Skip to content
This repository has been archived by the owner on Sep 11, 2024. It is now read-only.

Upgrading firebase/php-jwt to v6 #225

Closed
wants to merge 8 commits into from

Conversation

JimTools
Copy link
Contributor

@JimTools JimTools commented Aug 6, 2022

Upgrading firebase/php-jwt to v6 this has a significant change in usage, the secret and algorithm need to be known a head of time to build the key.

changes now manipulate the algorithm option when only one secret is provided.

[
    'secret' => [
        'foo' => 'keepItSecret',
        'bar' => 'tooManySecrets',
    ],
    'algorithm' => [
        'HS256',
    ],
]

will become

[
    'secret' => [
        'foo' => 'keepItSecret',
        'bar' => 'tooManySecrets',
    ],
    'algorithm' => [
        'foo' => 'HS256',
        'bar' => 'HS256',
    ],
]

closes (#217)

@JimTools JimTools changed the title Upgrading firebase/php-jwt to v6 (#223) Upgrading firebase/php-jwt to v6 (#217) Aug 6, 2022
@JimTools JimTools changed the title Upgrading firebase/php-jwt to v6 (#217) Upgrading firebase/php-jwt to v6 Aug 6, 2022
@icetee
Copy link

icetee commented Aug 29, 2023

Is this PR dead? I really should upgrade to 6.x.

The 6.8.1 resolve my problem. firebase/php-jwt#488

@tuupola
Copy link
Owner

tuupola commented Aug 30, 2023

Not dead, just focus elsewhere at the moment.. Ie the usual "paid work comes first situation".

@tuupola tuupola self-assigned this Aug 30, 2023
@zwalden
Copy link

zwalden commented Dec 6, 2023

@tuupola, is there something we can do to help forward this along?

GHSA-8xf4-w7qw-pjjw

Removing the key id from when only one secret/algorithm is supplied
When only one algorithm is passed into the configuration but multiple secrets are provided the algorithm
array then needs to be manipulated into a key value store, using the key from the secrets list and the
algorithm being used for the value.

for example:
```
[
    'secret' => [
        'foo' => 'keepItSecret',
        'bar' => 'tooManySecrets',
    ],
    'algorithm' => [
        'HS256',
    ],
]
```

will become
```
[
    'secret' => [
        'foo' => 'keepItSecret',
        'bar' => 'tooManySecrets',
    ],
    'algorithm' => [
        'foo' => 'HS256',
        'bar' => 'HS256',
    ],
]
```
Updatig the readme to explain whe the KID is now needed when passing
when decodig the token also why the token need the KID to be set in the
header
@JimTools
Copy link
Contributor Author

I’ve updated the PR with the latest changes from upstream.

Just want to reiterate merging this a BC with the way multiple algorithms/secrets are handed but that is unavoidable.

@pwoszczyk
Copy link

This PR is crucial to unlock the ability to update other dependencies, like google/auth.

@JimTools
Copy link
Contributor Author

@pwoszczyk As this issue has been open for a while now I've decided to fork and release the package myself with this patch applied however it is not just a drop-in replacement.

fork

@tuupola
Copy link
Owner

tuupola commented Mar 14, 2024

@JimTools I don't think I will have time to work on this in any near future. Especially since it is impossible to do without a BC break. I also don't do much PHP at the moment. So I am happy to deprecate this package and point to your fork.

Since it is a BC brake anyway you could start with 1.0 and a good idea to remove slim from the name too.

@pwoszczyk
Copy link

@JimTools thank you! I will check!

@tuupola would be great to have a replacement declared by abandoned in composer.json

@JimTools JimTools closed this Mar 24, 2024
@JimTools JimTools deleted the feature/php-jwt-v6 branch March 24, 2024 07:17
@tuupola
Copy link
Owner

tuupola commented Mar 24, 2024

@JimTools Is it ok for you to mark jimtools/jwt-auth as replacement for tuupola/slim-jwt-auth in Packagist?

@JimTools
Copy link
Contributor Author

@tuupola yes it's not an issue! I can raise a PR if you'd like.

@JimTools
Copy link
Contributor Author

I guess the other alternative is you give me write access to this repo and I handle the next release.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants