
Comments (9)

RobDWaller avatar RobDWaller commented on August 20, 2024

Hi, thanks for the question.

The library imposes strict secrets to increase the minimal level of security JWTs offer as it is relatively easy to crack a JWT if the secret is weak.

I would ask why your secret / secrets are only alphanumeric; how are you generating them?

If you wish to amend this functionality you can extend the validation class and override the secret method... https://github.com/RobDWaller/ReallySimpleJWT/blob/master/src/Validate.php#L88

Then inject this new validation class into the Parse class.

I hope that makes sense; let me know if you have any other questions.

Cheers, Rob

from reallysimplejwt.

yeevy avatar yeevy commented on August 20, 2024

The secret is generated by the 3rd party API provider. I don't have control over this.
I'm not sure if it's used for more things than the JWT secret so maybe it can't contain symbols.

I've extended the Validate class and overwritten the secret() method and then passed it into the Builder/Parser. It seems to be working locally but I'll give it a proper check over soon.

Thanks for your time/help Rob, and I really appreciate the flexibility of this library!

from reallysimplejwt.

RobDWaller avatar RobDWaller commented on August 20, 2024

No worries, I'll have a think about how this issue can be solved sensibly in a future release.

from reallysimplejwt.

ikozyrev3 avatar ikozyrev3 commented on August 20, 2024

@RobDWaller Hi Rob, I have the same issue, so I've extended the Validate class and overwritten the secret() method, but how can I inject this new validation class into the Parse class?
Can you please provide a code example?

from reallysimplejwt.

yeevy avatar yeevy commented on August 20, 2024

@ikozyrev3

In my main file I call the lib like this:

use ReallySimpleJWT\Exception\ValidateException;
use ReallySimpleJWT\Token;

// ABSPATH is the WordPress root constant; load Composer's autoloader if the library is not already available.
if (!class_exists('\ReallySimpleJWT\Token')) {
    require ABSPATH . 'vendor/autoload.php';
}

// Defines CustomValidate (see below), which must be loaded before Build() is called.
include_once('JWT-class-override.php');

and the JWT-class-override.php looks like this:

<?php

/*
 * We overwrite the secret method from ReallySimpleJWT\Validate.
 * This is because the ReallySimpleJWT library expects symbols and such in the `secret` and Credit Kudos don't provide that.
 */

class CustomValidate extends ReallySimpleJWT\Validate
{
    // Returning true unconditionally means Build::setSecret() will accept any
    // string, including an empty or very short one; the secret's strength is
    // then entirely down to whatever the third party generated.
    public function secret(string $secret): bool
    {
        return true;
    }
}

In the main file I then call the Build() myself like this:

$builder = new ReallySimpleJWT\Build('JWT', new CustomValidate(), new ReallySimpleJWT\Encode());

This is where the CustomValidate() from JWT-class-override.php is used instead of the default one :)

This seems to work fine for me, hopefully it's helpful for you too.

from reallysimplejwt.

yeevy avatar yeevy commented on August 20, 2024

@ikozyrev3

The old code was simple with $token = Token::customPayload($payload, $secret); but now I need to do $token = customPayload($payload, $secret); where customPayload is defined like this:

/**
 *
 * This is a really hacky fix but there is a problem with the library secret validation being too aggressive.
 * I've overridden the Validation class with a custom ->secret() and we pass this into the Builder/Parser.
 *
 * It should continue to work well but it's just messy.
 *
 * Requires `use ReallySimpleJWT\Exception\ValidateException;` and CustomValidate to be loaded (see the main file above).
 *
 * @param array  $payload  claim name => value; keys must be strings
 * @param string $secret   HMAC secret supplied by the third party
 * @return string the signed token
 * @throws ValidateException if a payload key is not a string
 */
function customPayload(array $payload, string $secret): string {
    // CustomValidate replaces the library's default secret rule.
    $builder = new ReallySimpleJWT\Build('JWT', new CustomValidate(), new ReallySimpleJWT\Encode());

    foreach ($payload as $key => $value) {
        if (is_int($key)) {
            throw new ValidateException('Invalid payload claim.', 8);
        }

        $builder->setPayloadClaim($key, $value);
    }

    return $builder->setSecret($secret)
        ->build()
        ->getToken();
}

from reallysimplejwt.
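The thread above shows the override injected into Build only, while ikozyrev3 also asked how to inject it into Parse. The following is an added example, not the library's code and not the commenters' code: it keeps a real minimum-entropy rule instead of returning true, injects the same validator into both Build and Parse, and exercises a round trip plus two failure cases. It assumes the ReallySimpleJWT 2.x constructor and method names used in this thread (Build/Parse/Jwt/Encode/Validate, setSecret, setPayloadClaim, setExpiration, validate, validateExpiration, parse, getPayload); the Composer autoload path, the 32-character threshold and the sample secret are assumptions for illustration.

```php
<?php
// Added example; assumes the ReallySimpleJWT 2.x API referenced in this thread.
// Autoload path is an assumption for illustration.
require __DIR__ . '/vendor/autoload.php';

use ReallySimpleJWT\Build;
use ReallySimpleJWT\Encode;
use ReallySimpleJWT\Exception\ValidateException;
use ReallySimpleJWT\Jwt;
use ReallySimpleJWT\Parse;
use ReallySimpleJWT\Validate;

/**
 * Replaces the library's character-class rule (upper, lower, digit, symbol)
 * with a length-and-variety rule, so an alphanumeric secret issued by a third
 * party is accepted when it carries enough entropy, while empty, short or
 * repetitive secrets are still refused. Thresholds are assumptions; tune them
 * to how the secret is actually generated.
 */
class LengthValidate extends Validate
{
    private const MIN_LENGTH = 32;       // ~190 bits if uniformly random alphanumeric
    private const MIN_DISTINCT_CHARS = 10; // cheap guard against "aaaa..." style values

    public function secret(string $secret): bool
    {
        $distinct = count(array_unique(str_split($secret)));
        return strlen($secret) >= self::MIN_LENGTH && $distinct >= self::MIN_DISTINCT_CHARS;
    }
}

/** Issue a token; the custom validator is injected into Build, where setSecret() applies the rule. */
function issueToken(array $payload, string $secret, int $ttlSeconds): string
{
    $builder = new Build('JWT', new LengthValidate(), new Encode());
    foreach ($payload as $claim => $value) {
        $builder->setPayloadClaim($claim, $value);
    }
    return $builder
        ->setSecret($secret)
        ->setIssuedAt(time())
        ->setExpiration(time() + $ttlSeconds)
        ->build()
        ->getToken();
}

/** Verify and parse a token; the same validator is injected into Parse so both sides agree. */
function readToken(string $token, string $secret): array
{
    $parser = new Parse(new Jwt($token, $secret), new LengthValidate(), new Encode());
    return $parser
        ->validate()            // token structure and HMAC signature
        ->validateExpiration()  // exp claim
        ->parse()
        ->getPayload();
}

// Constructed sample secret of the kind a third-party API hands out (not a real credential).
$secret = 'k7Gh2pQ9vX4mN8bR1tY6wZ3cL5dF0sA2eU9iO7jH';

$token  = issueToken(['sub' => 'user-42', 'scope' => 'read'], $secret, 300);
$claims = readToken($token, $secret);
echo 'round trip ok, sub=' . $claims['sub'] . "\n";

// A short secret is still refused, which is the property the library's rule exists to protect.
try {
    issueToken(['sub' => 'x'], 'tooshort', 300);
    echo "unexpected: weak secret accepted\n";
} catch (ValidateException $e) {
    echo 'weak secret rejected: ' . $e->getMessage() . "\n";
}

// Swapping the payload for a forged one invalidates the signature checked in readToken().
[$header, , $signature] = explode('.', $token);
$forgedPayload = rtrim(strtr(base64_encode('{"sub":"admin","scope":"read"}'), '+/', '-_'), '=');
try {
    readToken($header . '.' . $forgedPayload . '.' . $signature, $secret);
    echo "unexpected: forged token accepted\n";
} catch (ValidateException $e) {
    echo 'forged token rejected: ' . $e->getMessage() . "\n";
}
```

The point of keeping a rule rather than returning true is that setSecret() remains the one place a misconfigured or empty secret is caught before any token is signed with it; the two catch blocks show that the override weakens only the character-class requirement, not the signature check.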

RobDWaller avatar RobDWaller commented on August 20, 2024

Guys I'm really sorry for the slow response to this stuff. Been very busy, I'll try to add some extra documentation or a code improvement.

from reallysimplejwt.

RobDWaller avatar RobDWaller commented on August 20, 2024

Just an update on this, I'm hoping version 3.0 should provide an adequate solution to this problem. Should be released in Feb I hope.

from reallysimplejwt.

RobDWaller avatar RobDWaller commented on August 20, 2024

So I've now released version 3.0.0 of this package which should solve this problem now. See the amended documentation.

https://github.com/RobDWaller/ReallySimpleJWT#custom-secrets

from reallysimplejwt.
