hotfix/jwks-fix #56
Conversation
Pull request overview
This pull request refactors the JWKS token decoder implementation to use the Firebase JWT library's built-in JWK parsing functionality instead of custom ASN.1 encoding and manual PEM conversion. The changes improve security by enforcing server-side algorithm validation and strengthen URL validation for JWKS endpoints.
Key changes:
- Replaced custom `jwkToPem()` and ASN.1 encoding methods with Firebase JWT's `JWK::parseKeySet()` for more robust key parsing
- Enhanced JWT validation with explicit format checking (3-part structure) and server-side algorithm enforcement
- Made HTTP client mandatory for JWKS fetching (removed file_get_contents fallback) and added configurable timeout options
- Added comprehensive test coverage for edge cases including missing kid, algorithm mismatches, empty JWKS, expired tokens, and invalid issuers
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/Token/JWKSTokenDecoder.php | Refactored to use Firebase JWT's JWK::parseKeySet instead of custom PEM conversion; added JWT format validation, server-side algorithm enforcement, and enhanced security checks; removed readonly constraint from options property; made HTTP client required |
| tests/Token/JWKSTokenDecoderTest.php | Added JSON_THROW_ON_ERROR flag for consistency; implemented previously stubbed testRequiresHttpsForJwksEndpoint test; added 7 new comprehensive test cases covering missing kid, algorithm mismatch, kid not in JWKS, empty JWKS, expired tokens, invalid issuer, and invalid JWT format |
Comments suppressed due to low confidence (1)
src/Token/JWKSTokenDecoder.php:102
- The catch block for TokenDecoderException has been removed, but this creates a problem. When TokenDecoderException is thrown from helper methods like getKeyForKid() or fetchJwks(), it will now be caught by the generic Exception handler at line 100-102, which will wrap it in another TokenDecoderException. This results in double-wrapping of the exception and loss of the original specific error context. The TokenDecoderException catch block should be restored to preserve the original exception when it's already of the correct type.
```php
        } // no catch (TokenDecoderException) here, so exceptions from getKeyForKid()/fetchJwks() fall through to the generic handler below
        catch (\JsonException $e) {
            throw TokenDecoderException::forDecodingError('JSON parsing failed: ' . $e->getMessage(), $e);
        }
        catch (\Exception $e) {
            throw TokenDecoderException::forDecodingError($e->getMessage(), $e);
        }
```
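The checks the review lists (3-segment format, required `kid`, server-side algorithm allow-list, HTTPS-only JWKS endpoint, `JWK::parseKeySet()` for key parsing, and a `TokenDecoderException` catch placed before the generic handler so it is rethrown rather than double-wrapped) put together in one runnable decoder. This is an added example and not code from the PR or the project: `HardenedJwksDecoder`, the stand-in `TokenDecoderException`, the issuer/JWKS URL and the key material are all hypothetical, and the JWKS is served by a closure instead of an HTTP client so it runs offline. It assumes firebase/php-jwt v6 is installed via Composer.

```php
<?php
declare(strict_types=1);

// Added example (not the PR's code). Assumes firebase/php-jwt v6 is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Hypothetical stand-in for the project's TokenDecoderException.
final class TokenDecoderException extends \RuntimeException {}

// Hypothetical decoder illustrating the checks the review describes.
final class HardenedJwksDecoder
{
    private const ALLOWED_ALGS = ['RS256'];   // server-side policy, never taken from the token

    public function __construct(
        private string $jwksUri,
        private string $expectedIssuer,
        private \Closure $fetchJwks,           // string $url -> raw JWKS JSON; stands in for the HTTP client
    ) {
        if (parse_url($jwksUri, PHP_URL_SCHEME) !== 'https') {
            throw new \InvalidArgumentException('JWKS endpoint must use https');
        }
    }

    /** @return array<string,mixed> verified claims */
    public function decode(string $jwt): array
    {
        try {
            $parts = explode('.', $jwt);
            if (count($parts) !== 3) {
                throw new TokenDecoderException('Invalid JWT format: expected 3 segments');
            }
            // Read the header ourselves: kid is required, alg must be on the server allow-list.
            $header = json_decode(JWT::urlsafeB64Decode($parts[0]), false, 512, JSON_THROW_ON_ERROR);
            if (!isset($header->kid) || !is_string($header->kid)) {
                throw new TokenDecoderException('JWT header is missing kid');
            }
            $alg = $header->alg ?? 'none';
            if (!in_array($alg, self::ALLOWED_ALGS, true)) {
                throw new TokenDecoderException('Algorithm not permitted by server: ' . $alg);
            }
            // The library converts each JWK to a Key; the default alg only fills keys that omit "alg".
            $jwks = json_decode(($this->fetchJwks)($this->jwksUri), true, 512, JSON_THROW_ON_ERROR);
            if (empty($jwks['keys'])) {
                throw new TokenDecoderException('JWKS contains no keys');
            }
            $keys = JWK::parseKeySet($jwks, self::ALLOWED_ALGS[0]);   // array<string, Key> indexed by kid
            if (!isset($keys[$header->kid])) {
                throw new TokenDecoderException('kid not found in JWKS: ' . $header->kid);
            }
            $key = $keys[$header->kid];
            if ($key->getAlgorithm() !== $alg) {
                throw new TokenDecoderException('Token alg does not match key alg');
            }
            // Signature plus exp/nbf/iat are verified by the library against this one key.
            $claims = (array) JWT::decode($jwt, $key);
            if (($claims['iss'] ?? null) !== $this->expectedIssuer) {
                throw new TokenDecoderException('Invalid issuer');
            }
            return $claims;
        } catch (TokenDecoderException $e) {
            throw $e;                          // already the right type: rethrow, do not double-wrap
        } catch (\JsonException $e) {
            throw new TokenDecoderException('JSON parsing failed: ' . $e->getMessage(), 0, $e);
        } catch (\Exception $e) {
            throw new TokenDecoderException($e->getMessage(), 0, $e);
        }
    }
}

// Constructed demo: a fresh RSA key pair published as a JWKS; no network access.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$details = openssl_pkey_get_details($pair);
openssl_pkey_export($pair, $privatePem);
$b64url = fn(string $bin): string => rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
$jwksJson = json_encode(['keys' => [[
    'kty' => 'RSA', 'kid' => 'demo-key-1', 'use' => 'sig', 'alg' => 'RS256',
    'n' => $b64url($details['rsa']['n']), 'e' => $b64url($details['rsa']['e']),
]]], JSON_THROW_ON_ERROR);

$issuer = 'https://issuer.example';           // hypothetical issuer and JWKS URL
$decoder = new HardenedJwksDecoder($issuer . '/.well-known/jwks.json', $issuer, fn(string $url): string => $jwksJson);

$now = time();
$good = JWT::encode(['iss' => $issuer, 'sub' => 'alice', 'iat' => $now, 'exp' => $now + 300], $privatePem, 'RS256', 'demo-key-1');
echo 'accepted sub=' . $decoder->decode($good)['sub'] . PHP_EOL;

// Algorithm-confusion attempt (HS256 keyed with the public PEM, same kid), a malformed token, and an expired one.
$forged = JWT::encode(['iss' => $issuer, 'sub' => 'mallory', 'exp' => $now + 300], $details['key'], 'HS256', 'demo-key-1');
$expired = JWT::encode(['iss' => $issuer, 'exp' => $now - 60], $privatePem, 'RS256', 'demo-key-1');
foreach ([$forged, 'not.a.jwt.at.all', $expired] as $bad) {
    try {
        $decoder->decode($bad);
    } catch (TokenDecoderException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

The catch order is the point the suppressed comment makes: with `catch (TokenDecoderException)` first, a "missing kid" or "kid not found" error reaches the caller with its original message and no extra wrapping, while library errors such as `ExpiredException` are wrapped exactly once. The algorithm allow-list is checked before the JWKS is even fetched, so an HS256 token keyed with the public PEM is refused on policy rather than relying on the library's key/alg mismatch check alone.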
…nd improve validation logic
No description provided.