Delay signature verification properly

Signature verification was never being delayed because an unsecured token was being used and `Token#verify()` was throwing an exception instead. Closes #63
psr7-sessions · May 8, 2017 · 510172c · 510172c
1 parent 609f52e
commit 510172c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/src/Storageless/Http/SessionMiddleware.php b/src/Storageless/Http/SessionMiddleware.php
@@ -248,25 +248,21 @@ public function extractSessionContainer(Token $token = null) : SessionInterface
  private function appendToken(SessionInterface $sessionContainer, Response $response, Token $token = null) : Response
  {
  $sessionContainerChanged = $sessionContainer->hasChanged();
- $sessionContainerEmpty = $sessionContainer->isEmpty();
 
- if ($sessionContainerChanged && $sessionContainerEmpty) {
+ if ($sessionContainerChanged && $sessionContainer->isEmpty()) {
  return FigResponseCookies::set($response, $this->getExpirationCookie());
  }
 
- if ($sessionContainerChanged || (! $sessionContainerEmpty && $token && $this->shouldTokenBeRefreshed($token))) {
+ if ($sessionContainerChanged || ($this->shouldTokenBeRefreshed($token) && ! $sessionContainer->isEmpty())) {
  return FigResponseCookies::set($response, $this->getTokenCookie($sessionContainer));
  }
 
  return $response;
  }
 
- /**
- * {@inheritDoc}
- */
- private function shouldTokenBeRefreshed(Token $token) : bool
+ private function shouldTokenBeRefreshed(Token $token = null) : bool
  {
- if (! $token->hasClaim(self::ISSUED_AT_CLAIM)) {
+ if (! $token || ! $token->hasClaim(self::ISSUED_AT_CLAIM)) {
  return false;
  }
 

diff --git a/test/StoragelessTest/Http/SessionMiddlewareTest.php b/test/StoragelessTest/Http/SessionMiddlewareTest.php
@@ -26,6 +26,7 @@
 use Lcobucci\JWT\Builder;
 use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer;
+use Lcobucci\JWT\Signature;
 use Lcobucci\JWT\Signer\Hmac\Sha256;
 use Lcobucci\JWT\Token;
 use PHPUnit_Framework_TestCase;
@@ -373,6 +374,7 @@ public function testSessionTokenParsingIsDelayedWhenSessionIsNotBeingUsed()
  $signer = $this->createMock(Signer::class);
 
  $signer->expects($this->never())->method('verify');
+ $signer->method('getAlgorithmId')->willReturn('HS256');
 
  $currentTimeProvider = new SystemCurrentTime();
  $setCookie = SetCookie::create(SessionMiddleware::DEFAULT_COOKIE);
@@ -381,6 +383,8 @@ public function testSessionTokenParsingIsDelayedWhenSessionIsNotBeingUsed()
  ->withCookieParams([
  SessionMiddleware::DEFAULT_COOKIE => (string) (new Builder())
  ->set(SessionMiddleware::SESSION_CLAIM, DefaultSessionData::fromTokenData(['foo' => 'bar']))
+ ->setIssuedAt(time())
+ ->sign(new Sha256(), 'foo')
  ->getToken()
  ]);