Merge pull request #43 from steverhoades/fix-dependebot-vulnerability

Remove support for Lcobucci\JWT < 4.1 due to vulnerability.
steverhoades · Oct 28, 2021 · 5f8f024 · 5f8f024
2 parents bfe62d1 + 4e24336
commit 5f8f024
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/composer.json b/composer.json
@@ -10,7 +10,7 @@
  ],
  "require": {
  "league/oauth2-server": "^5.1|^6.0|^7.0|^8.0",
- "lcobucci/jwt": "^3.4.3|^4.1"
+ "lcobucci/jwt": "4.1.5"
  },
  "require-dev": {
  "phpunit/phpunit": "^5.0|^9.5",

diff --git a/src/IdTokenResponse.php b/src/IdTokenResponse.php
@@ -14,6 +14,9 @@
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Encoding\ChainedFormatter;
+use Lcobucci\JWT\Token\Builder;
+use Lcobucci\JWT\Encoding\JoseEncoder;
 
 class IdTokenResponse extends BearerTokenResponse
 {
@@ -37,12 +40,8 @@ public function __construct(
 
  protected function getBuilder(AccessTokenEntityInterface $accessToken, UserEntityInterface $userEntity)
  {
- if (class_exists("Lcobucci\JWT\Token\Builder")) {
- $claimsFormatter = \Lcobucci\JWT\Encoding\ChainedFormatter::withUnixTimestampDates();
- $builder = new \Lcobucci\JWT\Token\Builder(new \Lcobucci\JWT\Encoding\JoseEncoder(), $claimsFormatter);
- } else {
- $builder = new \Lcobucci\JWT\Builder();
- }
+ $claimsFormatter = ChainedFormatter::withUnixTimestampDates();
+ $builder = new Builder(new JoseEncoder(), $claimsFormatter);
 
  // Since version 8.0 league/oauth2-server returns \DateTimeImmutable
  $expiresAt = $accessToken->getExpiryDateTime();