Skip to content

Commit ac79986

Browse files
joshuarueswegjoshuaruesweg
committed
Ensure numeric type of iat and nbf parameters
1 parent 018dfc4 commit ac79986

File tree

1 file changed

+26
-8
lines changed

1 file changed

+26
-8
lines changed

src/JWT.php

Lines changed: 26 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -142,19 +142,31 @@ public static function decode(
142142

143143
// Check the nbf if it is defined. This is the time that the
144144
// token can actually be used. If it's not yet that time, abort.
145-
if (isset($payload->nbf) && $payload->nbf > ($timestamp + static::$leeway)) {
146-
throw new BeforeValidException(
147-
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->nbf)
148-
);
145+
if (isset($payload->nbf)) {
146+
if (!is_int($payload->nbf)) {
147+
throw new UnexpectedValueException('The property nbf must be of type integer.');
148+
}
149+
150+
if ($payload->nbf > ($timestamp + static::$leeway)) {
151+
throw new BeforeValidException(
152+
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->nbf)
153+
);
154+
}
149155
}
150156

151157
// Check that this token has been created before 'now'. This prevents
152158
// using tokens that have been created for later use (and haven't
153159
// correctly used the nbf claim).
154-
if (isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
155-
throw new BeforeValidException(
156-
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat)
157-
);
160+
if (isset($payload->iat)) {
161+
if (!is_int($payload->iat)) {
162+
throw new UnexpectedValueException('The property iat must be of type integer.');
163+
}
164+
165+
if ($payload->iat > ($timestamp + static::$leeway)) {
166+
throw new BeforeValidException(
167+
'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat)
168+
);
169+
}
158170
}
159171

160172
// Check if this token has expired.
@@ -194,6 +206,12 @@ public static function encode(
194206
if (isset($head) && \is_array($head)) {
195207
$header = \array_merge($head, $header);
196208
}
209+
if (isset($payload['nbf']) && !is_int($payload['nbf'])) {
210+
throw new UnexpectedValueException('The property nbf must be an integer containing a unix timestamp.');
211+
}
212+
if (isset($payload['iat']) && !is_int($payload['iat'])) {
213+
throw new UnexpectedValueException('The property nbf must be an integer containing a unix timestamp.');
214+
}
197215
$segments = [];
198216
$segments[] = static::urlsafeB64Encode((string) static::jsonEncode($header));
199217
$segments[] = static::urlsafeB64Encode((string) static::jsonEncode($payload));

0 commit comments

Comments
 (0)