Add checking of nbf claim

Brendan Abbott · Brendan Abbott · commit 0b01cd0b1727 · 2014-11-13T12:04:38.000+10:00
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
@@ -61,12 +61,22 @@ public static function decode($jwt, $key = null, $verify = true)
                     throw new DomainException('"kid" empty, unable to lookup correct key');
                 }
             }
+
+            // Check the signature
             if (!JWT::verify("$headb64.$bodyb64", $sig, $key, $header->alg)) {
                 throw new UnexpectedValueException('Signature verification failed');
             }
+
             // Check token expiry time if defined.
             if (isset($payload->exp) && time() >= $payload->exp) {
-                throw new UnexpectedValueException('Expired Token');
+                throw new UnexpectedValueException('Expired token');
+            }
+
+            // Check if the nbf if it is defined.
+            if (isset($payload->nbf) && $payload->nbf > time()) {
+                throw new UnexpectedValueException(
+                    'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
+                );
             }
         }
         return $payload;
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
@@ -45,6 +45,16 @@ public function testExpiredToken()
         JWT::decode($encoded);
     }
 
+    public function testTooEarlyToken()
+    {
+        $this->setExpectedException('UnexpectedValueException');
+        $payload = array(
+            "message" => "abc",
+            "nbf" => time() + 20); // time in the past
+        $encoded = JWT::encode($payload, 'my_key');
+        JWT::decode($encoded);
+    }
+
     public function testValidToken()
     {
         $payload = array(
@@ -55,6 +65,17 @@ public function testValidToken()
         $this->assertEquals($decoded->message, 'abc');
     }
 
+    public function testValidTokenWithNbf()
+    {
+        $payload = array(
+            "message" => "abc",
+            "exp" => time() + 20, // time in the future
+            "nbf" => time() - 20);
+        $encoded = JWT::encode($payload, 'my_key');
+        $decoded = JWT::decode($encoded, 'my_key');
+        $this->assertEquals($decoded->message, 'abc');
+    }
+
     public function testInvalidToken()
     {
         $payload = array(

Original file line number	Diff line number	Diff line change
`@@ -61,12 +61,22 @@ public static function decode($jwt, $key = null, $verify = true)`
`61`	`61`	`throw new DomainException('"kid" empty, unable to lookup correct key');`
`62`	`62`	`}`
`63`	`63`	`}`
	`64`	`+`
	`65`	`+ // Check the signature`
`64`	`66`	`if (!JWT::verify("$headb64.$bodyb64", $sig, $key, $header->alg)) {`
`65`	`67`	`throw new UnexpectedValueException('Signature verification failed');`
`66`	`68`	`}`
	`69`	`+`
`67`	`70`	`// Check token expiry time if defined.`
`68`	`71`	`if (isset($payload->exp) && time() >= $payload->exp) {`
`69`		`- throw new UnexpectedValueException('Expired Token');`
	`72`	`+ throw new UnexpectedValueException('Expired token');`
	`73`	`+ }`
	`74`	`+`
	`75`	`+ // Check if the nbf if it is defined.`
	`76`	`+ if (isset($payload->nbf) && $payload->nbf > time()) {`
	`77`	`+ throw new UnexpectedValueException(`
	`78`	`+ 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)`
	`79`	`+ );`
`70`	`80`	`}`
`71`	`81`	`}`
`72`	`82`	`return $payload;`