[v4.0] Add stricter ValidAt constraint

Hi, it seems to me that the new ValidAt constraint is very dangerous:

jwt/test/unit/Validation/Constraint/ValidAtTest.php

Lines 218 to 225 in 6d8665c

    
           public function assertShouldNotRaiseExceptionWhenTokenDoesNotHaveTimeClaims(): void 
        
           { 
        
               $token      = $this->buildToken(); 
        
               $constraint = new ValidAt($this->clock); 
        
               $constraint->assert($token); 
        
               $this->addToAssertionCount(1); 
        
           }

It creates a false sense of security, and it's easy to mess with: I've already had a successful token misused because no time claim was set.

I propose to rename ValidAt to LooseValidAt, and introduce a new StrictValidAt that requires all time claims to be set

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

	public function assertShouldNotRaiseExceptionWhenTokenDoesNotHaveTimeClaims(): void
	{
	$token = $this->buildToken();
	$constraint = new ValidAt($this->clock);

	$constraint->assert($token);
	$this->addToAssertionCount(1);
	}

Uh oh!

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions