
Fix security vulnerability of JWT trusted device token
scheb committed Jul 8, 2018
1 parent 024b75e commit 8890c1e
Showing 2 changed files with 68 additions and 0 deletions.
8 changes: 8 additions & 0 deletions Security/TwoFactor/Trusted/JwtTokenEncoder.php
Expand Up @@ -50,6 +50,14 @@ public function decodeToken(string $token): ?Token
return null; // Could not decode token
}

try {
if (!$token->verify($this->signer, $this->applicationSecret)) {
return null;
}
} catch (\BadMethodCallException $e) {
return null;
}

if ($token->isExpired()) {
return null;
}
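Review bot: The new try/catch around verify() maps every BadMethodCallException to null without saying why that exception type is significant; presumably the JWT library throws it for a token that carries no signature at all (which is how an `alg: none` token reaches this point), but nothing in the hunk records that, and a later maintainer could remove the catch as dead code. A one-line comment above the try would pin the intent: `// verify() throws when the token carries no signature (e.g. alg "none"); treat it as invalid`. Since the only accepted algorithm is the one fixed by $this->signer, consider also rejecting the token when `$token->getHeader('alg')` differs from `$this->signer->getAlgorithmId()` before calling verify(), so acceptance does not rest solely on the library's internal algorithm comparison — confirm those accessors exist in the library version in use. The enclosing decodeToken() starts and ends outside the hunk.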
60 changes: 60 additions & 0 deletions Tests/Security/TwoFactor/Trusted/JwtTokenEncoderTest.php
Expand Up @@ -82,4 +82,64 @@ public function decodeToken_validToken_returnDecodedToken()
$this->assertInstanceOf(Token::class, $decodedToken);
$this->assertEquals(self::TOKEN_ID, $decodedToken->getClaim(self::CLAIM, false));
}

/**
* @test
*/
public function decodeToken_validAlgAndSignature_returnDecodedToken()
{
$encodedToken = sprintf(
'%s.%s.%s',
base64_encode('{"typ":"JWT","alg":"HS256"}'),
'eyJ0ZXN0IjoidG9rZW5JZCJ9',
'LZGo1rmO-iHr5U489XaSC1io7l821fmFSIlOKcZ-c24'
);

$this->assertInstanceOf(Token::class, $this->encoder->decodeToken($encodedToken));
}

/**
* @test
*/
public function decodeToken_ignoredAlgNone_returnNull()
{
$encodedNoneAlgToken = sprintf(
'%s.%s.%s',
base64_encode('{"typ":"JWT","alg":"none"}'), // Modified the algorithm from 'HS256' to 'none'
'eyJ0ZXN0IjoidG9rZW5JZCJ9',
'LZGo1rmO-iHr5U489XaSC1io7l821fmFSIlOKcZ-c24'
);

$this->assertNull($this->encoder->decodeToken($encodedNoneAlgToken));
}

/**
* @test
*/
public function decodeToken_ignoredAlgTest_returnNull()
{
$encodedTestAlgToken = sprintf(
'%s.%s.%s',
base64_encode('{"typ":"JWT","alg":"test"}'), // Modified the algorithm from 'HS256' to 'test'
'eyJ0ZXN0IjoidG9rZW5JZCJ9',
'LZGo1rmO-iHr5U489XaSC1io7l821fmFSIlOKcZ-c24'
);

$this->assertNull($this->encoder->decodeToken($encodedTestAlgToken));
}

/**
* @test
*/
public function decodeToken_validAlgWrongSignature_returnNull()
{
$encodedInvalidSignatureToken = sprintf(
'%s.%s.%s',
base64_encode('{"typ":"JWT","alg":"HS256"}'),
'eyJ0ZXN0IjoidG9rZW5JZCJ9',
'invalid'
);

$this->assertNull($this->encoder->decodeToken($encodedInvalidSignatureToken));
}
}
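Review bot: The two algorithm-tampering tests, decodeToken_ignoredAlgNone_returnNull and decodeToken_ignoredAlgTest_returnNull, may pass for the wrong reason: their header JSON is 26 bytes, so base64_encode() appends a `=` that is not valid base64url, while the HS256 header in decodeToken_validAlgAndSignature_returnDecodedToken is 27 bytes and needs no padding. If the parser rejects the padded header, decodeToken() returns null from the earlier "Could not decode token" path and the new signature check is never reached by these tests. Build the header segment with a base64url helper such as `rtrim(strtr(base64_encode($json), '+/', '-_'), '=')` in all four tests so the negative cases exercise the verify() branch. A token carrying a correct HS256 signature computed under a different secret is also not covered; the `'invalid'` signature case only checks a malformed signature. The method decodeToken_validToken_returnDecodedToken begins outside the hunk.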
