Merge pull request #66 from RobDWaller/4.0.2

4.0.2
RobDWaller · Apr 6, 2021 · a292f6e · a292f6e
2 parents eba7970 + 9645410
commit a292f6e
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -353,14 +353,15 @@ $validate->structure();
 $validate->signature();
 ```
 
-Six validation methods are available which can all be chained:
+Seven validation methods are available which can all be chained:
 
 - `structure()` confirms the structure of the token is correct.
 - `signature()` confirms the token signature is valid.
 - `expiration()` confirms the token expiration claim (`exp`) has not expired.
 - `notBefore()` confirms the token not before claim (`nbf`) has elapsed.
 - `audience()` confirms the token audience claim (`aud`) matches what is expected.
 - `algorithm()` confirms the token algorithm claim (`alg`) matches what is expected and is valid (See: [RFC 7518](https://www.rfc-editor.org/rfc/rfc7518.html)).
+- `algorithmNotNone()` confirms the token algorithm claim (`alg`) is not set to none.
 
 Each validation method will throw a `ReallySimpleJWT\Exception\ValidateException` if there is anything wrong with the supplied token.
 
@@ -404,6 +405,7 @@ There are four exception types that may be thrown:
 | 11   | Audience claim is not set.      | Attempt was made to validate an `aud` claim which does not exist. |
 | 12   | Algorithm claim is not valid.   | Algorithm should be a valid Digital Signature or MAC Algorithm, or none. See [RFC 7518](https://tools.ietf.org/html/rfc7518). |
 | 13   | Algorithm claim is not set.      | Attempt was made to validate an `alg` claim which does not exist. |
+| 14   | Algorithm claim should not be none.      | The `alg` claim should not be set to none. |
 
 ## Token Security
 

diff --git a/src/Tokens.php b/src/Tokens.php
@@ -134,8 +134,9 @@ public function validate(string $token, string $secret): bool
         $validate = $this->validator($token, $secret);
 
         try {
-            $validate->structure();
-            $validate->signature();
+            $validate->structure()
+                ->algorithmNotNone()
+                ->signature();
             return true;
         } catch (ValidateException $e) {
             return false;

diff --git a/src/Validate.php b/src/Validate.php
@@ -110,6 +110,23 @@ public function algorithm(array $algorithms): Validate
         return $this;
     }
 
+    /**
+     * Validate the token's alg claim is not none.
+     *
+     * @throws ValidateException
+     */
+    public function algorithmNotNone(): Validate
+    {
+        if ($this->validate->algorithm(strtolower($this->parse->getAlgorithm()), ['none'])) {
+            throw new ValidateException(
+                'Algorithm claim should not be none.',
+                14
+            );
+        }
+
+        return $this;
+    }
+
     /**
      * Validate the JWT's signature. The signature taken from the JWT should
      * match a new one generated from the JWT header and payload, and secret.

diff --git a/tests/Unit/ValidateTest.php b/tests/Unit/ValidateTest.php
@@ -303,4 +303,68 @@ public function testValidateAlgorithmFail(): void
         $this->expectExceptionCode(12);
         $validate->algorithm([]);
     }
+
+    public function testValidateAlgorithmNotNone(): void
+    {
+        $parse = $this->createMock(Parse::class);
+        $parse->expects($this->once())
+            ->method('getAlgorithm')
+            ->willReturn('HS256');
+
+        $validator = $this->createMock(Validator::class);
+        $validator->expects($this->once())
+            ->method('algorithm')
+            ->with('hs256', ['none'])
+            ->willReturn(false);
+
+        $encode = $this->createMock(EncodeHS256::class);
+
+        $validate = new Validate($parse, $encode, $validator);
+
+        $this->assertInstanceOf(Validate::class, $validate->algorithmNotNone());
+    }
+
+    public function testValidateAlgorithmNotNoneFail(): void
+    {
+        $parse = $this->createMock(Parse::class);
+        $parse->expects($this->once())
+            ->method('getAlgorithm')
+            ->willReturn('none');
+
+        $validator = $this->createMock(Validator::class);
+        $validator->expects($this->once())
+            ->method('algorithm')
+            ->with('none', ['none'])
+            ->willReturn(true);
+
+        $encode = $this->createMock(EncodeHS256::class);
+
+        $validate = new Validate($parse, $encode, $validator);
+
+        $this->expectException(ValidateException::class);
+        $this->expectExceptionMessage('Algorithm claim should not be none.');
+        $this->expectExceptionCode(14);
+        $validate->algorithmNotNone();
+    }
+
+    public function testValidateAlgorithmNotNoneCapitalCaseFail(): void
+    {
+        $encode = $this->createMock(EncodeHS256::class);
+
+        $validator = $this->createMock(Validator::class);
+        $validator->expects($this->once())
+            ->method('algorithm')
+            ->with('none', ['none'])
+            ->willReturn(true);
+
+        $parse = $this->createMock(Parse::class);
+        $parse->expects($this->once())
+            ->method('getAlgorithm')
+            ->willReturn('None');
+
+        $validate = new Validate($parse, $encode, $validator);
+
+        $this->expectException(ValidateException::class);
+        $validate->algorithmNotNone();
+    }
 }