Merge branch '3.2.x' into 3.1.x-merge-up-into-3.2.x_y5PglacC

Author: Spomky

.github/workflows/release-on-milestone-closed.yml

@@ -17,7 +17,7 @@ jobs:
         uses: "actions/checkout@v3"
 
       - name: "Release"
-        uses: "laminas/automatic-releases@1.15.0"
+        uses: "laminas/automatic-releases@1.24.0"
         with:
           command-name: "laminas:automatic-releases:release"
         env:
@@ -28,7 +28,7 @@ jobs:
           "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
 
       - name: "Create Merge-Up Pull Request"
-        uses: "laminas/automatic-releases@1.15.0"
+        uses: "laminas/automatic-releases@1.24.0"
         with:
           command-name: "laminas:automatic-releases:create-merge-up-pull-request"
         env:
@@ -39,7 +39,7 @@ jobs:
           "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
 
       - name: "Create and/or Switch to new Release Branch"
-        uses: "laminas/automatic-releases@1.15.0"
+        uses: "laminas/automatic-releases@1.24.0"
         with:
           command-name: "laminas:automatic-releases:switch-default-branch-to-next-minor"
         env:
@@ -50,7 +50,7 @@ jobs:
           "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
 
       - name: "Bump Changelog Version On Originating Release Branch"
-        uses: "laminas/automatic-releases@1.15.0"
+        uses: "laminas/automatic-releases@1.24.0"
         with:
           command-name: "laminas:automatic-releases:bump-changelog"
         env:
@@ -61,7 +61,7 @@ jobs:
           "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
 
       - name: "Create new milestones"
-        uses: "laminas/automatic-releases@1.15.0"
+        uses: "laminas/automatic-releases@1.24.0"
         with:
           command-name: "laminas:automatic-releases:create-milestones"
         env:

Makefile

@@ -1,5 +1,5 @@
 mu: vendor ## Mutation tests
-	vendor/bin/infection -s --threads=$(nproc) --min-msi=40 --min-covered-msi=40
+	vendor/bin/infection -s --threads=$$(nproc) --min-msi=40 --min-covered-msi=40
 
 tests: vendor ## Run all tests
 	vendor/bin/phpunit  --color
@@ -8,7 +8,7 @@ cc: vendor ## Show test coverage rates (HTML)
 	vendor/bin/phpunit --coverage-html ./build
 
 cs: vendor ## Fix all files using defined ECS rules
-	vendor/bin/ecs check --fix
+	XDEBUG_MODE=off vendor/bin/ecs check --fix
 
 tu: vendor ## Run only unit tests
 	vendor/bin/phpunit --color --group Unit
@@ -20,19 +20,19 @@ tf: vendor ## Run only functional tests
 	vendor/bin/phpunit --color --group Functional
 
 st: vendor ## Run static analyse
-	vendor/bin/phpstan analyse
+	XDEBUG_MODE=off vendor/bin/phpstan analyse
 
 
 ################################################
 
 ci-mu: vendor ## Mutation tests (for Github only)
-	vendor/bin/infection --logger-github -s --threads=$(nproc) --min-msi=40 --min-covered-msi=40
+	vendor/bin/infection --logger-github -s --threads=$$(nproc) --min-msi=40 --min-covered-msi=40
 
 ci-cc: vendor ## Show test coverage rates (console)
 	vendor/bin/phpunit --coverage-text
 
 ci-cs: vendor ## Check all files using defined ECS rules
-	vendor/bin/ecs check
+	XDEBUG_MODE=off vendor/bin/ecs check
 
 ################################################
 
@@ -42,7 +42,7 @@ vendor: composer.json composer.lock
 	composer install
 
 rector: vendor ## Check all files using Rector
-	vendor/bin/rector process --ansi --dry-run --xdebug
+	XDEBUG_MODE=off vendor/bin/rector process --ansi --dry-run --xdebug
 
 .DEFAULT_GOAL := help
 help:

README.md

@@ -1,13 +1,7 @@
 PHP JWT Framework
 =================
 
-![Build Status](https://github.com/web-token/jwt-framework/workflows/Coding%20Standards/badge.svg)
-![Build Status](https://github.com/web-token/jwt-framework/workflows/Static%20Analyze/badge.svg)
-![Build Status](https://github.com/web-token/jwt-framework/workflows/Rector%20Checkstyle/badge.svg)
-
-![Build Status](https://github.com/web-token/jwt-framework/workflows/Unit%20and%20Functional%20Tests/badge.svg)
-
-![Build Status](https://github.com/web-token/jwt-framework/workflows/Mutation%20Testing/badge.svg)
+![Build Status](https://github.com/web-token/jwt-framework/workflows/Integrate/badge.svg)
 
 [![Latest Stable Version](https://poser.pugx.org/web-token/jwt-framework/v/stable.png)](https://packagist.org/packages/web-token/jwt-framework)
 [![Total Downloads](https://poser.pugx.org/web-token/jwt-framework/downloads.png)](https://packagist.org/packages/web-token/jwt-framework)

composer.json

@@ -59,6 +59,7 @@
         "ext-sodium": "*",
         "brick/math": "^0.9|^0.10|^0.11",
         "paragonie/constant_time_encoding": "^2.4",
+        "psr/clock": "^1.0",
         "psr/event-dispatcher": "^1.0",
         "psr/http-client": "^1.0",
         "psr/http-factory": "^1.0",
@@ -83,14 +84,13 @@
         "php-http/mock-client": "^1.5",
         "php-parallel-lint/php-parallel-lint": "^1.3",
         "phpbench/phpbench": "^1.2",
-        "phpstan/extension-installer": "^1.1",
         "phpstan/phpstan": "^1.8",
         "phpstan/phpstan-deprecation-rules": "^1.0",
         "phpstan/phpstan-phpunit": "^1.1",
         "phpstan/phpstan-strict-rules": "^1.4",
         "phpunit/phpunit": "^9.5.23",
         "qossmic/deptrac-shim": "^1.0",
-        "rector/rector": "^0.14",
+        "rector/rector": "^0.15",
         "roave/security-advisories": "dev-latest",
         "symfony/browser-kit": "^6.1.3",
         "symfony/finder": "^5.4|^6.0",
@@ -145,9 +145,10 @@
     "config": {
         "sort-packages": true,
         "allow-plugins": {
-            "phpstan/extension-installer": true,
             "infection/extension-installer": true,
-            "composer/package-versions-deprecated": true
+            "composer/package-versions-deprecated": true,
+            "phpstan/extension-installer": false,
+            "php-http/discovery": false
         }
     }
 }

rector.php

@@ -31,6 +31,8 @@
     $config->parallel();
     $config->paths([__DIR__ . '/src', __DIR__ . '/performance', __DIR__ . '/tests']);
     $config->skip([
+        \Rector\Php80\Rector\Class_\AnnotationToAttributeRector::class => __DIR__ . '/tests',
+        \Rector\PHPUnit\Rector\Class_\AnnotationWithValueToAttributeRector::class => __DIR__ . '/tests',
         __DIR__ . '/src/Component/Core/JWKSet.php',
         __DIR__ . '/src/Bundle/JoseFramework/DependencyInjection/Source/KeyManagement/JWKSource.php',
         __DIR__ . '/src/Bundle/JoseFramework/DependencyInjection/Source/KeyManagement/JWKSetSource.php',

src/Bundle/JoseFramework/DependencyInjection/Source/Checker/CheckerSource.php

@@ -45,6 +45,7 @@ public function load(array $configs, ContainerBuilder $container): void
         $loader = new PhpFileLoader($container, new FileLocator(__DIR__ . '/../../../Resources/config'));
         $loader->load('checkers.php');
 
+        $container->setAlias('jose.clock', $configs['clock']);
         if (array_key_exists('checkers', $configs)) {
             foreach ($this->sources as $source) {
                 $source->load($configs['checkers'], $container);
@@ -57,6 +58,13 @@ public function getNodeDefinition(NodeDefinition $node): void
         if (! $this->isEnabled()) {
             return;
         }
+        $node->children()
+            ->scalarNode('clock')
+            ->defaultValue('jose.internal_clock')
+            ->cannotBeEmpty()
+            ->info('PSR-20 clock')
+            ->end()
+            ->end();
         $childNode = $node
             ->children()
             ->arrayNode($this->name())

src/Bundle/JoseFramework/Resources/config/checkers.php

@@ -5,8 +5,11 @@
 use Jose\Bundle\JoseFramework\Services\ClaimCheckerManagerFactory;
 use Jose\Bundle\JoseFramework\Services\HeaderCheckerManagerFactory;
 use Jose\Component\Checker\ExpirationTimeChecker;
+use Jose\Component\Checker\InternalClock;
 use Jose\Component\Checker\IssuedAtChecker;
 use Jose\Component\Checker\NotBeforeChecker;
+use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
+use function Symfony\Component\DependencyInjection\Loader\Configurator\service;
 
 /*
  * The MIT License (MIT)
@@ -17,7 +20,6 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 
 return function (ContainerConfigurator $container): void {
     $container = $container->services()
@@ -33,6 +35,7 @@
         ->public();
 
     $container->set(ExpirationTimeChecker::class)
+        ->arg('$clock', service('jose.internal_clock'))
         ->tag('jose.checker.claim', [
             'alias' => 'exp',
         ])
@@ -41,6 +44,7 @@
         ]);
 
     $container->set(IssuedAtChecker::class)
+        ->arg('$clock', service('jose.internal_clock'))
         ->tag('jose.checker.claim', [
             'alias' => 'iat',
         ])
@@ -49,10 +53,20 @@
         ]);
 
     $container->set(NotBeforeChecker::class)
+        ->arg('$clock', service('jose.internal_clock'))
         ->tag('jose.checker.claim', [
             'alias' => 'nbf',
         ])
         ->tag('jose.checker.header', [
             'alias' => 'nbf',
         ]);
+
+    $container->set('jose.internal_clock')
+        ->class(InternalClock::class)
+        ->deprecate(
+            'web-token/jwt-bundle',
+            '3.2.0',
+            'The service "%service_id%" is an internal service that will be removed in 4.0.0. Please use a PSR-20 compatible service as clock.'
+        )
+        ->private();
 };

src/Component/Checker/ExpirationTimeChecker.php

@@ -6,6 +6,7 @@
 
 use function is_float;
 use function is_int;
+use Psr\Clock\ClockInterface;
 
 /**
  * This class is a claim checker. When the "exp" is present, it will compare the value with the current timestamp.
@@ -14,10 +15,22 @@ final class ExpirationTimeChecker implements ClaimChecker, HeaderChecker
 {
     private const NAME = 'exp';
 
+    private readonly ClockInterface $clock;
+
     public function __construct(
         private readonly int $allowedTimeDrift = 0,
-        private readonly bool $protectedHeaderOnly = false
+        private readonly bool $protectedHeaderOnly = false,
+        ?ClockInterface $clock = null,
     ) {
+        if ($clock === null) {
+            trigger_deprecation(
+                'web-token/jwt-checker',
+                '3.2.0',
+                'The parameter "$clock" will become mandatory in 4.0.0. Please set a valid PSR Clock implementation instead of "null".'
+            );
+            $clock = new InternalClock();
+        }
+        $this->clock = $clock;
     }
 
     /**
@@ -28,7 +41,10 @@ public function checkClaim(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidClaimException('"exp" must be an integer.', self::NAME, $value);
         }
-        if (time() > $value + $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()
+            ->getTimestamp();
+        if ($now > $value + $this->allowedTimeDrift) {
             throw new InvalidClaimException('The token expired.', self::NAME, $value);
         }
     }
@@ -43,7 +59,10 @@ public function checkHeader(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidHeaderException('"exp" must be an integer.', self::NAME, $value);
         }
-        if (time() > $value + $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()
+            ->getTimestamp();
+        if ($now > $value + $this->allowedTimeDrift) {
             throw new InvalidHeaderException('The token expired.', self::NAME, $value);
         }
     }

src/Component/Checker/InternalClock.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Jose\Component\Checker;
+
+use DateTimeImmutable;
+use Psr\Clock\ClockInterface;
+
+/**
+ * @internal
+ */
+final class InternalClock implements ClockInterface
+{
+    public function now(): DateTimeImmutable
+    {
+        return new DateTimeImmutable();
+    }
+}

src/Component/Checker/IssuedAtChecker.php

@@ -6,6 +6,7 @@
 
 use function is_float;
 use function is_int;
+use Psr\Clock\ClockInterface;
 
 /**
  * This class is a claim checker. When the "iat" is present, it will compare the value with the current timestamp.
@@ -14,10 +15,22 @@ final class IssuedAtChecker implements ClaimChecker, HeaderChecker
 {
     private const NAME = 'iat';
 
+    private readonly ClockInterface $clock;
+
     public function __construct(
         private readonly int $allowedTimeDrift = 0,
-        private readonly bool $protectedHeaderOnly = false
+        private readonly bool $protectedHeaderOnly = false,
+        ?ClockInterface $clock = null,
     ) {
+        if ($clock === null) {
+            trigger_deprecation(
+                'web-token/jwt-checker',
+                '3.2.0',
+                'The parameter "$clock" will become mandatory in 4.0.0. Please set a valid PSR Clock implementation instead of "null".'
+            );
+            $clock = new InternalClock();
+        }
+        $this->clock = $clock;
     }
 
     /**
@@ -28,7 +41,10 @@ public function checkClaim(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidClaimException('"iat" must be an integer.', self::NAME, $value);
         }
-        if (time() < $value - $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()
+            ->getTimestamp();
+        if ($now < $value - $this->allowedTimeDrift) {
             throw new InvalidClaimException('The JWT is issued in the future.', self::NAME, $value);
         }
     }
@@ -43,7 +59,10 @@ public function checkHeader(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidHeaderException('The header "iat" must be an integer.', self::NAME, $value);
         }
-        if (time() < $value - $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()
+            ->getTimestamp();
+        if ($now < $value - $this->allowedTimeDrift) {
             throw new InvalidHeaderException('The JWT is issued in the future.', self::NAME, $value);
         }
     }