payload['iat'])) {
216+
throw new UnexpectedValueException('The property nbf must be an integer containing a unix timestamp.');
217+
}
218+
if (isset($payload['exp']) && !is_int($payload['exp'])) {
219+
throw new UnexpectedValueException('The property exp must be an integer containing a unix timestamp.');
220+
}
197221
$segments = [];
198222
$segments[] = static::urlsafeB64Encode((string) static::jsonEncode($header));
199223
$segments[] = static::urlsafeB64Encode((string) static::jsonEncode($payload));

0 commit comments

Comments
 (0)