bug fix

Author: cdoco

README.md

@@ -155,6 +155,157 @@ $decoded_token = jwt_decode($token, $publicKey, ['algorithm' => 'ES256']);
 print_r($decoded_token);
 ```
 
+## Support for reserved claim names
+
+JSON Web Token defines some reserved claim names and defines how they should be used. JWT supports these reserved claim names:
+
+- 'exp' (Expiration Time) Claim
+- 'nbf' (Not Before Time) Claim
+- 'iss' (Issuer) Claim
+- 'aud' (Audience) Claim
+- 'jti' (JWT ID) Claim
+- 'iat' (Issued At) Claim
+- 'sub' (Subject) Claim
+
+### Expiration Time Claim
+
+> The `exp` (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the `exp` claim requires that the current date/time MUST be before the expiration date/time listed in the `exp` claim. Implementers MAY provide for some small `leeway`, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a **NumericDate** value. Use of this claim is OPTIONAL.
+
+#### Handle Expiration Claim
+
+```php
+$payload = ['data' => 'data', 'exp' => time() + 4 * 3600];
+
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
+} catch (Exception $e) {
+    // Expired token
+    $e->getMessage();
+}
+```
+
+#### Adding Leeway
+
+```php
+$payload = ['data' => 'data', 'exp' => time() - 10];
+
+// build expired token
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['leeway' => 30, 'algorithm' => 'HS256']);
+} catch (Exception $e) {
+    // Expired token
+}
+```
+
+### Not Before Time Claim
+
+> The `nbf` (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the `nbf` claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the `nbf` claim. Implementers MAY provide for some small `leeway`, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a **NumericDate** value. Use of this claim is OPTIONAL.
+
+#### Handle Not Before Claim
+
+```php
+$payload = ['data' => 'data', 'nbf' => time() - 3600];
+
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
+} catch (Exception $e) {
+    // Handle invalid token
+}
+```
+
+#### Adding Leeway
+
+```php
+$payload = ['data' => 'data', 'nbf' => time() + 10];
+
+// build expired token
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['leeway' => 30, 'algorithm' => 'HS256']);
+} catch (Exception $e) {
+    // Handle invalid token
+}
+```
+
+### Issuer Claim
+
+> The `iss` (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The `iss` value is a case-sensitive string containing a **StringOrURI** value. Use of this claim is OPTIONAL.
+
+```php
+$payload = ['data' => 'data', 'iss' => 'http://example.org'];
+
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['iss' => 'http://example.org', 'algorithm' => 'HS256']);
+} catch (Exception $e) {
+     // Handle invalid token
+}
+```
+
+### Audience Claim
+
+```php
+$payload = ['data' => 'data', 'aud' => 'Young Man'];
+
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['iss' => 'Young Man', 'algorithm' => 'HS256']);
+} catch (Exception $e) {
+     // Handle invalid token
+}
+```
+
+### JWT ID Claim
+
+```php
+$payload = ['data' => 'data', 'jti' => md5('id')];
+
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['jti' => md5('id'), 'algorithm' => 'HS256']);
+} catch (Exception $e) {
+     // Handle invalid token
+}
+```
+
+### Issued At Claim
+
+```php
+$payload = ['data' => 'data', 'iat' => time()];
+
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
+} catch (Exception $e) {
+     // Handle invalid token
+}
+```
+
+### Subject Claim
+
+```php
+$payload = ['data' => 'data', 'sub' => 'Subject'];
+
+$token = jwt_encode($payload, $hmackey, 'HS256');
+
+try {
+    $decoded_token = jwt_decode($token, $hmackey, ['sub' => 'Subject', 'algorithm' => 'HS256']);
+} catch (Exception $e) {
+     // Handle invalid token
+}
+```
+
 ## Benchmarks
 
 ![Benchmarks](https://cdoco.com/images/jwt-benchmarks.png "Benchmarks")

jwt.c

@@ -235,9 +235,21 @@ char *jwt_hash_str_find_str(zval *arr, char *key)
     return str;
 }
 
+long jwt_hash_str_find_long(zval *arr, char *key)
+{
+    zval *zv = zend_hash_str_find(Z_ARRVAL_P(arr), key, strlen(key));
+
+    if (zv != NULL) {
+        return Z_LVAL_P(zv);
+    }
+
+    return 0;
+}
+
 int jwt_verify_claims(zval *arr, char *key, char *str)
 {
-    if (strcmp(jwt_hash_str_find_str(arr, key), str)) {
+    char *rs = jwt_hash_str_find_str(arr, key);
+    if (rs && strcmp(rs, str)) {
         return FAILURE;
     }
 
@@ -272,8 +284,14 @@ int jwt_verify_body(char *body, zval *return_value)
         err_msg = "Iss verify fail";
 
     /* iat */
-    if (jwt_options->iat && jwt_verify_claims(return_value, "iat", jwt_options->iat))
-        err_msg = "Iat verify fail";
+    if (jwt_options->iat && jwt_options->iat > (curr_time + jwt_options->leeway)) {
+        struct tm *timeinfo;
+        char buf[128];
+
+        timeinfo = localtime(&curr_time);
+        strftime(buf, sizeof(buf), "Cannot handle token prior to %Y-%m-%d %H:%M:%S", timeinfo);
+        err_msg = buf;
+    }
 
     /* jti */
     if (jwt_options->jti && jwt_verify_claims(return_value, "jti", jwt_options->jti))
@@ -308,15 +326,9 @@ int jwt_parse_options(zval *options)
                     jwt_options->algorithm = alg;
                 }
 
-                /* leeway */
-                zval *zv_leeway = zend_hash_str_find(Z_ARRVAL_P(options), "leeway", strlen("leeway"));
-                if (zv_leeway != NULL) {
-                    jwt_options->leeway = Z_LVAL_P(zv_leeway);
-                }
-                
                 /* options */
+                jwt_options->leeway = jwt_hash_str_find_long(options, "leeway");
                 jwt_options->iss = jwt_hash_str_find_str(options, "iss");
-                jwt_options->iat = jwt_hash_str_find_str(options, "iat");
                 jwt_options->jti = jwt_hash_str_find_str(options, "jti");
                 jwt_options->aud = jwt_hash_str_find_str(options, "aud");
                 jwt_options->sub = jwt_hash_str_find_str(options, "sub");
@@ -361,15 +373,9 @@ PHP_FUNCTION(jwt_encode)
     }
 
     /* set expiration and not before */
-    zval *zv_exp = zend_hash_str_find(Z_ARRVAL_P(claims), "exp", 3);
-    if (zv_exp) {
-        jwt_options->expiration = Z_LVAL_P(zv_exp);
-    }
-
-    zval *zv_nbf = zend_hash_str_find(Z_ARRVAL_P(claims), "nbf", 3);
-    if (zv_nbf) {
-        jwt_options->not_before = Z_LVAL_P(zv_nbf);
-    }
+    jwt_options->expiration = jwt_hash_str_find_long(claims, "exp");
+    jwt_options->not_before = jwt_hash_str_find_long(claims, "nbf");
+    jwt_options->iat = jwt_hash_str_find_long(claims, "iat");
 
     /* init */
     array_init(&header);

jwt.php

@@ -11,7 +11,6 @@
         "name" => "ZiHang Gao",
         "admin" => true
     ],
-    "iss" => "http://example.org",
     "sub" => "1234567890",
     "nbf" => time() + 10
 );
@@ -20,4 +19,4 @@
 $token = jwt_encode($claims, $key);
 
 echo $token . PHP_EOL;
-print_r(jwt_decode($token, $key, ['leeway' => 1, "iss" => "http://example.org"]));
+print_r(jwt_decode($token, $key, ['leeway' => 20, "iss" => "http://example.org"]));

php_jwt.h

@@ -59,7 +59,7 @@ typedef struct options {
   time_t expiration;
   time_t not_before;
   char *iss;
-  char *iat;
+  time_t iat;
   char *jti;
   char *aud;
   char *sub;