auth0 / auth0-PHP

PHP SDK for Auth0 Authentication and Management APIs.
https://auth0.com/docs/libraries/auth0-php
MIT License

Double signature verification #741

Closed seruymt closed 9 months ago

seruymt commented 9 months ago

SDK Version

8.7

PHP Version

PHP 8.2

Description

The signature is verified two times per request according to \Auth0\SDK\Token\Parser::verify()

        $verifier = new Verifier(
            $this->configuration,
            implode('.', [$parts[0], $parts[1]]),
            $signature,
            $headers,
            $algorithm,
            $jwksUri,
            $clientSecret,
            $cacheExpires,
            $cache,
        );

        $verifier->verify();

First time in the Verifier class constructor, then again after the declaration.

How can we reproduce this issue?

Do a call with \Auth0\SDK\Token\Parser::verify

evansims commented 9 months ago

Hey @seruymt 👋 Thanks for reporting this! Good catch! Overlooked this when we refactored this class some time ago. Definitely a redundant call there. I'm preparing a PR to fix that.
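
The pattern reported in this issue, shown as an added example that is not part of the thread and not the SDK's code. `DemoVerifier`, `b64url`, the `$verifyInConstructor` switch, and the sample secret and token are hypothetical stand-ins, restricted to HS256; the script counts how many signature checks one construction plus one explicit `verify()` call performs, with and without verification in the constructor.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in, not the SDK's Verifier: HS256 only, counts signature checks.
final class DemoVerifier
{
    public static int $checks = 0;

    public function __construct(
        private string $payload,    // "<header>.<claims>", still base64url-encoded
        private string $signature,  // raw signature bytes
        private string $secret,
        bool $verifyInConstructor,  // true reproduces the pattern reported in the issue
    ) {
        if ($verifyInConstructor) {
            $this->verify();
        }
    }

    public function verify(): self
    {
        ++self::$checks;
        $expected = hash_hmac('sha256', $this->payload, $this->secret, true);
        // hash_equals() compares the two MACs in constant time.
        if (! hash_equals($expected, $this->signature)) {
            throw new RuntimeException('Invalid token signature');
        }
        return $this;
    }
}

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Constructed sample token: the secret and claims are made up for this demo.
$secret  = 'constructed-demo-secret';
$payload = b64url('{"alg":"HS256","typ":"JWT"}') . '.' . b64url('{"sub":"demo-user"}');
$sig     = hash_hmac('sha256', $payload, $secret, true);

foreach ([true, false] as $inConstructor) {
    DemoVerifier::$checks = 0;
    $verifier = new DemoVerifier($payload, $sig, $secret, $inConstructor);
    $verifier->verify(); // the explicit call made after construction
    printf("verify in constructor: %s, signature checks: %d\n",
        $inConstructor ? 'yes' : 'no', DemoVerifier::$checks);
}
```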