fix: validate iat and nbf on payload #568

christiandavilakoobin · 2024-06-19T14:52:25Z

If a JWT has a nonumeric iat or nbf value, it throws a FATAL error when validating the field.

google-cla · 2024-06-19T14:52:28Z

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

robocoder · 2025-01-03T23:02:12Z

src/JWT.php

@@ -172,7 +182,7 @@ public static function decode(
        }

        // Check if this token has expired.
-        if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {
+        if (isset($payload->exp) && floor($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {


the floor() change here is unnecessary if the exception has already been thrown above

robocoder · 2025-01-03T23:02:59Z

overlaps with #453

fix: validate iat and nbf on payload

f4b20e0

christiandavilakoobin force-pushed the main branch from 1890da5 to f4b20e0 Compare June 21, 2024 08:27

robocoder reviewed Jan 3, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: validate iat and nbf on payload #568

fix: validate iat and nbf on payload #568

christiandavilakoobin commented Jun 19, 2024

google-cla bot commented Jun 19, 2024

robocoder Jan 3, 2025

robocoder commented Jan 3, 2025

fix: validate iat and nbf on payload #568

Are you sure you want to change the base?

fix: validate iat and nbf on payload #568

Conversation

christiandavilakoobin commented Jun 19, 2024

google-cla bot commented Jun 19, 2024

robocoder Jan 3, 2025

Choose a reason for hiding this comment

robocoder commented Jan 3, 2025