Merge pull request #7 from facile-it/jwt-framework3

chore: allow jwt-framework v3

.github/workflows/continuous-integration.yml

@@ -24,6 +24,7 @@ jobs:
           - "7.3"
           - "7.4"
           - "8.0"
+          - "8.1"
 
     steps:
       - name: "Checkout"
@@ -47,14 +48,54 @@ jobs:
         run: "composer update --no-interaction --no-progress --no-suggest --prefer-dist"
 
       - name: "Run psalm"
-        run: "vendor/bin/psalm --long-progress --output-format=github --report=psalm.sarif"
+        run: "vendor/bin/psalm --long-progress --output-format=github --report=psalm.sarif --php-version=${{ matrix.php-version }}"
 
       - name: "Upload SARIF file"
         uses: github/codeql-action/upload-sarif@v1
         continue-on-error: true
         with:
           sarif_file: psalm.sarif
 
+  codestyle:
+    name: "Code Style"
+    runs-on: "ubuntu-20.04"
+
+    strategy:
+      matrix:
+        php-version:
+          - "8.1"
+        deps:
+          - "latest"
+        coverage:
+          - "false"
+
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v2"
+        with:
+          fetch-depth: 2
+
+      - name: "Install PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "${{ matrix.php-version }}"
+          coverage: "pcov"
+          ini-values: "zend.assertions=1"
+          extensions: "bcmath gmp"
+
+      - name: "Cache dependencies installed with composer"
+        uses: "actions/cache@v2"
+        with:
+          path: "~/.composer/cache"
+          key: "php-${{ matrix.php-version }}-composer-${{ hashFiles('composer.lock') }}"
+          restore-keys: "php-${{ matrix.php-version }}-composer-"
+
+      - name: "Install dependencies with composer"
+        run: "composer update --no-interaction --no-progress --no-suggest --prefer-dist"
+
+      - name: "Run PHPCS check"
+        run: "composer cs-check"
+
   phpunit:
     name: "PHPUnit"
     runs-on: "ubuntu-20.04"
@@ -66,13 +107,14 @@ jobs:
           - "7.3"
           - "7.4"
           - "8.0"
+          - "8.1"
         deps:
           - "lowest"
           - "latest"
         coverage:
           - "false"
         include:
-          - php-version: "7.4"
+          - php-version: "8.1"
             deps: "latest"
             coverage: "true"
 
@@ -109,10 +151,6 @@ jobs:
         run: "vendor/bin/phpunit -c phpunit.xml.dist"
         if: "${{ matrix.coverage != 'true' }}"
 
-      - name: "Run PHPCS check"
-        run: "composer cs-check"
-        if: "${{ matrix.coverage == 'true' }}"
-
       - name: "Run PHPUnit with coverage"
         run: "vendor/bin/phpunit -c phpunit.xml.dist --coverage-clover=coverage-report.xml"
         if: "${{ matrix.coverage == 'true' }}"

composer.json

@@ -36,15 +36,14 @@
         "php-http/discovery": "^1.7",
         "psr/http-client": "^1.0",
         "psr/http-message": "^1.0",
-        "psr/simple-cache": "^1.0",
+        "psr/simple-cache": "^1.0 || ^2.0 || ^3.0",
         "spomky-labs/base64url": "^2.0.1",
         "symfony/polyfill-mbstring": "^1.15",
-        "web-token/jwt-checker": "^2.2.0",
-        "web-token/jwt-core": "^2.2.0",
-        "web-token/jwt-easy": "^2.2.0",
-        "web-token/jwt-key-mgmt": "^2.2.0",
-        "web-token/jwt-signature": "^2.2.0",
-        "web-token/jwt-signature-algorithm-rsa": "^2.2.0"
+        "web-token/jwt-checker": "^2.2.0 || ^3.0",
+        "web-token/jwt-core": "^2.2.0 || ^3.0",
+        "web-token/jwt-key-mgmt": "^2.2.0 || ^3.0",
+        "web-token/jwt-signature": "^2.2.0 || ^3.0",
+        "web-token/jwt-signature-algorithm-rsa": "^2.2.0 || ^3.0"
     },
     "autoload": {
         "files": [
@@ -67,28 +66,28 @@
         "php-http/curl-client": "^2.1",
         "phpspec/prophecy-phpunit": "^1.1 || ^2.0",
         "phpunit/phpunit": "^8.5.14 || ^9.3",
-        "vimeo/psalm": "^4.4.1",
-        "web-token/jwt-encryption": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-aescbc": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-aesgcm": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-aesgcmkw": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-aeskw": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-dir": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-ecdh-es": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-experimental": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-pbes2": "^2.2.0",
-        "web-token/jwt-encryption-algorithm-rsa": "^2.2.0",
-        "web-token/jwt-nested-token": "^2.2.0",
-        "web-token/jwt-signature-algorithm-ecdsa": "^2.2.0",
-        "web-token/jwt-signature-algorithm-experimental": "^2.2.0",
-        "web-token/jwt-signature-algorithm-hmac": "^2.2.0",
-        "web-token/jwt-signature-algorithm-none": "^2.2.0",
-        "web-token/jwt-util-ecc": "^2.2.0"
+        "vimeo/psalm": "^4.23",
+        "web-token/jwt-encryption": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-aescbc": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-aesgcm": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-aesgcmkw": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-aeskw": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-dir": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-ecdh-es": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-experimental": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-pbes2": "^2.2.0 || ^3.0",
+        "web-token/jwt-encryption-algorithm-rsa": "^2.2.0 || ^3.0",
+        "web-token/jwt-nested-token": "^2.2.0 || ^3.0",
+        "web-token/jwt-signature-algorithm-ecdsa": "^2.2.0 || ^3.0",
+        "web-token/jwt-signature-algorithm-experimental": "^2.2.0 || ^3.0",
+        "web-token/jwt-signature-algorithm-hmac": "^2.2.0 || ^3.0",
+        "web-token/jwt-signature-algorithm-none": "^2.2.0 || ^3.0",
+        "web-token/jwt-util-ecc": "^2.2.0 || ^3.0"
     },
     "scripts": {
         "cs-check": "php-cs-fixer fix --dry-run --diff --allow-risky=yes",
         "cs-fix": "php-cs-fixer fix --diff --allow-risky=yes",
-        "psalm": "psalm",
+        "psalm": "psalm --php-version=8.1",
         "test": "phpunit",
         "test-coverage": "phpunit --coverage-text",
         "check": [

src/AbstractTokenVerifier.php

@@ -4,9 +4,9 @@
 
 namespace Facile\JoseVerifier;
 
-use Facile\JoseVerifier\ClaimChecker\AuthTimeChecker;
-use Facile\JoseVerifier\ClaimChecker\AzpChecker;
-use Facile\JoseVerifier\ClaimChecker\NonceChecker;
+use Facile\JoseVerifier\Checker\AuthTimeChecker;
+use Facile\JoseVerifier\Checker\AzpChecker;
+use Facile\JoseVerifier\Checker\NonceChecker;
 use Facile\JoseVerifier\Decrypter\TokenDecrypterInterface;
 use Facile\JoseVerifier\Exception\InvalidArgumentException;
 use Facile\JoseVerifier\Exception\InvalidTokenException;
@@ -15,6 +15,12 @@
 use Facile\JoseVerifier\JWK\MemoryJwksProvider;
 use Facile\JoseVerifier\Validate\Validate;
 use function is_array;
+use Jose\Component\Checker\AlgorithmChecker;
+use Jose\Component\Checker\AudienceChecker;
+use Jose\Component\Checker\ExpirationTimeChecker;
+use Jose\Component\Checker\IssuedAtChecker;
+use Jose\Component\Checker\IssuerChecker;
+use Jose\Component\Checker\NotBeforeChecker;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
 use Jose\Component\Core\Util\JsonConverter;
@@ -189,38 +195,37 @@ protected function create(string $jwt): Validate
 
         if ($this->aadIssValidation) {
             $payload = $this->getPayload($jwt);
-            $expectedIssuer = str_replace('{tenantid}', $payload['tid'] ?? '', $expectedIssuer);
+            $expectedIssuer = str_replace('{tenantid}', (string) ($payload['tid'] ?? ''), $expectedIssuer);
         }
 
         $validator = Validate::token($jwt)
             ->keyset($this->buildJwks($jwt))
-            ->iss($expectedIssuer)
-            ->iat($this->clockTolerance)
-            ->aud($this->clientId)
-            ->exp($this->clockTolerance)
-            ->nbf($this->clockTolerance);
+            ->claim(new IssuerChecker([$expectedIssuer], true))
+            ->claim(new IssuedAtChecker($this->clockTolerance, true))
+            ->claim(new AudienceChecker($this->clientId, true))
+            ->claim(new ExpirationTimeChecker($this->clockTolerance))
+            ->claim(new NotBeforeChecker($this->clockTolerance, true));
 
         if (null !== $this->azp) {
-            $validator = $validator->claim('azp', new AzpChecker($this->azp));
+            $validator = $validator->claim(new AzpChecker($this->azp));
         }
 
         if (null !== $this->expectedAlg) {
-            $validator = $validator->alg($this->expectedAlg);
+            $validator = $validator->header(new AlgorithmChecker([$this->expectedAlg], true));
         }
 
         if (null !== $this->nonce) {
-            $validator = $validator->claim('nonce', new NonceChecker($this->nonce));
+            $validator = $validator->claim(new NonceChecker($this->nonce));
         }
 
         if (null !== $this->maxAge) {
-            $validator = $validator->claim('auth_time', new AuthTimeChecker($this->maxAge, $this->clockTolerance));
+            $validator = $validator->claim(new AuthTimeChecker($this->maxAge, $this->clockTolerance));
         }
 
         if ((int) $this->maxAge > 0 || null !== $this->maxAge) {
             $mandatoryClaims[] = 'auth_time';
         }
 
-        /** @var Validate $validator */
         $validator = $validator->mandatory($mandatoryClaims);
 
         return $validator;

src/ClaimChecker/AbstractHashChecker.php → src/Checker/AbstractHashChecker.php

@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace Facile\JoseVerifier\ClaimChecker;
+namespace Facile\JoseVerifier\Checker;
 
 use Base64Url\Base64Url;
 use function hash;
@@ -13,6 +13,9 @@
 use function strlen;
 use function substr;
 
+/**
+ * @internal
+ */
 abstract class AbstractHashChecker implements ClaimChecker
 {
     /** @var string */
@@ -45,7 +48,7 @@ private function getShaSize(string $alg): string
     }
 
     /**
-     * {@inheritdoc}
+     * @param mixed $value
      */
     public function checkClaim($value): void
     {

src/ClaimChecker/AtHashChecker.php → src/Checker/AtHashChecker.php

@@ -2,8 +2,11 @@
 
 declare(strict_types=1);
 
-namespace Facile\JoseVerifier\ClaimChecker;
+namespace Facile\JoseVerifier\Checker;
 
+/**
+ * @internal
+ */
 final class AtHashChecker extends AbstractHashChecker
 {
     private const CLAIM_NAME = 'at_hash';

src/ClaimChecker/AuthTimeChecker.php → src/Checker/AuthTimeChecker.php

@@ -2,13 +2,16 @@
 
 declare(strict_types=1);
 
-namespace Facile\JoseVerifier\ClaimChecker;
+namespace Facile\JoseVerifier\Checker;
 
 use function is_int;
 use Jose\Component\Checker\ClaimChecker;
 use Jose\Component\Checker\InvalidClaimException;
 use function time;
 
+/**
+ * @internal
+ */
 final class AuthTimeChecker implements ClaimChecker
 {
     private const CLAIM_NAME = 'auth_time';
@@ -26,7 +29,7 @@ public function __construct(int $maxAge, int $allowedTimeDrift = 0)
     }
 
     /**
-     * {@inheritdoc}
+     * @param mixed $value
      */
     public function checkClaim($value): void
     {

src/ClaimChecker/AzpChecker.php → src/Checker/AzpChecker.php

@@ -2,12 +2,15 @@
 
 declare(strict_types=1);
 
-namespace Facile\JoseVerifier\ClaimChecker;
+namespace Facile\JoseVerifier\Checker;
 
 use Jose\Component\Checker\ClaimChecker;
 use Jose\Component\Checker\InvalidClaimException;
 use function sprintf;
 
+/**
+ * @internal
+ */
 final class AzpChecker implements ClaimChecker
 {
     private const CLAIM_NAME = 'azp';
@@ -21,7 +24,7 @@ public function __construct(string $azp)
     }
 
     /**
-     * {@inheritdoc}
+     * @param mixed $value
      */
     public function checkClaim($value): void
     {

src/ClaimChecker/CHashChecker.php → src/Checker/CHashChecker.php

@@ -2,8 +2,11 @@
 
 declare(strict_types=1);
 
-namespace Facile\JoseVerifier\ClaimChecker;
+namespace Facile\JoseVerifier\Checker;
 
+/**
+ * @internal
+ */
 final class CHashChecker extends AbstractHashChecker
 {
     private const CLAIM_NAME = 'c_hash';