From dffa536d77af1f7a72bbd991f3e13195413d8cfd Mon Sep 17 00:00:00 2001 From: Emil Masiakowski Date: Mon, 27 Nov 2023 18:28:54 +0100 Subject: [PATCH] Allow changing JWT leeway parameter --- src/MessageBird/RequestValidator.php | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/MessageBird/RequestValidator.php b/src/MessageBird/RequestValidator.php index 374f1ee..370df7f 100644 --- a/src/MessageBird/RequestValidator.php +++ b/src/MessageBird/RequestValidator.php @@ -49,16 +49,27 @@ class RequestValidator */ private $skipURLValidation; + /** + * Allows the JWT token to be that many seconds after the expiration date + * without being considered it expired. Useful to account for server + * clocks being slightly out of sync or for integration testing with + * a known good token. Should be kept reasonably low in production. + * + * @var int + */ + private $leewaySeconds; + /** * RequestValidator constructor. * * @param string $signingKey customer signature key. Can be retrieved through Developer Settings. This is NOT your API key. * @param bool $skipURLValidation whether url_hash claim validation should be skipped. Note that when true, no query parameters should be trusted. */ - public function __construct(string $signingKey, bool $skipURLValidation = false) + public function __construct(string $signingKey, bool $skipURLValidation = false, int $leewaySeconds = 1) { $this->signingKey = $signingKey; $this->skipURLValidation = $skipURLValidation; + $this->leewaySeconds = $leewaySeconds; } /** @@ -139,7 +150,7 @@ public function validateSignature(string $signature, string $url, string $body) throw new ValidationException("URL cannot be empty"); } - JWT::$leeway = 1; + JWT::$leeway = $this->leewaySeconds; try { $headb64 = \explode('.', $signature)[0]; $headerRaw = JWT::urlsafeB64Decode($headb64);