Token validation ! about jwt HOT 9 CLOSED

Thanks @absolux for your contribution.

The ValidationData is not a validator, but is "bag" to define your expectations about the token. In that way you're required to inform what do you want to be validated.

To make your code work you have to do this:

$builder = new Builder();
$token = $builder->setSubject(1)->getToken();
$validator = new ValidationData();
$validator->setSubject(2); // if you don't set this the "sub" claim will be just ignored in the validation.
$this->assertFalse($token->validate($validator));

My ideia was to say: hey token are you valid against this data?

from jwt.

But you remind me to create a new issue about the token validation process 😄

from jwt.

I think this should be explained better in the documentation section

from jwt.

yes indeed, but ValidationData object has by default 3 claims [iat, exp, nbf] not validated by the token, because they are absent, and my test will always fail in case the token is not signed.

So, for that reason, ValidationData should know about required claims, and returns false before checking claims values

from jwt.

Thanks again @absolux.
After taking more time to analyse your report I've found the reason why you're getting the wrong return from Token::validate() method.

It's not related with what you're saying, but actually with types and === comparison used by Claims\EqualsTo.

Builder converts the subject claim to a string, but ValidationData doesn't. So when you're using int as subject things get messy 😄. I'll be fixing it right now and adding more tests.

from jwt.

BTW token validation and signature verification are different things. That's why this isn't related with having unsigned tokens.

from jwt.

@absolux I just released the version 3.0.3 with this fix, can you check if everything is fine now?

from jwt.

Thanks a lot for the update, and the documentation is more clear now. 👍

from jwt.

Awesome @absolux! Some 🍻 to you for reporting this!

from jwt.