From 0f4701d272bdfab0fdc2cb65989bdec30ce2f872 Mon Sep 17 00:00:00 2001
From: Ercan Ozkaya
Date: Wed, 17 Jan 2018 14:02:17 +0300
Subject: [PATCH] #74 Require an algorithm in KHttpToken::verify

---
 .../koowa/libraries/http/token/interface.php | 8 ++++----
 .../libraries/koowa/libraries/http/token/token.php | 14 +++++++-------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/code/libraries/koowa/libraries/http/token/interface.php b/code/libraries/koowa/libraries/http/token/interface.php
index 1a407f51e..ca9cf7fa3 100644
--- a/code/libraries/koowa/libraries/http/token/interface.php
+++ b/code/libraries/koowa/libraries/http/token/interface.php
@@ -205,14 +205,14 @@ public function fromString($token);
 /**
 * Verify the token
 *
- * This method is used to verify the digitally signed JWT token. It does nothing, if the token is not signed
- * (i.e., the crypto segment of the JWT token is an empty string).
+ * This method is used to verify the digitally signed JWT token.
+ *
+ * It makes sure the algorithm is NOT set to 'none' if a secret is passed.
 *
 * @param mixed $secret The secret to be used to verify the HMAC signature bytes of the JWT token
- * @param boolean $signed Ensure the token is signed. If FALSE, unsigned tokens will pass verification
 * @return bool Returns TRUE if the signature of the JWT token is valid, FALSE otherwise.
 */
- public function verify($secret, $signed = false);
+ public function verify($secret);
 
 /**
 * Sign the token
diff --git a/code/libraries/koowa/libraries/http/token/token.php b/code/libraries/koowa/libraries/http/token/token.php
index a1b0d3c7b..b6ab349a4 100644
--- a/code/libraries/koowa/libraries/http/token/token.php
+++ b/code/libraries/koowa/libraries/http/token/token.php
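Review bot: The rewritten docblock on `verify()` in interface.php states that the algorithm must not be 'none' "if a secret is passed", but the `@return` line still describes only signature validity, so the return value for the 'none' case is not documented anywhere; the token.php hunk carries the same docblock and has the same gap. Because the check is conditional on a secret being given, the docblock should also tell callers what they get when no secret is passed, since that path is not covered by the new sentence. Suggest `@return bool Returns TRUE if the signature of the JWT token is valid, FALSE otherwise or when a secret is given and the token's algorithm is 'none'.` The `$secret` parameter is still typed `mixed`; a note on the accepted types (string, or null for no secret, if that is intended) would make the conditional behaviour easier to read.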
@@ -452,18 +452,18 @@ public function fromString($token)
 /**
 * Verify the token
 *
- * This method is used to verify the digitally signed JWT token. It does nothing, if the token is not signed
- * (i.e., the crypto segment of the JWT token is an empty string).
+ * This method is used to verify the digitally signed JWT token.
+ *
+ * It makes sure the algorithm is NOT set to 'none' if a secret is passed.
 *
 * @param mixed $secret The secret to be used to verify the HMAC signature bytes of the JWT token
- * @param boolean $signed Ensure the token is signed. If FALSE, unsigned tokens will pass verification
 * @return bool Returns TRUE if the signature of the JWT token is valid, FALSE otherwise.
 */
- public function verify($secret, $signed = true)
+ public function verify($secret)
 {
- //An unsigned JWT is using the "none" "alg" header parameter value; and an empty string for its signature.
- if(!$signed && empty($this->_signature) && $this->getAlgorithm() == 'none') {
- return true;
+ // Force an algorithm to be provided if there is a secret key
+ if ($secret && $this->getAlgorithm() == 'none') {
+ return false;
 }
 
 //Verify the signature
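Review bot: The new guard rejects an 'alg: none' token only when `$secret` is truthy, so a secret of `null`, `''`, `'0'` or `0` skips it and the unsigned token reaches the signature verification after the hunk, whose outcome for a 'none' token is not visible here. The commit title says an algorithm is required, which this condition does not fully enforce; if that is the intent, drop the `$secret` term and write `if ($this->getAlgorithm() === 'none') {` with the same `return false;`. If verifying without a secret is a deliberate mode, test for it explicitly (`$secret !== null && $secret !== ''`) instead of relying on truthiness, and prefer `===` in either form since the return type of `getAlgorithm()` is not declared in the hunk. The body of `verify()` continues past the end of the hunk.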