Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ensures JWT leeway is restored after we set it #1122

Merged
merged 1 commit into from
Jan 6, 2017
Merged

ensures JWT leeway is restored after we set it #1122

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions src/Google/AccessToken/Verify.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,11 @@ class Google_AccessToken_Verify
* Instantiates the class, but does not initiate the login flow, leaving it
* to the discretion of the caller.
*/
public function __construct(ClientInterface $http = null, CacheItemPoolInterface $cache = null)
{
public function __construct(
ClientInterface $http = null,
CacheItemPoolInterface $cache = null,
$jwt = null
) {
if (is_null($http)) {
$http = new Client();
}
Expand All @@ -60,7 +63,7 @@ public function __construct(ClientInterface $http = null, CacheItemPoolInterface

$this->http = $http;
$this->cache = $cache;
$this->jwt = $this->getJwtService();
$this->jwt = $jwt ?: $this->getJwtService();
}

/**
Expand Down
7 changes: 6 additions & 1 deletion src/Google/Client.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,10 @@ public function __construct(array $config = array())
// function to be called when an access token is fetched
// follows the signature function ($cacheKey, $accessToken)
'token_callback' => null,

// Service class used in Google_Client::verifyIdToken.
// Explicitly pass this in to avoid setting JWT::$leeway
'jwt' => null,
],
$config
);
Expand Down Expand Up @@ -686,7 +690,8 @@ public function verifyIdToken($idToken = null)
{
$tokenVerifier = new Google_AccessToken_Verify(
$this->getHttpClient(),
$this->getCache()
$this->getCache(),
$this->jwt
);

if (is_null($idToken)) {
Expand Down
27 changes: 27 additions & 0 deletions tests/Google/AccessToken/VerifyTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,33 @@ public function testValidateIdToken()
$this->assertTrue(strlen($payload['sub']) > 0);
}

/**
* Most of the logic for ID token validation is in AuthTest -
* this is just a general check to ensure we verify a valid
* id token if one exists.
*/
public function testLeewayIsUnchangedWhenPassingInJwt()
{
$this->checkToken();

$jwt = $this->getJwtService();
// set arbitrary leeway so we can check this later
$jwt::$leeway = $leeway = 1.5;
$client = $this->getClient();
$token = $client->getAccessToken();
if ($client->isAccessTokenExpired()) {
$token = $client->fetchAccessTokenWithRefreshToken();
}
$segments = explode('.', $token['id_token']);
$this->assertEquals(3, count($segments));
// Extract the client ID in this case as it wont be set on the test client.
$data = json_decode($jwt->urlSafeB64Decode($segments[1]));
$verify = new Google_AccessToken_Verify($client->getHttpClient(), null, $jwt);
$payload = $verify->verifyIdToken($token['id_token'], $data->aud);
// verify the leeway is set as it was
$this->assertEquals($leeway, $jwt::$leeway);
}

public function testRetrieveCertsFromLocation()
{
$client = $this->getClient();
Expand Down