Merge branch 'release/2.1.0'

lcobucci · Mar 7, 2015 · 2a62dd3 · 2a62dd3
2 parents 581e70a + 5fd26a4
commit 2a62dd3
Show file tree

Hide file tree

Showing 59 changed files with 3,237 additions and 649 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,2 @@
-.buildpath
-.project
-.settings/
 vendor
-build
+phpunit.xml
diff --git a/.scrutinizer.yml b/.scrutinizer.yml
@@ -0,0 +1,54 @@
+build:
+    environment:
+        mysql: false
+        redis: false
+        php:
+            version: 5.6
+tools:
+    php_sim: true
+    php_pdepend: true
+    php_analyzer: true
+    php_changetracking: true
+    php_code_sniffer:
+        config:
+            standard: "PSR2"
+    php_mess_detector: true
+checks:
+    php:
+        argument_type_checks: true
+        assignment_of_null_return: true
+        avoid_conflicting_incrementers: true
+        avoid_useless_overridden_methods: true
+        catch_class_exists: true
+        closure_use_modifiable: true
+        closure_use_not_conflicting: true
+        code_rating: true
+        deprecated_code_usage: true
+        duplication: true
+        method_calls_on_non_object: true
+        missing_arguments: true
+        no_duplicate_arguments: true
+        no_non_implemented_abstract_methods: true
+        no_property_on_interface: true
+        parameter_non_unique: true
+        precedence_in_conditions: true
+        precedence_mistakes: true
+        require_php_tag_first: true
+        security_vulnerabilities: true
+        sql_injection_vulnerabilities: true
+        too_many_arguments: true
+        unreachable_code: true
+        unused_methods: true
+        unused_parameters: true
+        unused_properties: true
+        unused_variables: true
+        use_statement_alias_conflict: true
+        useless_calls: true
+        variable_existence: true
+        verify_access_scope_valid: true
+        verify_argument_usable_as_reference: true
+        verify_property_names: true
+
+filter:
+    excluded_paths:
+        - test/*
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,17 @@
 language: php
 php:
   - 5.5
+  - 5.6
+  - 7.0
+  - hhvm
+  - hhvm-nightly
+
+matrix:
+  allow_failures:
+    - php: 7.0
+    - php: hhvm
+    - php: hhvm-nightly
+
 before_script:
   - composer selfupdate
   - composer install --prefer-dist -o
diff --git a/LICENSE b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2014, Luís Otávio Cobucci Oblonczyk
+Copyright (c) 2014-2015, Luís Otávio Cobucci Oblonczyk
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -24,4 +24,4 @@ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/README.md b/README.md
@@ -1,24 +1,33 @@
-# JWT
+k# JWT
+[![Gitter](https://img.shields.io/badge/GITTER-JOIN%20CHAT%20%E2%86%92-brightgreen.svg?style=flat-square)](https://gitter.im/lcobucci/jwt?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![Total Downloads](https://img.shields.io/packagist/dt/lcobucci/jwt.svg?style=flat-square)](https://packagist.org/packages/lcobucci/jwt) [![Latest Stable Version](https://img.shields.io/packagist/v/lcobucci/jwt.svg?style=flat-square)](https://packagist.org/packages/lcobucci/jwt)
 
-master
-[![Build Status](https://secure.travis-ci.org/lcobucci/jwt.png?branch=master)](http://travis-ci.org/#!/lcobucci/jwt)
-[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/lcobucci/jwt/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=master)
-[![Code Coverage](https://scrutinizer-ci.com/g/lcobucci/jwt/badges/coverage.png?b=master)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=master)
+![Branch master](https://img.shields.io/badge/branch-master-brightgreen.svg?style=flat-square)
+[![Build Status](https://img.shields.io/travis/lcobucci/jwt/master.svg?style=flat-square)](http://travis-ci.org/#!/lcobucci/jwt)
+[![Scrutinizer Code Quality](https://img.shields.io/scrutinizer/g/lcobucci/jwt/master.svg?style=flat-square)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=master)
+[![Code Coverage](https://img.shields.io/scrutinizer/coverage/g/lcobucci/jwt/master.svg?style=flat-square)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=master)
 
-develop
-[![Build Status](https://secure.travis-ci.org/lcobucci/jwt.png?branch=develop)](http://travis-ci.org/#!/lcobucci/jwt)
-[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/lcobucci/jwt/badges/quality-score.png?b=develop)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=develop)
-[![Code Coverage](https://scrutinizer-ci.com/g/lcobucci/jwt/badges/coverage.png?b=develop)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=develop)
+![Branch develop](https://img.shields.io/badge/branch-develop-brightgreen.svg?style=flat-square)
+[![Build Status](https://img.shields.io/travis/lcobucci/jwt/develop.svg?style=flat-square)](http://travis-ci.org/#!/lcobucci/jwt)
+[![Scrutinizer Code Quality](https://img.shields.io/scrutinizer/g/lcobucci/jwt/develop.svg?style=flat-square)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=develop)
+[![Code Coverage](https://img.shields.io/scrutinizer/coverage/g/lcobucci/jwt/develop.svg?style=flat-square)](https://scrutinizer-ci.com/g/lcobucci/jwt/?branch=develop)
 
-[![Total Downloads](https://poser.pugx.org/lcobucci/jwt/downloads.png)](https://packagist.org/packages/lcobucci/jwt)
-[![Latest Stable Version](https://poser.pugx.org/lcobucci/jwt/v/stable.png)](https://packagist.org/packages/lcobucci/jwt)
 
 A simple library to work with JSON Web Token and JSON Web Signature (requires PHP 5.5+).
-The implementation is based on the [current draft](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-31).
+The implementation is based on the [current draft](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
 
-## Instalation
+## Installation
 
-Just add to your composer.json: ```"lcobucci/jwt": "*"```
+Package is available on [Packagist](http://packagist.org/packages/lcobucci/jwt),
+you can install it using [Composer](http://getcomposer.org).
+
+```shell
+composer require lcobucci/jwt
+```
+
+### Dependencies
+
+- PHP 5.5+
+- OpenSSL Extension
 
 ## Basic usage
 
@@ -27,29 +36,110 @@ Just add to your composer.json: ```"lcobucci/jwt": "*"```
 Just use the builder to create a new JWT/JWS tokens:
 
 ```php
-<?php
 use Lcobucci\JWT\Builder;
-use Lcobucci\JWT\Signer\Hmac\Sha256;
 
 $token = (new Builder())->setIssuer('http://example.com') // Configures the issuer (iss claim)
                         ->setAudience('http://example.org') // Configures the audience (aud claim)
                         ->setId('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
+                        ->setIssuedAt(time()) // Configures the time that the token was issue (iat claim)
+                        ->setNotBefore(time() + 60) // Configures the time that the token can be used (nbf claim)
+                        ->setExpiration(time() + 3600) // Configures the expiration time of the token (nbf claim)
                         ->set('uid', 1) // Configures a new claim, called "uid"
-                        ->sign(new Sha256(), 'my key') // Signs the token with HS256 using "my key" as key
                         ->getToken(); // Retrieves the generated token
-
+
+
+$token->getHeader(); // Retrieves the token header
+$token->getClaims(); // Retrieves the token claims
+
+echo $token->getClaim('iss'); // will print "http://example.com"
+echo $token->getClaim('uid'); // will print "1"
 echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
 ```
+
 ### Parsing from strings
 
-Use the parser to create a new token from a JWT string:
+Use the parser to create a new token from a JWT string (using the previous token as example):
 
 ```php
-<?php
 use Lcobucci\JWT\Parser;
 
-$token = (new Parser())->parse('...'); // Parses from a string
+$token = (new Parser())->parse((string) $token); // Parses from a string
 $token->getHeader(); // Retrieves the token header
 $token->getClaims(); // Retrieves the token claims
-$token->verify('my key'); // Verifies if the signature was created with given key (if token is signed)
+
+echo $token->getClaim('iss'); // will print "http://example.com"
+echo $token->getClaim('uid'); // will print "1"
+```
+
+### Validating
+
+We can easily validate if the token is valid (using the previous token as example):
+
+```php
+use Lcobucci\JWT\ValidationData;
+
+$data = new ValidationData(); // It will use the current time to validate (iat, nbf and exp)
+$data->setIssuer('http://example.com');
+$data->setAudience('http://example.org');
+$data->setId('4f1g23a12aa');
+
+var_dump($token->validate($data)); // true, because validation information is equals to data contained on the token
+
+$data->setCurrentTime(time() + 4000); // changing the validation time to future
+
+var_dump($token->validate($data)); // false, because token is expired since current time is greater than exp
+```
+
+## Token signature
+
+We can use signatures to be able to verify if the token was not modified after its generation. This library implements Hmac, RSA and ECDSA signatures (using 256, 384 and 512).
+
+### Hmac
+
+Hmac signatures are really simple to be used:
+
+```php
+use Lcobucci\JWT\Builder;
+use Lcobucci\JWT\Signer\Hmac\Sha256;
+
+$token = (new Builder())->setIssuer('http://example.com') // Configures the issuer (iss claim)
+                        ->setAudience('http://example.org') // Configures the audience (aud claim)
+                        ->setId('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
+                        ->setIssuedAt(time()) // Configures the time that the token was issue (iat claim)
+                        ->setNotBefore(time() + 60) // Configures the time that the token can be used (nbf claim)
+                        ->setExpiration(time() + 3600) // Configures the expiration time of the token (nbf claim)
+                        ->set('uid', 1) // Configures a new claim, called "uid"
+                        ->sign(new Sha256(), 'testing') // creates a signature using "testing" as key
+                        ->getToken(); // Retrieves the generated token
+
+
+var_dump($token->verify('testing 1')); // false, because the key is different
+var_dump($token->verify('testing')); // true, because the key is the same
 ```
+
+### RSA and ECDSA
+
+RSA and ECDSA signatures are based on public and private keys so you have to generate using the private key and verify using the public key:
+
+```php
+use Lcobucci\JWT\Builder;
+use Lcobucci\JWT\Signer\Keychain; // just to make our life simpler
+use Lcobucci\JWT\Signer\Rsa\Sha256; // you can use Lcobucci\JWT\Signer\Ecdsa\Sha256 if you're using ECDSA keys
+
+$keychain = new Keychain();
+
+$token = (new Builder())->setIssuer('http://example.com') // Configures the issuer (iss claim)
+                        ->setAudience('http://example.org') // Configures the audience (aud claim)
+                        ->setId('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
+                        ->setIssuedAt(time()) // Configures the time that the token was issue (iat claim)
+                        ->setNotBefore(time() + 60) // Configures the time that the token can be used (nbf claim)
+                        ->setExpiration(time() + 3600) // Configures the expiration time of the token (nbf claim)
+                        ->set('uid', 1) // Configures a new claim, called "uid"
+                        ->sign(new Sha256(), $keychain->getPrivateKey('file://{path to your private key}')) // creates a signature using your private key
+                        ->getToken(); // Retrieves the generated token
+
+
+var_dump($token->verify($keychain->getPublicKey('file://{path to your public key}')); // true when the public key was generated by the private one =)
+```
+
+**It's important to say that if you're using RSA keys your shouldn't invoke ECDSA signers (and vice-versa), otherwise ```sign()``` and ```verify()``` will raise an exception!**
diff --git a/composer.json b/composer.json
@@ -1,27 +1,37 @@
 {
-    "name" : "lcobucci/jwt",
-    "description" : "A simple library to work with JSON Web Token and JSON Web Signature",
-    "type" : "library",
-    "authors" : [
+    "name": "lcobucci/jwt",
+    "description": "A simple library to work with JSON Web Token and JSON Web Signature",
+    "type": "library",
+    "authors": [
         {
-            "name" : "Luís Otávio Cobucci Obloncz",
-            "email" : "[email protected]",
+            "name": "Luís Otávio Cobucci Obloncz",
+            "email": "[email protected]",
             "role": "Developer"
         }
     ],
-    "keywords" : ["JWT", "JWS"],
-    "license" : ["BSD-3-Clause"],
-    "require" : {
-        "php" : ">=5.5"
+    "keywords": [
+        "JWT",
+        "JWS"
+    ],
+    "license": [
+        "BSD-3-Clause"
+    ],
+    "require": {
+        "php": ">=5.5",
+        "ext-openssl": "*"
     },
-    "require-dev" : {
-        "phpunit/phpunit" : "~4.3",
-        "squizlabs/php_codesniffer" : "~1.5",
-        "phpmd/phpmd" : "~2.1"
+    "require-dev": {
+        "phpunit/phpunit": "~4.5",
+        "squizlabs/php_codesniffer": "~2.3",
+        "phpmd/phpmd": "~2.2",
+        "phpunit/php-invoker": "~1.1"
     },
-    "autoload" : {
-        "psr-4" : {
-            "Lcobucci\\JWT\\" : ["src", "test"]
+    "autoload": {
+        "psr-4": {
+            "Lcobucci\\JWT\\": [
+                "src",
+                "test"
+            ]
         }
     }
 }