Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delay signature verification properly #64

Merged
merged 1 commit into from
May 8, 2017
Merged

Delay signature verification properly #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 4 additions & 8 deletions src/Storageless/Http/SessionMiddleware.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,25 +248,21 @@ public function extractSessionContainer(Token $token = null) : SessionInterface
private function appendToken(SessionInterface $sessionContainer, Response $response, Token $token = null) : Response
{
$sessionContainerChanged = $sessionContainer->hasChanged();
$sessionContainerEmpty = $sessionContainer->isEmpty();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was cached on purpose to avoid calling isEmpty() twice, since the sessiondata is potentially mutable: can it be restored, or is this removal part of tge fix?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's part of the fix as described on the PR's decription

Moving sessionContainer#isEmpty() calls to the end of the expressions delays the initialisation properly.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basically that leads to the question: do we want to keep this lazy initialisation thing or not?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seen now - this is described in #63

do we want to keep this lazy initialisation thing or not?

Yes, reading/writing to session in each request, as well as running crypto, is otherwise a very good way to keep data-centers warm. Let's not do that :-)


if ($sessionContainerChanged && $sessionContainerEmpty) {
if ($sessionContainerChanged && $sessionContainer->isEmpty()) {
return FigResponseCookies::set($response, $this->getExpirationCookie());
}

if ($sessionContainerChanged || (! $sessionContainerEmpty && $token && $this->shouldTokenBeRefreshed($token))) {
if ($sessionContainerChanged || ($this->shouldTokenBeRefreshed($token) && ! $sessionContainer->isEmpty())) {
return FigResponseCookies::set($response, $this->getTokenCookie($sessionContainer));
}

return $response;
}

/**
* {@inheritDoc}
*/
private function shouldTokenBeRefreshed(Token $token) : bool
private function shouldTokenBeRefreshed(Token $token = null) : bool
{
if (! $token->hasClaim(self::ISSUED_AT_CLAIM)) {
if (! $token || ! $token->hasClaim(self::ISSUED_AT_CLAIM)) {
return false;
}

Expand Down
4 changes: 4 additions & 0 deletions test/StoragelessTest/Http/SessionMiddlewareTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Signature;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Token;
use PHPUnit_Framework_TestCase;
Expand Down Expand Up @@ -373,6 +374,7 @@ public function testSessionTokenParsingIsDelayedWhenSessionIsNotBeingUsed()
$signer = $this->createMock(Signer::class);

$signer->expects($this->never())->method('verify');
$signer->method('getAlgorithmId')->willReturn('HS256');

$currentTimeProvider = new SystemCurrentTime();
$setCookie = SetCookie::create(SessionMiddleware::DEFAULT_COOKIE);
Expand All @@ -381,6 +383,8 @@ public function testSessionTokenParsingIsDelayedWhenSessionIsNotBeingUsed()
->withCookieParams([
SessionMiddleware::DEFAULT_COOKIE => (string) (new Builder())
->set(SessionMiddleware::SESSION_CLAIM, DefaultSessionData::fromTokenData(['foo' => 'bar']))
->setIssuedAt(time())
->sign(new Sha256(), 'foo')
->getToken()
]);

Expand Down