Added support for multiple keys in SignedWith validation

src/Validation/Constraint/SignedWith.php

@@ -9,10 +9,19 @@
 use Lcobucci\JWT\Validation\ConstraintViolation;
 use Lcobucci\JWT\Validation\SignedWith as SignedWithInterface;
 
+use function is_array;
+
 final class SignedWith implements SignedWithInterface
 {
-    public function __construct(private readonly Signer $signer, private readonly Signer\Key $key)
+    private readonly Signer\Key|array $keys;
+
+    public function __construct(private readonly Signer $signer, Signer\Key|array $keys)
     {
+        if (! is_array($keys)) {
+            $keys = [$keys];
+        }
+
+        $this->keys = $keys;
     }
 
     public function assert(Token $token): void
@@ -25,7 +34,17 @@ public function assert(Token $token): void
             throw ConstraintViolation::error('Token signer mismatch', $this);
         }
 
-        if (! $this->signer->verify($token->signature()->hash(), $token->payload(), $this->key)) {
+        $hash    = $token->signature()->hash();
+        $payload = $token->payload();
+        $match   = false;
+        foreach ($this->keys as $key) {
+            if ($this->signer->verify($hash, $payload, $key)) {
+                $match = true;
+                break;
+            }
+        }
+
+        if (! $match) {
             throw ConstraintViolation::error('Token signature mismatch', $this);
         }
     }

tests/Validation/Constraint/SignedWithTest.php

@@ -4,6 +4,7 @@
 namespace Lcobucci\JWT\Tests\Validation\Constraint;
 
 use Lcobucci\JWT\Signer;
+use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\Token;
 use Lcobucci\JWT\Token\Signature;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
@@ -24,6 +25,8 @@ final class SignedWithTest extends ConstraintTestCase
     /** @var Signer&MockObject */
     private Signer $signer;
     private Signer\Key $key;
+    /** @var Signer\Key[] */
+    private array $keys;
     private Signature $signature;
 
     /** @before */
@@ -33,6 +36,10 @@ public function createDependencies(): void
         $this->signer->method('algorithmId')->willReturn('RS256');
 
         $this->key       = Signer\Key\InMemory::plainText('123');
+        $this->keys      = [
+            Signer\Key\InMemory::plainText('abc'),
+            Signer\Key\InMemory::plainText('123'),
+        ];
         $this->signature = new Signature('1234', '5678');
     }
 
@@ -92,4 +99,33 @@ public function assertShouldRaiseExceptionWhenSignatureIsValid(): void
         $constraint->assert($token);
         $this->addToAssertionCount(1);
     }
+
+    /** @test */
+    public function assertShouldNotRaiseExceptionWhenSignatureIsValidWithMultipleKeys(): void
+    {
+        $token = $this->buildToken([], ['alg' => 'RS256'], $this->signature);
+        $this->signer->expects(self::exactly(2))
+            ->method('verify')
+            ->willReturnCallback(fn (string $expected, string $payload, Key $key) => $key->contents() === '123');
+
+        $constraint = new SignedWith($this->signer, $this->keys);
+        $constraint->assert($token);
+        $this->addToAssertionCount(1);
+    }
+
+    /** @test */
+    public function assertShouldRaiseExceptionWhenSignatureIsInValidWithMultipleKeys(): void
+    {
+        $token = $this->buildToken([], ['alg' => 'RS256'], $this->signature);
+        $this->signer->expects(self::exactly(2))
+            ->method('verify')
+            ->willReturn(false);
+
+        $this->expectException(ConstraintViolation::class);
+        $this->expectExceptionMessage('Token signature mismatch');
+
+        $constraint = new SignedWith($this->signer, $this->keys);
+        $constraint->assert($token);
+        $this->addToAssertionCount(1);
+    }
 }