feat: adds payload to exceptions

[DanteMarshal]

• Add payload to following exceptions :
  • ExpiredException
  • Signature Exception

• Add and Run Tests

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[googlebot]

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

[googlebot]

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

[DanteMarshal]

Travis failing on checkstyle with nothing but this information :

---------- begin diff ----------

--- Original

+++ New

@@ @@

 }

+

----------- end diff -----------

Can someone help please ? I don't know what I should do here.

[Krisell]

Can someone help please ? I don't know what I should do here.

I think you're missing a newline at the end of the file, i.e. an empty line 13.

[bendoh]

Awesome, thanks for the PR!!

I’m a bit uncertain about attaching the payload to a SignatureInvalidException : is the payload even meaningful if it was never cryptographically valid? My intuition says no: the token isn’t valid and shouldn’t be parsed in any way.

[DanteMarshal]

Yes, As mentioned by @Krisell in #291 ...

One could argue that decoding and returning the data is "processing", thus not complying with the standard.

But maybe someone needs to access the data in payload in order to process the exception, or perhaps for logging reasons. I believe Processing means using the payload in calculations for returning a response; which does not include logging on the server-side and inner exception handling stuff. At least for me, that was the reason I required it, because I needed to see a part of the payload after after it was expired to use it for future logging.

[bendoh]

Picking this back up cuz I really want this feature. My earlier point is that if the token is not cryptographically valid (its signature doesn't match its payload) then the whole token is invalid, payload and all, and should just be flatly rejected. There's no guarantee that the payload is even valid JSON here, unlike in the expired case, where the payload JSON is necessarily valid since it had to be decoded in order to determine the expiration time.

[DanteMarshal]

Well the developer already knows it's invalid, cuz it's inside an exception; Why would anyone use that to process responses ?
But still won't hurt to keep it in case someone needs that.

Btw @bendoh, just a sidenote; If you're really in a hurry you can just make a copy of the library, make the changes you need and put it inside your project's files. I did that cuz I wasn't gonna wait for this to be merged.

[Dwarfex]

Only because the token is expired, doesn't mean, all its values are invalid.

You are right, when you say the token (as a whole) should not be processed.
Nevertheless i would expect my software that builds upon this library to decide.

I for example would like to access a refresh token stored within an expired token - that is by your definition invalid and MUST NOT be processed by the (low-level) php-jwt library.

Thus my highlevel logic doesn't work anymore.

In my opinion the library should mark the token as invalid and let the highlevel logic decide wheater to discard the "invalid" token.

btw - just for the lulz: https://youtu.be/4HJ-Y8YTo8Q

[edervishaj]

Any specific reason why this is not being merged?

[bshaffer]

I don't think we want this feature. I'm not convinced it's useful.

[bshaffer]

After reading the linked issue and seeing the amount of traffic, I don't see any reason why we can't reopen and merge this. I will create a new PR and add some changes.