@@ -30,8 +30,11 @@ class JWT
3030 * @param bool $verify Don't skip verification process
3131 *
3232 * @return object The JWT's payload as a PHP object
33- * @throws UnexpectedValueException Provided JWT was invalid
3433 * @throws DomainException Algorithm was not provided
34+ * @throws UnexpectedValueException Provided JWT was invalid
35+ * @throws BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf'
36+ * @throws BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat'
37+ * @throws ExpiredException Provided JWT has since expired, as defined by the 'exp' claim
3538 *
3639 * @uses jsonDecode
3740 * @uses urlsafeB64Decode
@@ -67,17 +70,27 @@ public static function decode($jwt, $key = null, $verify = true)
6770 throw new SignatureInvalidException ('Signature verification failed ' );
6871 }
6972
70- // Check token expiry time if defined.
71- if (isset ($ payloadexp ) && time () >= $ payloadexp ) {
72- throw new ExpiredException ('Expired token ' );
73- }
74-
75- // Check if the nbf if it is defined.
73+ // Check if the nbf if it is defined. This is the time that the
74+ // token can actually be used. If it's not yet that time, abort.
7675 if (isset ($ payloadnbf ) && $ payloadnbf > time ()) {
7776 throw new BeforeValidException (
7877 'Cannot handle token prior to ' . date (DateTime::ISO8601 , $ payloadnbf )
7978 );
8079 }
80+
81+ // Check that this token has been created before 'now'. This prevents
82+ // using tokens that have been created for later use (and haven't
83+ // correctly used the nbf claim).
84+ if (isset ($ payloadiat ) && $ payloadiat > time ()) {
85+ throw new BeforeValidException (
86+ 'Cannot handle token prior to ' . date (DateTime::ISO8601 , $ payloadiat )
87+ );
88+ }
89+
90+ // Check if this token has expired.
91+ if (isset ($ payloadexp ) && time () >= $ payloadexp ) {
92+ throw new ExpiredException ('Expired token ' );
93+ }
8194 }
8295
8396 return $ payload
0 commit comments