
a3e06777fb6e5a0adcbb19ff53254d059b53efd0 — François Kooman 4 years ago 5fdd2d7
small comment changes
1 files changed, 6 insertions(+), 7 deletions(-)

M src/Jwt.php
M src/Jwt.php => src/Jwt.php +6 -7
@@ 79,13 79,12 @@ abstract class Jwt
    public function decode($jwtStr)
    {
        $jwtParts = self::parseToken($jwtStr);
        // we do NOT need to parse the header in order to verify the signature
        if (false === $this->verify($jwtParts[0].'.'.$jwtParts[1], Base64UrlSafe::decode($jwtParts[2]))) {
            throw new JwtException('invalid signature');
        }

        // as we do not need any information from the header BEFORE checking
        // the signature, we only verify it AFTER checking the signature.
        // --> verify signature before parsing best-practice.
        // check the header contents AFTER the signature verification...
        $headerData = Json::decode(Base64UrlSafe::decode($jwtParts[0]));
        $this->checkHeader($headerData);



@@ 156,15 155,15 @@ abstract class Jwt
     *
     * @return void
     */
    private function checkHeader(array $jwtHeaderData)
    private function checkHeader(array $headerData)
    {
        if (!\array_key_exists('alg', $jwtHeaderData)) {
        if (!\array_key_exists('alg', $headerData)) {
            throw new JwtException('"alg" header key missing');
        }
        if ($this->getAlgorithm() !== $jwtHeaderData['alg']) {
        if ($this->getAlgorithm() !== $headerData['alg']) {
            throw new JwtException('unexpected "alg" value');
        }
        if (\array_key_exists('crit', $jwtHeaderData)) {
        if (\array_key_exists('crit', $headerData)) {
            throw new JwtException('"crit" header key not supported');
        }
    }
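Review bot: In decode(), the value produced on the `$headerData = Json::decode(Base64UrlSafe::decode($jwtParts[0]));` line goes straight into `checkHeader(array $headerData)`, so a token with a valid signature whose header segment decodes to a non-array JSON value (a string, number or null) would fail with a TypeError instead of the JwtException that every other malformed-token path throws — unless Json::decode itself guarantees an array, which is not visible in this hunk. A guard between those two lines keeps the failure mode uniform for callers that catch JwtException: `if (!\is_array($headerData)) { throw new JwtException('invalid header'); }`. The four comment lines above that call state the same rule twice ("we only verify it AFTER checking the signature" and "check the header contents AFTER the signature verification"); since this commit is already editing them, one line such as `// the header is only inspected AFTER the signature has been verified (verify-before-parse)` would carry the point. decode() continues past the end of the first hunk, and checkHeader() in the second hunk is only a parameter rename.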