Hi guys, I'm working on a piece of code that should accept a JWT generated by another library. I've set up the SignedWith constraint and it's working fine, but I'm struggling with the expiration. Here's an example of the token I get:

And here's my code:

```php
try {
    $signer = new Sha512();
    $key = InMemory::plainText('secret');
    $config = Configuration::forSymmetricSigner(
        $signer,
        $key
    );
    $legacyToken = $request->request->get('legacyToken');
    if (!$legacyToken) {
        throw new BadRequestHttpException($this->translator->trans('missing_legacy_token_in_request', [], 'auth'));
    }
    $decodedToken = $config->parser()->parse($legacyToken);
    assert($decodedToken instanceof UnencryptedToken);
    $clock = new SystemClock(new \DateTimeZone('UTC'));
    $config->setValidationConstraints(new StrictValidAt($clock));
    $config->setValidationConstraints(new SignedWith($signer, $key));
    $constraints = $config->validationConstraints();
    $config->validator()->assert($decodedToken, ...$constraints);
} catch (RequiredConstraintsViolated $e) {
    return $this->json(['error' => $this->translator->trans('invalid_legacy_token_in_request', [], 'auth')], Response::HTTP_UNAUTHORIZED);
}
```

Problem is: I can put any datetime in the token, this code will always consider it as "valid". What am I missing?
As the method name suggests, `$config->setValidationConstraints` doesn't append constraints, it sets them, so the last call overwrites the previous ones. The following edit is enough:

```php
$config->setValidationConstraints(
    new StrictValidAt($clock),
    new SignedWith($signer, $key)
);
```

The upcoming version v4.2 will contain a simplified API that should ease DX like this.

Indeed, I did not think about that. To be honest, I found the documentation very "light" on this topic (= no mention of setValidationConstraint() and how to use it. I had to guess by looking in the library code). It would probably be a good idea to update it ;) Thanks a lot!
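A complete script, added here as an illustration (not code from the discussion or from the library's documentation), that shows the merged constraint list from the first reply rejecting an expired token while the same token passes one minute after issue. It assumes lcobucci/jwt 4.x and lcobucci/clock installed via Composer; the key, the timestamps and the helper name `validateLegacyToken` are constructed for the demo.

```php
<?php
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php'; // assumes lcobucci/jwt 4.x + lcobucci/clock

use Lcobucci\Clock\Clock;
use Lcobucci\Clock\FrozenClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha512;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\UnencryptedToken;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

// Constructed demo secret; a real HMAC key is random and at least 32 bytes long.
const DEMO_KEY = 'constructed-demo-key-0123456789abcdef0123456789abcdef';

/** Returns the violation messages, or [] when the token satisfies every constraint. */
function validateLegacyToken(Configuration $config, string $jwt, Clock $clock): array
{
    $token = $config->parser()->parse($jwt);
    assert($token instanceof UnencryptedToken);
    // Both constraints in ONE call: a second setValidationConstraints() call
    // would replace this list instead of extending it.
    $config->setValidationConstraints(
        new StrictValidAt($clock),
        new SignedWith($config->signer(), $config->verificationKey())
    );
    try {
        $config->validator()->assert($token, ...$config->validationConstraints());
        return [];
    } catch (RequiredConstraintsViolated $e) {
        return array_map(static fn ($v) => $v->getMessage(), $e->violations());
    }
}

$config   = Configuration::forSymmetricSigner(new Sha512(), InMemory::plainText(DEMO_KEY));
$issuedAt = new DateTimeImmutable('2024-01-01T12:00:00Z'); // constructed issue time

// StrictValidAt requires iat, nbf and exp, so the demo token carries all three.
$jwt = $config->builder()
    ->issuedAt($issuedAt)
    ->canOnlyBeUsedAfter($issuedAt)
    ->expiresAt($issuedAt->modify('+5 minutes'))
    ->getToken($config->signer(), $config->signingKey())
    ->toString();

// One minute after issue: inside the lifetime, no violations.
var_dump(validateLegacyToken($config, $jwt, new FrozenClock($issuedAt->modify('+1 minute'))));
// Ten minutes after issue: StrictValidAt reports the expiry even though the signature is valid.
var_dump(validateLegacyToken($config, $jwt, new FrozenClock($issuedAt->modify('+10 minutes'))));
```

Swapping the two `setValidationConstraints()` lines from the question back in, and checking `count($config->validationConstraints())`, shows why the original code never failed: only the last constraint survives.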