From 4e24336dd29d3c89c6233801d9795bcbb3f84971 Mon Sep 17 00:00:00 2001
From: Steve Rhoades
Date: Thu, 28 Oct 2021 06:37:41 -0700
Subject: [PATCH] Remove support for Lcobucci\JWT < 4.1 due to vulnerability.
---
 composer.json | 2 +-
 src/IdTokenResponse.php | 11 +++++------
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/composer.json b/composer.json
index 50a1886..235e2af 100644
--- a/composer.json
+++ b/composer.json
@@ -10,7 +10,7 @@
 ],
 "require": {
 "league/oauth2-server": "^5.1|^6.0|^7.0|^8.0",
- "lcobucci/jwt": "^3.4.3|^4.1"
+ "lcobucci/jwt": "4.1.5"
 },
 "require-dev": {
 "phpunit/phpunit": "^5.0|^9.5",
diff --git a/src/IdTokenResponse.php b/src/IdTokenResponse.php
index fce31ca..2a24e68 100644
--- a/src/IdTokenResponse.php
+++ b/src/IdTokenResponse.php
@@ -14,6 +14,9 @@
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Encoding\ChainedFormatter;
+use Lcobucci\JWT\Token\Builder;
+use Lcobucci\JWT\Encoding\JoseEncoder;
 class IdTokenResponse extends BearerTokenResponse
 {
@@ -37,12 +40,8 @@ public function __construct(
 protected function getBuilder(AccessTokenEntityInterface $accessToken, UserEntityInterface $userEntity)
 {
- if (class_exists("Lcobucci\JWT\Token\Builder")) {
- $claimsFormatter = \Lcobucci\JWT\Encoding\ChainedFormatter::withUnixTimestampDates();
- $builder = new \Lcobucci\JWT\Token\Builder(new \Lcobucci\JWT\Encoding\JoseEncoder(), $claimsFormatter);
- } else {
- $builder = new \Lcobucci\JWT\Builder();
- }
+ $claimsFormatter = ChainedFormatter::withUnixTimestampDates();
+ $builder = new Builder(new JoseEncoder(), $claimsFormatter);
 // Since version 8.0 league/oauth2-server returns \DateTimeImmutable
 $expiresAt = $accessToken->getExpiryDateTime();
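Review bot: In the composer.json hunk, the new constraint `"lcobucci/jwt": "4.1.5"` is an exact pin, so projects depending on this package cannot pick up a later lcobucci/jwt 4.x security release until this file is edited again, and any other package that needs a different 4.x patch version will conflict. A lower-bounded range keeps the affected versions out while still allowing fixes: `"lcobucci/jwt": "^4.1.5"`. The `league/oauth2-server` range on the context line still lists majors 5 to 7, which probably cannot resolve together with lcobucci/jwt 4.x; that is worth checking and narrowing in the same change. The commit message does not name the advisory it responds to, so a reference there would let reviewers confirm that 4.1.5 is the fixed release.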
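Review bot: In the second src/IdTokenResponse.php hunk, `getBuilder()` loses its `class_exists` fallback but has no docblock telling subclass authors what it now returns or why the older path is gone. A short docblock above the method would record that, for example `/** @return Builder lcobucci/jwt 4.1+ token builder; the legacy \Lcobucci\JWT\Builder path was removed with the dependency bump */`. Prefer the docblock over a native `: Builder` return type, because the method is protected and an existing subclass override without a matching return type would then raise a fatal error. The body of getBuilder continues past the end of the hunk, so the signing call is not covered by this note.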