Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add constraint for private claim validation #827

Merged
merged 1 commit into from
Aug 17, 2022
Merged

Add constraint for private claim validation #827

merged 1 commit into from
Aug 17, 2022

Conversation

james-bw
Copy link

Re: #826

Slamdunk
Slamdunk previously requested changes Mar 30, 2022
View reviewed changes
src/Token.php Outdated Show resolved Hide resolved
@Slamdunk
Copy link
Collaborator

@Ocramius https://github.com/lcobucci/jwt/runs/5749877948?check_suite_focus=true#step:4:250

[BC] ADDED: Method hasClaimWithValue() was added to interface Lcobucci\JWT\UnencryptedToken
[BC] ADDED: Method hasClaimWithValue() was added to interface Lcobucci\JWT\Token
2 backwards-incompatible changes detected

Why adding a method to an interface should be considered a BC Break?

@SvenRtbg
Copy link
Collaborator

Adding new methods to an interface requires implementation of it in every class implementing the interface. This is incompatible with "I just update and everything works". :)

@Slamdunk
Copy link
Collaborator

Ok, now I see the need for https://wiki.php.net/rfc/sealed_classes as in this context Lcobucci\JWT\UnencryptedToken and Lcobucci\JWT\Token are not meant to be implemented outside this library

lcobucci
lcobucci requested changes Mar 31, 2022
View reviewed changes
src/Validation/Constraint/HasClaimWithValue.php Outdated Show resolved Hide resolved
src/Token/Plain.php Outdated Show resolved Hide resolved
src/Validation/Constraint/HasClaimWithValue.php Outdated Show resolved Hide resolved
@lcobucci lcobucci added this to the 4.2.0 milestone Mar 31, 2022
@Ocramius
Copy link
Collaborator

@lcobucci before adding this, please check the premise in #826 - the entire idea (so far) smells, IMO

@lcobucci
Copy link
Owner

lcobucci commented Apr 1, 2022

@lcobucci before adding this, please check the premise in #826 - the entire idea (so far) smells, IMO

@Ocramius I saw it... I'm honestly abstracting that page because I think it's useful to have a generic constraint for custom claims in the lib.

@lcobucci
Copy link
Owner

lcobucci commented Apr 4, 2022
edited
Loading

Just to expand on the reason for a closure... the initial motivation to introduce this is related to hash comparison and doing that operation with === opens a security issue (timing attacks) - that's why we use hash_equals().

@james-bw have you thought about that? This PR does NOT add a safe way to perform hash comparison.

@lcobucci
Copy link
Owner

lcobucci commented Apr 4, 2022

Also, you can run make to execute most of the checks and solve the problems locally.

@james-bw
Copy link
Author

james-bw commented Apr 5, 2022
edited
Loading

Just to expand on the reason for a closure... the initial motivation to introduce this is related to hash comparison and doing that operation with === opens a security issue (timing attacks) - that's why we use hash_equals().

@james-bw have you thought about that? This PR does NOT add a safe way to perform hash comparison.

I did not. I am not aware of how === leads to a timing attack. I'll have to investigate further.

...

OK I understand the timing attack now, and understand why === is not to be used for cryptographic stuff. However, custom claim validation is no different to existing code:

    public function isIdentifiedBy(string $id): bool
    {
        return $this->claims->get(RegisteredClaims::ID) === $id;
    }

    public function isRelatedTo(string $subject): bool
    {
        return $this->claims->get(RegisteredClaims::SUBJECT) === $subject;
    }

I think this validation should be consistent.

@james-bw
Copy link
Author

james-bw commented Apr 5, 2022

Also, you can run make to execute most of the checks and solve the problems locally.

I'm developing on Windows/git bash, so don't have make natively. I've been trying to get my IDE working with the equivalent tests. At this stage I'm about to walk away and leave you to it, I was just trying to help with a quick win and this is turning into ben hur.

@lcobucci lcobucci removed this from the 4.2.0 milestone Jul 24, 2022
@lcobucci lcobucci force-pushed the feature/add-with-claim-token-validation branch from efc1328 to 6709e42 Compare August 17, 2022 23:00
@lcobucci lcobucci linked an issue Aug 17, 2022 that may be closed by this pull request
Add withClaim validation for custom claim validation #826
Closed
@lcobucci lcobucci self-assigned this Aug 17, 2022
@lcobucci lcobucci added this to the 4.2.0 milestone Aug 17, 2022
@lcobucci lcobucci force-pushed the feature/add-with-claim-token-validation branch from 6709e42 to 817f241 Compare August 17, 2022 23:01
@lcobucci lcobucci changed the title Added withClaim token constraint Add constraint for private claim validation Aug 17, 2022
@lcobucci lcobucci dismissed Slamdunk’s stale review August 17, 2022 23:03

Changes addressed

@lcobucci lcobucci merged commit 587cb9b into lcobucci:4.2.x Aug 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SvenRtbg SvenRtbg SvenRtbg left review comments

@lcobucci lcobucci lcobucci approved these changes

@Slamdunk Slamdunk Slamdunk left review comments

Assignees

@lcobucci lcobucci

Labels
Improvement
Projects
None yet
Milestone
4.2.0
Development

Successfully merging this pull request may close these issues.

Add withClaim validation for custom claim validation
5 participants
@james-bw @Slamdunk @SvenRtbg @Ocramius @lcobucci