paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

setClaims overwrites what was defined with setExpiration in the php example #26

Closed gdhnz closed 6 years ago

gdhnz commented 6 years ago

Using the PHP example code at https://github.com/paragonie/past/tree/master/docs/02-PHP-Library, setClaims overwrites what was defined with setExpiration.

```php
$token     = (new JsonToken())
    ->setKey($sharedKey)
    ->setVersion(Version2::HEADER)
    ->setPurpose('local')
    ->setExpiration((new DateTime())->add(new DateInterval('P01D')))
    ->setClaims(['example' => 'Hello world', 'security' => 'Now as easy as PIE']);
```

For an expiration to be set correctly, setClaims needs to come before setExpiration.

```php
$token     = (new JsonToken())
    ->setKey($sharedKey)
    ->setVersion(Version2::HEADER)
    ->setPurpose('local')
    ->setClaims(['example' => 'Hello world', 'security' => 'Now as easy as PIE'])
    ->setExpiration((new DateTime())->add(new DateInterval('P01D')));
```

gdhnz commented 6 years ago

The same happens if setClaims is also called after setAudience, setIssuedAt, setIssuer, setJti, setNotBefore, and setSubject.

paragonie-scott commented 6 years ago

Yes, because it's doing naive assignment rather than merging.

gdhnz commented 6 years ago

Would something as simple as replacing `$this->claims = $claims;` with `$this->claims = array_merge($this->claims, $claims);` in JsonToken.php resolve the issue, or is there something else I'm missing?

paragonie-scott commented 6 years ago

It's actually a little simpler to fix.
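The overwrite reported above, and the array_merge alternative asked about in the thread, side by side in a stand-alone example. This is added illustration, not code from the paseto library: `ToyToken` and `ToyTokenMerged` are assumed stand-ins for the real `JsonToken` builder, and only the `exp` key mirrors a real registered claim name.

```php
<?php
// Added example, not the library's code: a minimal builder with the naive
// assignment the issue describes, and a subclass that merges instead.

class ToyToken
{
    /** @var array<string, mixed> */
    protected $claims = [];

    public function setExpiration(DateTime $time): self
    {
        // Registered claim stored in the same array as custom claims.
        $this->claims['exp'] = $time->format(DateTime::ATOM);
        return $this;
    }

    // Naive assignment: discards anything set earlier (the reported bug).
    public function setClaims(array $claims): self
    {
        $this->claims = $claims;
        return $this;
    }

    public function getClaims(): array
    {
        return $this->claims;
    }
}

class ToyTokenMerged extends ToyToken
{
    // Merge instead, so earlier registered claims survive. Caveat: array_merge
    // lets the later array win on duplicate string keys, so a caller passing
    // its own 'exp' here would still replace the value set by setExpiration().
    public function setClaims(array $claims): self
    {
        $this->claims = array_merge($this->claims, $claims);
        return $this;
    }
}

// Same call order as the failing snippet from the issue: expiration first,
// then custom claims (constructed sample values).
$exp    = (new DateTime())->add(new DateInterval('P01D'));
$custom = ['example' => 'Hello world', 'security' => 'Now as easy as PIE'];

$naive  = (new ToyToken())->setExpiration($exp)->setClaims($custom)->getClaims();
$merged = (new ToyTokenMerged())->setExpiration($exp)->setClaims($custom)->getClaims();

// Check whether the expiration survived each strategy.
printf("naive keeps exp: %s\n",  isset($naive['exp'])  ? 'yes' : 'no');
printf("merged keeps exp: %s\n", isset($merged['exp']) ? 'yes' : 'no');
```

Run with `php` on the command line; because the merge lets caller-supplied keys win, validation of `exp` and the other registered claims still belongs on the consuming side rather than being assumed from the builder.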