diff --git a/jwt.c b/jwt.c
index 976964a..c4dd9b3 100644
--- a/jwt.c
+++ b/jwt.c
@@ -349,7 +349,12 @@ int jwt_verify_body(char *body, zval *return_value)
 err_msg = msg; \
 } while(0);
- /* Expiration */
+ /* set expiration and not before */
+ JWT_G(expiration) = jwt_hash_str_find_long(return_value, "exp");
+ JWT_G(not_before) = jwt_hash_str_find_long(return_value, "nbf");
+ JWT_G(iat) = jwt_hash_str_find_long(return_value, "iat");
+
+ /* expiration */
 if (JWT_G(expiration) && (curr_time - JWT_G(leeway)) >= JWT_G(expiration))
 FORMAT_CEX_MSG("Expired token", jwt_expired_signature_cex);
@@ -357,15 +362,14 @@ int jwt_verify_body(char *body, zval *return_value)
 if (JWT_G(not_before) && JWT_G(not_before) > (curr_time + JWT_G(leeway)))
 FORMAT_CEX_TIME(JWT_G(not_before), jwt_before_valid_cex);
+ /* iat */
+ if (JWT_G(iat) && JWT_G(iat) > (curr_time + JWT_G(leeway)))
+ FORMAT_CEX_TIME(JWT_G(iat), jwt_invalid_iat_cex);
+
 /* iss */
 if (jwt_verify_claims_str(return_value, "iss", JWT_G(iss)))
 FORMAT_CEX_MSG("Invalid Issuer", jwt_invalid_issuer_cex);
- /* iat */
- if (JWT_G(iat) && JWT_G(iat) > (curr_time + JWT_G(leeway))) {
- FORMAT_CEX_TIME(JWT_G(iat), jwt_invalid_iat_cex);
- }
-
 /* jti */
 if (jwt_verify_claims_str(return_value, "jti", JWT_G(jti)))
 FORMAT_CEX_MSG("Invalid Jti", jwt_invalid_jti_cex);
@@ -462,11 +466,6 @@ static void php_jwt_encode(INTERNAL_FUNCTION_PARAMETERS) {
 goto encode_done;
 }
- /* set expiration and not before */
- JWT_G(expiration) = jwt_hash_str_find_long(payload, "exp");
- JWT_G(not_before) = jwt_hash_str_find_long(payload, "nbf");
- JWT_G(iat) = jwt_hash_str_find_long(payload, "iat");
-
 /* init */
 array_init(&header);
diff --git a/tests/014.phpt b/tests/014.phpt
new file mode 100644
index 0000000..5c03911
--- /dev/null
+++ b/tests/014.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ISSUE #18 expiration time bug
+--SKIPIF--
+
+--FILE--
+ 'HS256']);
+} catch (ExpiredSignatureException $e) {
+ // Handle expired token
+ echo "FAIL\n";
+}
+?>
+--EXPECT--
+FAIL
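Review bot: The three new lookups that populate JWT_G(expiration), JWT_G(not_before) and JWT_G(iat) feed checks that use 0 as the "claim absent" sentinel (`if (JWT_G(expiration) && ...)`), so whatever jwt_hash_str_find_long returns for a claim that is missing or is not an integer decides whether the expiry and not-before checks run at all; its definition is outside this hunk. If it returns 0 in either case, a token whose `exp` is encoded as a string, or as the value 0, is verified as if it carried no expiry, which silently weakens the fix this commit makes for the decode path. Consider reporting presence and type separately (a found flag from the lookup, with a non-integer `exp`/`nbf`/`iat` rejected as an invalid token) and, at minimum, a comment above the lookups such as `/* 0 means the claim is absent; see jwt_hash_str_find_long */` so the sentinel is explicit to the next reader. jwt_verify_body begins before this hunk and continues after it.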
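Review bot: The relocated iat check in the second hunk drops the braces that the removed block had around `FORMAT_CEX_TIME(JWT_G(iat), jwt_invalid_iat_cex);`. FORMAT_CEX_MSG is visibly defined as a `do { ... } while(0);` that already ends in a semicolon and the call site adds another, so the unbraced `if` form depends on a stray empty statement and would stop compiling the moment an `else` is added; FORMAT_CEX_TIME presumably follows the same pattern. Keeping the braces, `if (JWT_G(iat) && JWT_G(iat) > (curr_time + JWT_G(leeway))) {` / `FORMAT_CEX_TIME(JWT_G(iat), jwt_invalid_iat_cex);` / `}`, matches the old code and is the safer shape for a macro that expands to a statement plus a terminator. The enclosing jwt_verify_body continues outside this hunk.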