setPayload flag and customized header properties #21
Conversation
|
@Spomky interested in giving a look too? |
| } | ||
| } | ||
|
|
||
| parent::__construct(array(), $header); |
There was a problem hiding this comment.
TBH I think this will be confusing, as the algorith can either be the algorithm itself or a dictionary or headers. I think we should change the constructor rather than have this as it leads to misunderstanding and legacy
There was a problem hiding this comment.
Yeah, I'm okay with that, I was just trying to maintain backwards compatibility to prevent the big version bump.
|
thanks man! I just have a couple things I want to clarify before being able to merge this. If we change the public API - as we probably should - then we also need to modify the README and I will bump the version to cheers! |
|
Yep, see my comments. Do you want to tackle the 3.0 bump changes? |
|
yeah super open to keep the code as simple as possible even if it require On Mon, Jan 19, 2015 at 8:36 PM, Brian J. Miller notifications@github.com
Nadalin Alessandro |
|
btw are you using this branch anywhere in production? :) |
|
No, ultimately (within the next couple weeks?) it will be a dependency in the OSS lib here: |
|
ok :) @Spomky any comment? |
|
@odino finally got to this one. Changes include switching |
|
i think im generally ok with this! @Spomky do you want to provide some feedback? |
|
Hi, I think it is useless to go deep into the explanation. IMO the following description is enough: |
|
BTW I think a nice way to handle with this problem is to:
That way its easier for people to pick which one to use and we keep the JWS class as simple as possible. Thoughts? |
|
@Spomky that seems reasonable on the doc string, I might link directly to the JWS rfc as well as a suggestion of what "should" be there. I called out those two properties in particular to show that 'typ' has a default and because 'alg' is the bear minimum which used to be constructed for you. Seems like we're moving away from that which is fine. @odino what would the new class be called? Would the constructor of the new class still take the header as its argument or would you revert it to what the original constructor in 2.x accepted? |
|
I went ahead with some of these changes. I created a new class called I also updated the doc strings per @Spomky and updated the README to call out the JWT -> JWS -> EasyJWS structure. @odino please have a look. thanks. |
|
looks good! any suggestion for the class name instead of |
|
Yeah, +1 if someone has a better suggestion, that was the best I could come up with. |
|
hey brian could you please rebase your changes? |
|
@odino rebased. Probably someone should review in light of the encoder changes, etc. that landed. I skimmed them but didn't look at them closely. Tests are passing as much as they were. Would be nice to get the 3 failures eliminated. |
|
WDYM by the 3 failure aliminated? :) |
|
I've been getting 3 failures consistently from the test suite since first started using the library. I think it may be environment specific, I thought I'd seen Travis blow up with the same but I can't seem to find that now. Here is the output from my environment: |
|
@odino anything else needed here? |
|
sorry man :( had very little time lately and we also had to rework on this library due to this Ill try to give it a shot this weekend though I cant promise anything :-S |
|
Catching up now on https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/. Presumably this PR needs to be rebased again and potentially examined based on how it handles the header. |
|
oh yeah, definitely :( I think it actually needs to be rebased cause we pushed some fixes a few weeks ago to exactly target those vulnerabilities |
|
@odino rebased again, would love to get this landed so that we can push forward with our other library's additions, dependencies are hard :-). |
|
@brianjmiller could you please rebase it again? We just created version 3.0.0 which includes phpSeclib |
|
Merging this change would then bump to 4.0.0 because it is non-backwards compatible. This will be the third rebase, will it actually be merged in timely manner? I can't continue to spend time rebasing and sitting on projects waiting on the dependency. Alternatively I could revert to the original implementation which didn't cause the backwards incompatible breakage, but was not prefer from a "complexity" of code standpoint. Either way appreciate the efforts, just need to make progress, thanks @cirpo. |
|
@brianjmiller yes, we will bump up to 4.0.0 and yes I will merge it in less than 24h! sorry and thanks a lot for your patience |
|
@brianjmiller it would be great if you can also modify the README pointing out the incompatibility between 4.0.0 and 3.0.0 |
* Switch JWS constructor to accept header as array * Includes bump to major version 4 in README * Move auto claim handling into new EasyJWS class
|
@cirpo squashed + rebased. The number of commits was getting pretty ugly from the rebases (the conflict fixes) so I figured I'd clean up the history a bit. |
|
@brianjmiller thanks, I'm gonna look into that today, thanks |
| @@ -100,16 +97,6 @@ public function testVerificationRS256() | |||
| $this->assertEquals('b', $payload['a']); | |||
| } | |||
|
|
|||
| public function testValidationOfAValidJWS() | |||
There was a problem hiding this comment.
is there any reason why these tests are deleted?
There was a problem hiding this comment.
The tests are specifically hitting the valid method which is moved into the EasyJWS class, so the corresponding tests got moved into EasyJWSTest. The other tests in this file hit verify which is the important method for the base JWS class after these changes.
|
@brianjmiller I made some comments, could you also please mention the differences between version 2, 3 and 4 in the README? Otherwise I will merge the PR, commit with an updated README/CHANGELOG and tag it 4.0. |
|
@cirpo should be addressed. I wasn't clear on the bump from 1 to 2 or whether there were prior releases, you'd have to round that out if you want it. |
|
@cirpo updated with indication in README. |
|
@brianjmiller thank you! I was thinking about the EasyJws name, what about SimpleJWS? |
|
I think I went "Easy" because it implies the public interface is easy to use, as opposed to "Simple" because that might imply under featured. It honestly doesn't matter much to me, I don't love either :-). |
|
@cirpo new commit EasyJWS -> SimpleJWS. |
|
@brianjmiller thanks, merging! |
setPayload flag and customized header properties
|
done and tagged! |
|
phew, thanks! |
Trying this one again. It provides but fixes the same that was in #20 (which addresses #19).
It also now adds the ability to set custom properties in the header and have the verification on the other end still work. This was achieved by adding to the constructor for the JWS object a way to pass the header as an array rather than just the two individual options. The constructor change was the least change to the
JWS::loadmethod. Alternatively we could do thegetHeader/setHeaderdance.Hopefully my tests have it covered this time. Note that I didn't alter the doc strings for the JWS constructor as I didn't know the best way to do so, nor whether it was worth publicizing. It might be left as an exercise for the reader who wants custom header properties.
Please have a look and let me know if any changes are needed. Thanks.