#74 Require an algorithm in KHttpToken::verify

joomlatools · Jan 17, 2018 · 0f4701d · 0f4701d
1 parent 47d5de1
commit 0f4701d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 11 deletions.
diff --git a/code/libraries/koowa/libraries/http/token/interface.php b/code/libraries/koowa/libraries/http/token/interface.php
@@ -205,14 +205,14 @@ public function fromString($token);
     /**
      * Verify the token
      *
-     * This method is used to verify the digitally signed JWT token. It does nothing, if the token is not signed
-     * (i.e., the crypto segment of the JWT token is an empty string).
+     * This method is used to verify the digitally signed JWT token.
+     *
+     * It makes sure the algorithm is NOT set to 'none' if a secret is passed.
      *
      * @param mixed   $secret  The secret to be used to verify the HMAC signature bytes of the JWT token
-     * @param boolean $signed  Ensure the token is signed. If FALSE, unsigned tokens will pass verification
      * @return bool  Returns TRUE if the signature of the JWT token is valid, FALSE otherwise.
      */
-    public function verify($secret, $signed = false);
+    public function verify($secret);
 
     /**
      * Sign the token

diff --git a/code/libraries/koowa/libraries/http/token/token.php b/code/libraries/koowa/libraries/http/token/token.php
@@ -452,18 +452,18 @@ public function fromString($token)
     /**
      * Verify the token
      *
-     * This method is used to verify the digitally signed JWT token. It does nothing, if the token is not signed
-     * (i.e., the crypto segment of the JWT token is an empty string).
+     * This method is used to verify the digitally signed JWT token.
+     *
+     * It makes sure the algorithm is NOT set to 'none' if a secret is passed.
      *
      * @param mixed   $secret  The secret to be used to verify the HMAC signature bytes of the JWT token
-     * @param boolean $signed  Ensure the token is signed. If FALSE, unsigned tokens will pass verification
      * @return bool  Returns TRUE if the signature of the JWT token is valid, FALSE otherwise.
      */
-    public function verify($secret, $signed = true)
+    public function verify($secret)
     {
-        //An unsigned JWT is using the "none" "alg" header parameter value; and an empty string for its signature.
-        if(!$signed && empty($this->_signature) && $this->getAlgorithm() == 'none') {
-           return true;
+        // Force an algorithm to be provided if there is a secret key
+        if ($secret && $this->getAlgorithm() == 'none') {
+            return false;
         }
 
         //Verify the signature