Decode method does not enforce object return type #370
The decode method declares an object return type using a docblock; however, this is not enforced by either userland runtime checks or a PHP return type, and the function will quite happily return a non-object result if the original JWT was created in such a way:

This causes higher levels of static analysis to either fail to detect a possible error condition when using the return value, or alternatively create a false positive for a redundant check when verifying the return type is an object.

Comments

Thank you for pointing this out! You're right, the library assumes the As the types are correct if used as documented, can this really cause a static analysis error? Also, without breaking backwards compatibility, how would you recommend fixing this?

As there is no requirement that the JWT originates from this library, or even the same application, the documented type of encode (which itself is not enforced, as can be seen in the example) is not super relevant. Using decode (as documented) expects to return an object, but this does not have to be the case, and may cause errors in the code consuming the return value of decode (such as by accessing a property) if some other type is returned. My recommendation would be throwing an UnexpectedValueException if the decoded object was not an object. This would then match the behaviour specified in the docblock. An alternative would be to remove the @return object in the docblock. If this was typed as object using native PHP, it would throw a TypeError, allowing a malformed JWT to trigger an \Error branch rather than an \Exception branch throwable.

This is now enforced: https://github.com/firebase/php-jwt/blob/main/src/JWT.php#L162 It will be released in
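The check the thread converges on (reject a payload that parses as valid JSON but is not a JSON object, and do it with an UnexpectedValueException so it stays on the \Exception side rather than becoming a TypeError), as an added example that is not part of this issue or of php-jwt's own code. The `decodePayloadAsObject` and `base64UrlDecode` helpers are hypothetical names; signature verification is deliberately left out so that only the return-type enforcement is shown, and the sample tokens are constructed inline.

```php
<?php
declare(strict_types=1);

// Added example; not php-jwt's own code. Only the payload segment is decoded
// and no signature is verified here, so never use this as a real JWT decoder.

function base64UrlDecode(string $input): string
{
    $remainder = strlen($input) % 4;
    if ($remainder !== 0) {
        $input .= str_repeat('=', 4 - $remainder);
    }
    // strict mode so stray characters fail instead of being silently skipped
    $decoded = base64_decode(strtr($input, '-_', '+/'), true);
    if ($decoded === false) {
        throw new UnexpectedValueException('Invalid base64url segment');
    }
    return $decoded;
}

function base64UrlEncode(string $input): string
{
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

/**
 * Decode the payload segment of a JWT and guarantee the result is an object.
 *
 * @return object
 * @throws UnexpectedValueException when the payload is malformed or not a JSON object
 */
function decodePayloadAsObject(string $jwt): object
{
    $segments = explode('.', $jwt);
    if (count($segments) !== 3) {
        throw new UnexpectedValueException('Wrong number of segments');
    }

    $payload = json_decode(base64UrlDecode($segments[1]), false, 512, JSON_BIGINT_AS_STRING);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new UnexpectedValueException('Invalid payload JSON: ' . json_last_error_msg());
    }

    // The check the issue asks for: "abc", 42, true, null or [1,2] are all valid
    // JSON, so json_decode accepts them, but a caller reading ->exp or ->sub
    // would then fail. Reject anything that is not an object, explicitly.
    if (!is_object($payload)) {
        throw new UnexpectedValueException(
            'Payload must be a JSON object, got ' . gettype($payload)
        );
    }

    return $payload;
}

// Constructed sample tokens: a placeholder header and a dummy signature segment.
$header      = base64UrlEncode('{"alg":"HS256","typ":"JWT"}');
$objectToken = $header . '.' . base64UrlEncode('{"sub":"1234","exp":1700000000}') . '.sig';
$stringToken = $header . '.' . base64UrlEncode('"just a string"') . '.sig';
$arrayToken  = $header . '.' . base64UrlEncode('[1,2,3]') . '.sig';

echo decodePayloadAsObject($objectToken)->sub, PHP_EOL;

foreach ([$stringToken, $arrayToken] as $token) {
    try {
        decodePayloadAsObject($token);
    } catch (UnexpectedValueException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The explicit `is_object` check is what lets the docblock's `@return object` be trusted by static analysis: with the check in place, the non-object branch is unreachable from the caller's point of view, so a redundant `is_object` on the result is correctly flagged, and code that accesses properties on the result is correctly considered safe. Declaring `: object` natively without the check would still stop the bad value from escaping, but as a TypeError, which is the \Error-versus-\Exception distinction the reporter raises.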