📖 back to readme
Auth-middleware follows semantic versioning.
Any issues should be reported.
This update reflects security vulnerability patch for CVE-2021-46743 from firebase/php-jwt
package in version 5.5 and 6.
As a result, the interface of FirebaseJwtDecoder
and certain AuthWizard
methods that create the decoder have been changed.
- [BC break] dropped PHP 7 support; PHP 8 is now required
- [BC break] removed
AuthFactory::defaultDecoderFactory
, please usefn() => AuthWizard::defaultDecoder( new Secret($secret,$algo) )
instead - [BC break] changed the constructor of
FirebaseJwtDecoder
to only acceptSecretContract
implementations - [BC break] using
AuthWizard::defaultDecoder
,AuthWizard::decodeTokens()
andAuthWizard::factory()->decodeTokens()
withstring
$secret
argument will now only decode tokens using the single defaultHS256
algorithm- previously the same calls resulted in use of any one of the three
HS256
,HS512
,HS384
algorithms (the attack vector) - to mitigate the issue, use an array of key-algo pairs (
Secret[]
) along withkid
header parameter (see section 4.5 of RFC 7517)
- previously the same calls resulted in use of any one of the three
- the default
FirebaseJwtDecoder
now only works withfirebase/php-jwt
versions 5.5 and 6+ (5.5.* - 6.*
) - added
AuthWizard::defaultDecoder
method that directly returns an instance of theFirebaseJwtDecoder
decoder
For more details, see this issue or release notes.
Provides means for mitigation of security vulnerability CVE-2021-46743 by using the new Secret
configuration object.
The peer library for handling tokens firebase/php-jwt
must be upgraded to v5.5 in order to do so.
- use a single secret+algorithm combination
- either using the
Secret
object instead of string constants when usingAuthWizard
orAuthFactory
- or passing an array with a single algorithm to the
$algos
parameter ofFirebaseJwtDecoder
constructor when using the decoder as standalone
- either using the
- use multiple
Secret
objects and pass them to the$secret
parameter AND use "kid" JWT header parameter when encoding the JWT- the JWT encoding must also factor-in the
kid
parameter when using multiple possible secret+algorithm combinations
- the JWT encoding must also factor-in the
For more information, see firebase/php-jwt#351.
Improved default injector:
TokenManipulators::attributeInjector
now accepts a callable with signaturefn(Throwable): mixed
for producing a value to be written to the error attribute.- The default injector will no longer prefix the exception messages with
Token Error:
prefix.
The initial release.