Skip to content

feat: Allows Key instance to be used for encoding #575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat: Allows Key instance to be used for encoding #575

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7ead1dc
feat: Allows Key instance to be used for encoding
Oinkling Aug 8, 2024
42bda5c
Merge branch 'main' into allow-key-in-encode
bshaffer Apr 15, 2025
6b41417
Enforce null alg when key is Key object
Oinkling Apr 29, 2025
e78315d
Added tests for encoding with Key object
Oinkling Apr 29, 2025
e9cace2
Enforce null alg when key is Key object in sign
Oinkling Apr 29, 2025
d812f9f
Merge branch 'main' into allow-key-in-encode
bshaffer Apr 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 27 additions & 6 deletions src/JWT.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,24 +195,35 @@ public static function decode(
* Converts and signs a PHP array into a JWT string.
*
* @param array<mixed> $payload PHP array
* @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key.
* @param string $alg Supported algorithms are 'ES384','ES256', 'ES256K', 'HS256',
* @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate|Key $key The secret key.
* @param ?string $alg Supported algorithms are 'ES384','ES256', 'ES256K', 'HS256',
* 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
* @param string $keyId
* @param array<string, string> $head An array with header elements to attach
*
* @return string A signed JWT
*
* @throws InvalidArgumentException
*
* @uses jsonEncode
* @uses urlsafeB64Encode
*/
public static function encode(
array $payload,
$key,
string $alg,
?string $alg = null,
?string $keyId = null,
?array $head = null
): string {
if ($key instanceof Key) {
if ($alg !== null) {
throw new InvalidArgumentException('If key is instance of Key alg must be null');
}
$alg = $key->getAlgorithm();
$key = $key->getKeyMaterial();
Copy link
Collaborator

@bshaffer bshaffer Apr 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We would also want to throw an exception if $alg isn't null. Otherwise this would be possible and potentially cause confusion:

JWT::encode($payload, $key, 'FooAlg');

} elseif ($alg === null) {
throw new InvalidArgumentException('alg cannot be null unless key is instance of Key');
}
$header = ['typ' => 'JWT'];
if (isset($head)) {
$header = \array_merge($header, $head);
Expand All @@ -236,19 +247,29 @@ public static function encode(
* Sign a string with a given key and algorithm.
*
* @param string $msg The message to sign
* @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key.
* @param string $alg Supported algorithms are 'EdDSA', 'ES384', 'ES256', 'ES256K', 'HS256',
* @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate|Key $key The secret key.
* @param ?string $alg Supported algorithms are 'EdDSA', 'ES384', 'ES256', 'ES256K', 'HS256',
* 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
*
* @return string An encrypted message
*
* @throws DomainException Unsupported algorithm or bad key was specified
* @throws InvalidArgumentException
*/
public static function sign(
string $msg,
$key,
string $alg
?string $alg = null
): string {
if (is_a($key, Key::class)) {
if ($alg !== null) {
throw new InvalidArgumentException('If key is instance of Key alg must be null');
}
$alg = $key->getAlgorithm();
$key = $key->getKeyMaterial();
} elseif ($alg === null) {
throw new InvalidArgumentException('alg cannot be null unless key is instance of Key');
}
if (empty(static::$supported_algs[$alg])) {
throw new DomainException('Algorithm not supported');
}
Expand Down
23 changes: 23 additions & 0 deletions tests/JWTTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -547,6 +547,29 @@ public function testAdditionalHeaderOverrides()
$this->assertEquals('HS256', $headers->alg, 'alg param not overridden');
}

public function testNullAlgFails()
{
$this->expectException(InvalidArgumentException::class);
JWT::encode(['message' => 'abc'], 'my_key');
}

public function testEncodingWithKeyObject()
{
$payload = [
'message' => 'abc'
];
$key = new Key('my_key', 'HS256');
$encoded = JWT::encode($payload, $key);
$decoded = JWT::decode($encoded, $key);
$this->assertSame($decoded->message, 'abc');
}

public function testNotNullAlgWhenUsingKeyObjectFails()
{
$this->expectException(InvalidArgumentException::class);
JWT::encode(['message' => 'abc'], new Key('my_key', 'HS256'), 'HS256');
}

public function testDecodeExpectsIntegerIat()
{
$this->expectException(UnexpectedValueException::class);
Expand Down