robdwaller / reallysimplejwt Goto Github PK

Hi,

How can I reduce the length of the JWT token generated ?

Regards,

David

I was having trouble with an error that the Token::customPayload function didn't exist, and tracked it down to the fact that composer had installed v1.1 of reallysimplejwt. When I tried forcing it to install version 2.0, I get:

Package rbdwllr/reallysimplejwt at version 2.0 has a PHP requirement incompatible with your PHP version (7.0.33)

So which PHP version is required? Thanks!

Rob, there are a number of PHP syntax errors in the README doc examples. Fix these.

See this pull request as an example: #39

Not sure whether this is by design but when I created my token and then validated it, the nbf value is validated however that part of the token is not set hence it will always raise the error when validating it's own tokens.

Hi Rob,

We are currently implementing ReallySimpleJWT, but we have one question. When/how do we refresh the token? If we set an exp time of 3600 seconds, does the client need to contact the server for a new token, or does the server do this itself and send the new token whenever the client contacts the server?

The situation that made this question occur to me is like this: When the client needs to ask the server a new token every hour, but at the end of the day they shutdown their PC and go home. Do they need to log in that next morning, or will they contact the server with the old token and get an up-to-date one?

I hope I've made my question clear!

Kind regards :)

Due to string comparison, please use hash_equals() instead.

Hello,

While it was working flawlessly before, I suddenly got this error.

2022/01/03 22:28:51 [error] 2739#2739: *1635 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Call to undefined method ReallySimpleJWT\Token::validateExpiration() in /var/.......php:23

What could be the cause of this error?

Server: Nginx 1.18 PHP-FPM

Hi,

first thanks for this great piece of work. I am looking for a jwt php library, as I am not really experienced with php. But as this is a very critical part I tried to understand the implementation.

I had a hard time to understand why a hash is fed to the signature and there used as algorithm - until I figured out it was just the name of the variable that kept me away from understanding the code. Perhaps it would make complex things easier to understand if a algorithm is named as such...

Merry Christmas,
Dietmar

Nevermine I misread the docs.

A JWT is represented as a sequence of URL-safe parts separated by
period ('.') characters. Each part contains a base64url-encoded value.

RFC 7519 - section 3. The lib is using Base64 encoding and not Base64URL.

Maybe lcobucci/jose-parsing can help you 😉

notBefore fails if the request is checked in the same timestamp it was generated: timestamp is 1000ms vs a HTTP request of few 10 to 100ms.
replace
$notBefore < time()
by
$notBefore <= time()
in
Validate.php
this also does not allow for any clock drift between systems

I there any way of supporting 512 algrothim?

Hi Mr Waller,

Firstly, awesome library.

Secondly, I believe the readme needs an update.

validateExpiration is performed in validate, and validateExpiration is no longer part of Token?

I'm not too familiar with signing of JWT's, but there is a NGINX package here: ngx-http-auth-jwt-module that supports:

"The algorithm to use. One of: HS256, HS384, HS512, RS256, RS384, RS512"

I compiled that module and tried it out. It seems to work quite well. I had been using ReallySimpleJWT a little previously, so it was convenient when testing out that other NGINX package.

Does this package support asymmetric keys ? If not, is that something that could be added to the package ? That NGINX module also requires the 'password' if using HS256 to be in BINHEX format, which is fine, but just worth noting.

Stephen D. Scotti

$this->builder = new \ReallySimpleJWT\TokenBuilder();
$this->builder->addPayload(["key" => "UserID", "value" => $userId]) // $userId = 5
        ->setSecret(JWT::$SECRET_KEY) // = "sec!ReT423*&"
        ->setExpiration(date("Y-m-d H:i:s", strtotime('+1 hours')))
        ->setIssuer("MY-APP")
        ->build();

(Copied from documentation, just changed UserID)

Output:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVc2VySUQiOjUsImlzcyI6Ik1TQ1AiLCJleHAiOjE1MzU0NzY1NzYsInN1YiI6IiIsImF1ZCI6IiJ9.jCuaGJy3H1rkCjFwn4sIe9VetQ5wYgAz5NZD46YiKdgeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVc2VySUQiOjUsImlzcyI6Ik1TQ1AiLCJleHAiOjE1MzU0NzY1NzYsInN1YiI6IiIsImF1ZCI6IiJ9.jCuaGJy3H1rkCjFwn4sIe9VetQ5wYgAz5NZD46YiKdg

This contains 4x ., but it should only contain it 2 times.

https://jwt.io/ also tells "Invalid signature"

Im using PHP Version 7.2.8 with xampp.

greetings from germany
Jonas

Nothing to explain I SPENT ONE SUNDAY IN THIS LIBRARY
ReallyDoesn'tWorkJWT

just for test i created an index.php in scr folder
mycode:

<?php
include 'Token.php';
use ReallySimpleJWT\Token;

$token = Token::getToken('userIdentifier', 'secret', 'dateTimeString' | 'dateTimeNumber', 'issuerIdentifier');

full error message:
Fatal error: Uncaught Error: Class 'ReallySimpleJWT\TokenBuilder' not found in C:\wamp64\www\test\src\Token.php:77 Stack trace: #0 C:\wamp64\www\test\src\Token.php(28): ReallySimpleJWT\Token::builder() #1 C:\wamp64\www\test\src\index.php(5): ReallySimpleJWT\Token::getToken('userIdentifier', 'secret', 'dateTime_u\x7Fkow', 'issuerIdentifie...') #2 {main} thrown in C:\wamp64\www\test\src\Token.php on line 77

Relevance

We need to use separate secrets depending on the service/client that requires auth.

This is difficult with the current setup since we need the key to get the header in Token::getHeader()

We, therefore, need to parse and get the kid claim from the header ourselves first - repeating logic and complicating things.

Proposal

Something like:

<?php

declare(strict_types=1);

namespace ReallySimpleJWT;

/**
 * Value object for the generated JSON Web Token, takes the token and
 * the secret.
 *
 * @author Rob Waller <[email protected]>
 */
class Jwt
{
    /**
     * The JSON Web Token string
     *
     * @var string $token
     */
    private $token;

    /**
    * The secret used to create the JWT signature
    *
    * @var string $secret
    */
    private $secret;

    /**
     * JWT Constructor
     *
     * @param string $token
     * @param string|array $secret Array to auto-determine secret from kid=>secret mapping
     */
    public function __construct(string $token, $secret)
    {
        $this->token = $token;

        if (is_string($secret)) {
            $this->secret = $secret;

            return;
        }

        $this->secret = $secret[$this->getKid()];
    }

    /**
     * Return the JSON Web Token String
     *
     * @return string
     */
    public function getToken(): string
    {
        return $this->token;
    }

    /**
     * Return the secret used to encode the JWT signature
     *
     * @return string
     */
    public function getSecret(): string
    {
        return $this->secret;
    }

    /**
     * @return string
     */
    private function getKid(): string
    {
        $header = substr(
            $this->token,
            0,
            strpos($this->token, '.')
        );

        $header = json_decode(base64_decode($header), true);

        return $header['kid'];
    }
}

Question should say everything.
Why do i have to insert the token secret when i just want for example my uid value from the payload.
I mean when i am posting my token inside https://jwt.io/#debugger-io i can also just access my values.

Edit: Just figured out you can also just pass an empty string into the getPayload function. But please update your code and the documentation to make this argument optional!

Would be useful to have instructions on how to install / incorporate into PHP web page. I am an experienced programmer, but am admittedly new to PHP. The documentation is skant on how to get it going. A few sentences would go a long way to making what looks to be a great project - even better. Any help on how to get it going on my PHP site? What files are needed on the server? How to incorporate into an existing PHP website? Thank you in advance for the help.

The token generated and validated work perfectly on localhost, but not on the remote server. I get 500 Internal Server Error, without any php error.

PHP Version | 5.4.45-0+deb7u11

Hi,

I was trying to use this library to generate JWT tokens that could then be used to talk to another server running node (running express-jwt) however my tokens were getting rejected, after some digging I found that this library seemed to be generating the exp times as date strings rather than epoch numbers (even if you pass in an epoch number) I think this is because you are using a DateTime to parse the input and when you are outputting you're not using a formatter e.g. ->format('U')

I was in a bit of a rush so I've used a different library but thought I would flag it up for you. Some relevant links below for anyone looking to make a fix. I haven't checked but I'd guess it's probably the same with any other dates e.g. iss

exp time should be a NumericDate, definition of a NumericDate

While using my own secret, i am getting this error

Fatal error: Uncaught ReallySimpleJWT\Exception\ValidateException: Invalid secret. in /Applications/MAMP/htdocs/xxxxxxx/assets/libs/vendor/rbdwllr/reallysimplejwt/src/Build.php:153

What is purpose of validating secret while building jWT?

if (!$this->secretValidator->validate($secret)) {
  throw new ValidateException('Invalid secret.', 9);
}

I am currently using php 7.0 on my prod server, and composer installs version 1.x which is not found by autoloader.

Locally I got the version 2.x and works great. only 7.0 has a bug in the autoloader.

Hi there!!

I read your blog post and am trying to implement your library in my current project. I'm using the illuminate/database component from Laravel, which installs the illuminate/support package, which requires nesbot/carbon "^1.24.1".

I'm getting the following output when attempting to require your package into my project:

- Conclusion: don't install rbdwllr/reallysimplejwt 1.0.4
- Conclusion: don't install rbdwllr/reallysimplejwt 1.0.3
- Conclusion: don't install rbdwllr/reallysimplejwt 1.0.2
- Conclusion: don't install rbdwllr/reallysimplejwt 1.0.1
- Conclusion: remove nesbot/carbon 1.32.0
- Installation request for rbdwllr/reallysimplejwt ^1.0 -> satisfiable by rbdwllr/reallysimplejwt[1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4].
- Conclusion: don't install nesbot/carbon 1.32.0
- rbdwllr/reallysimplejwt 1.0.0 requires nesbot/carbon 1.22.* -> satisfiable by nesbot/carbon[1.22.0, 1.22.1].
- Can only install one of: nesbot/carbon[1.22.0, 1.32.0].
- Can only install one of: nesbot/carbon[1.22.1, 1.32.0].
- Installation request for nesbot/carbon (locked at 1.32.0) -> satisfiable by nesbot/carbon[1.32.0].

I'm not too familiar with the workings of the carbon library, but was wondering if this could be resolved or not?

Thanks again and awesome package.

I'm using PHP 7.1, MySQL 5.6 and NGINX on Ubuntu 16.04 server

It would appear the server returns a malformed JWT string without payload.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..cZDpuZIgW0341pb7-4t-rRnhrItIIPfBknARJInVPz4

My PHP code:

$token = $builder->addPayload(["key" => "userId", "value" => $user->getId()])
                     ->addPayload(["key" => "firstName", "value" => $user->getFirstName()])
                     ->addPayload(["key" => "lastName", "value" => $user->getLastName()])
                     ->addPayload(["key" => "email", "value" => $user->getEmail()])
                     ->addPayload(["key" => "role", "value" => $user->getRole()])
                     ->addPayload(["key" => "phone", "value" => $user->getPhone()])
                     ->setSecret("@NFmuyc9k*Ia")
                     ->setExpiration(time() + 18000)
                     ->setIssuer("127.0.0.1")
                     ->build();
    echo json_encode($token);

I'm trying to generate a JWT to use with 3rd party API.

The secret/key I have doesn't contain any symbols (alphanumeric only) so I can't get this library to generate a valid JWT that the 3rd party will accept.

Is there a reason the secret is validated in such a way? Can it be loosened to allow alphanumeric only secrets? Is it part of the JWT 'spec' for it need to contain symbols?

Thanks for this cool project.

Some small possible improvements:

• You define a DateTime class that provides and interface to the Carbon Date Time library.
  So use it everywhere and do not expose / use Carbon classes elsewhere.

• You split and decode the same token more than once when you validate it and get it's payload.
  (The first time in Token::validate and a second time in Token::getPayload)
  Validate expiration decode the payload and json_decode it. You do it again in Token::getPayload

Have fun.

Hi! I'm currently using your library in a refactoring of a legacy application around the Container of Laravel, rewriting all to get it into the full framework would be too costly. This library is currently helping me a lot to implement a sane authentication.

I'm just about to get into the authorization and I was thinking about using the audience claim, so I'd like to know if you have any plans or would be accepting PR to implement this as part of the library itself. Or don't and it should be something I could implement in a separate package.

Thanks for contributing this to the community and I look forward to a contribution if you are interested.

There is a mistake in the ReadMe documentation. It currently reads.

<?php

use ReallySimpleJWT\TokenBuilder;

$builder = new TokenBuilder();

$token = $builder->addPayload('key', 'value')
    ->addPayload(['key' => 'foo', 'value' => 'bar'])
    ->setSecret($secret)
    ->setExpiration($expiration)
    ->setIssuer($issuer)
    ->build();

You should remove the first addPayload method as it is wrong.

It's seems it is feasible the jsonDecode method in the JsonEncoder helper can return null in some cases, an issue to be looked at.

TypeError: Return value of ReallySimpleJWT\Parse::jsonDecode() must be of the type array, null returned

vendor/rbdwllr/reallysimplejwt/src/Helper/JsonEncoder.php:35
vendor/rbdwllr/reallysimplejwt/src/Parse.php:250
vendor/rbdwllr/reallysimplejwt/src/Parse.php:221
vendor/rbdwllr/reallysimplejwt/src/Parse.php:106

Hello,

I want to expire/kill a currently active Token. Is this possible?

Thank you for your work!

If any property of the payload is a string with accents this function ( Token::validate($token, $secret);) returns false without entering in any catch clause.
Example: "name": "Gerard Hernàndez",