Fix token verification where original token was encoded with whitespace #110
Conversation
Currently, the original token string it not stored anywhere. This token is decoded and those decoded values are stored. When you try to verify the signature, the header and payload are then re-encoded and checked against the signature. The issue with this is that the original formatting is lost when re-encoding the token. This change uses the original token, if present, to verify the signature against.
| return sprintf('%s.%s', $parts[0], $parts[1]); | ||
| } | ||
|
|
||
| return $this->generateSigninInput(); |
There was a problem hiding this comment.
hey @jshayes thanks for this! Any reason we would need to fallback to the original generateSigninInput?
There was a problem hiding this comment.
@odino I just did it this way to not impact the existing interface. If the token is generated using the load method, then it should never reach this line. However, it is possible to create the token without going through the load method, in which case it is possible $this->originalToken was not set and it will fallback to the original generateSigninInput method.
I can handle this differently if you'd like.
There was a problem hiding this comment.
how can we create the token without going through the load method? Sorry, just trying to remember :)
There was a problem hiding this comment.
All the methods to build the state of the token are publicly exposed, so you can call them to create a token manually. For example, you can create a new instance of JWS and then call setHeader and setPayload to build the token.
Fixes #109
Currently, the original token string it not stored anywhere. This token is decoded and those decoded values are stored. When you try to verify the signature, the header and payload are then re-encoded and checked against the signature. The issue with this is that the original formatting is lost when re-encoding the token. This change uses the original token, if present, to verify the signature against.