'iat' added to payload should be an int #33
Comments
|
Thanks man, good catch! Would you mind sending a PR? :) |
|
the problem is that changing forcing it to be an int as done in the PR old tokens might be invalid. |
|
I stumbled across this issue as well. The tokens generated usign this lib are not compatible with https://github.com/auth0/node-jsonwebtoken and we were forced to use an ugly workaround. As per RFC, As for backward compatibility, I think a version bump would be enough so developers won't upgrade by mistake. |
|
@shark0der it's not only BC, you have to think that all old tokens will be considered invalid, so we need a mechanism to allow for an easier migration -- else imagine all your logged in users will be logged out as soon as you deploy. For some it's not a problem, for some others its quite annoying. Anyhow, we'll think of something with @cirpo this week and will let you know -- feel also free to come up with a PR that address the issue of verifying old tokens where iat and other parameters are strings. |
|
Ok, I missed this when I created my pull request. No guarantees of a more extensive patch from my end only because we're not using the verification in this application. Good to know that others were already looking at the issue however. |
|
@odino what I actually meant to say was a major/minor version bump, not just the patch number (considering a major.minor.patch versioning scheme). This way, packages that still depend on jose will not update by mistake. |
|
👍 -- I think what we will do is to go for the major version bump and will share a snippet on how to overcome having everyone logging out |
- [x] Test to check backwards compatibility added
- [x] Test to check backwards compatibility added - [x] Exp should be an integer too - [x] supports string as of now for backwards compatibility - [x] Uses time function instead of $now->getTimestamp()
- [x] Adds tests to check backwards compatibility added - [x] Makes exp an integer too - [x] Supports string as of now for backwards compatibility - [x] Uses time function instead of $now->getTimestamp() - [x] Adds tests section in readme
- [x] Makes iat and exp as integer - [x] Uses time function instead of $now->getTimestamp() - [x] Adds tests section and backwards compatibility notice in readme - [x] Adds tests for iat and exp to be integer
- [x] Makes iat and exp as integer - [x] Uses time function instead of $now->getTimestamp() - [x] Adds tests section and backwards compatibility notice in readme - [x] Adds tests for iat and exp to be integer
- [x] Makes iat and exp as integer - [x] Uses time function instead of $now->getTimestamp() - [x] Adds tests section and backwards compatibility notice in readm - [x] Adds tests for iat and exp to be integer - [x] Uses `setExpectedException` in new tests to support php 5.5 with phpunit 4.x
- [x] Makes iat and exp as integer - [x] Uses time function instead of $now->getTimestamp() - [x] Adds tests section and backwards compatibility notice in readm - [x] Adds tests for iat and exp to be integer - [x] Uses `setExpectedExceptionRegExp` in new tests to support php 5.5 with phpunit 4.x
Fixes #33 - iat added to payload should be an int
It encoded as string now, and it should be a number:
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.6
"Its value MUST be a number containing a NumericDate value"
The text was updated successfully, but these errors were encountered: