Merge pull request #562 from b-water/audienceSingleElementArray

Fix validation of the audience claim on the new API

src/Token.php

@@ -308,7 +308,7 @@ public function isExpired(DateTimeInterface $now = null)
      */
     public function isPermittedFor($audience)
     {
-        return $this->claims->get(RegisteredClaims::AUDIENCE) === $audience;
+        return in_array($audience, $this->claims->get(RegisteredClaims::AUDIENCE, []), true);
     }
 
     /**

test/functional/CompatibilityLayerTest.php

@@ -3,6 +3,7 @@
 namespace Lcobucci\JWT\FunctionalTests;
 
 use DateTimeImmutable;
+use Lcobucci\Clock\FrozenClock;
 use Lcobucci\JWT\CheckForDeprecations;
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Keys;
@@ -12,7 +13,12 @@
 use Lcobucci\JWT\Token\DataSet;
 use Lcobucci\JWT\Token\Plain;
 use Lcobucci\JWT\Token\Signature;
+use Lcobucci\JWT\Validation\Constraint\IdentifiedBy;
+use Lcobucci\JWT\Validation\Constraint\IssuedBy;
+use Lcobucci\JWT\Validation\Constraint\PermittedFor;
+use Lcobucci\JWT\Validation\Constraint\RelatedTo;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
+use Lcobucci\JWT\Validation\Constraint\ValidAt;
 use PHPUnit\Framework\TestCase;
 
 use function base64_encode;
@@ -39,7 +45,12 @@
  * @covers \Lcobucci\JWT\Token
  * @covers \Lcobucci\JWT\Token\DataSet
  * @covers \Lcobucci\JWT\Validation\Validator
+ * @covers \Lcobucci\JWT\Validation\Constraint\IssuedBy
+ * @covers \Lcobucci\JWT\Validation\Constraint\IdentifiedBy
+ * @covers \Lcobucci\JWT\Validation\Constraint\PermittedFor
+ * @covers \Lcobucci\JWT\Validation\Constraint\RelatedTo
  * @covers \Lcobucci\JWT\Validation\Constraint\SignedWith
+ * @covers \Lcobucci\JWT\Validation\Constraint\ValidAt
  */
 final class CompatibilityLayerTest extends TestCase
 {
@@ -91,6 +102,36 @@ public function registeredDateClaimsShouldBeConvertedToDateObjects()
         self::assertEquals($expectedNow->modify('+1 hour'), $token2->claims()->get('exp'));
     }
 
+    /** @test */
+    public function tokenCanBeValidated()
+    {
+        $now = new DateTimeImmutable();
+
+        $config = Configuration::forSymmetricSigner(new HmacSha256(), Key\InMemory::plainText('testing'));
+        $config->setValidationConstraints(
+            new IdentifiedBy('123'),
+            new IssuedBy('one', 'two', 'three'),
+            new PermittedFor('me'),
+            new RelatedTo('user123'),
+            new ValidAt(new FrozenClock($now->modify('+10 minutes'))),
+            new SignedWith($config->signer(), $config->verificationKey())
+        );
+
+        $token = $config->builder()
+            ->issuedAt($now)
+            ->issuedBy('two')
+            ->permittedFor('me')
+            ->identifiedBy('123')
+            ->relatedTo('user123')
+            ->canOnlyBeUsedAfter($now->modify('+5 minutes'))
+            ->expiresAt($now->modify('+1 hour'))
+            ->getToken($config->signer(), $config->signingKey());
+
+        $config->validator()->assert($token, ...$config->validationConstraints());
+
+        $this->addToAssertionCount(1);
+    }
+
     /**
      * @test
      *

test/unit/TokenTest.php

@@ -536,7 +536,7 @@ public function isPermittedForShouldReturnFalseWhenAudienceDoesNotMatch()
     {
         $token = new Token(
             [],
-            [RegisteredClaims::AUDIENCE => 'test']
+            [RegisteredClaims::AUDIENCE => ['test']]
         );
 
         self::assertFalse($token->isPermittedFor('testing'));
@@ -554,7 +554,7 @@ public function isPermittedForShouldReturnFalseWhenAudienceTypeDoesNotMatch()
     {
         $token = new Token(
             [],
-            [RegisteredClaims::AUDIENCE => 10]
+            [RegisteredClaims::AUDIENCE => [10]]
         );
 
         self::assertFalse($token->isPermittedFor('10'));
@@ -572,7 +572,7 @@ public function isPermittedForShouldReturnTrueWhenAudienceMatches()
     {
         $token = new Token(
             [],
-            [RegisteredClaims::AUDIENCE => 'testing']
+            [RegisteredClaims::AUDIENCE => ['testing']]
         );
 
         self::assertTrue($token->isPermittedFor('testing'));

test/unit/Validation/Constraint/PermittedForTest.php

@@ -42,7 +42,7 @@ public function assertShouldRaiseExceptionWhenAudienceValueDoesNotMatch()
         $this->expectExceptionMessage('The token is not allowed to be used by this audience');
 
         $constraint = new PermittedFor('test.com');
-        $constraint->assert($this->buildToken([RegisteredClaims::AUDIENCE => 'aa.com']));
+        $constraint->assert($this->buildToken([RegisteredClaims::AUDIENCE => ['aa.com']]));
     }
 
     /**
@@ -57,7 +57,7 @@ public function assertShouldRaiseExceptionWhenAudienceTypeDoesNotMatch()
         $this->expectExceptionMessage('The token is not allowed to be used by this audience');
 
         $constraint = new PermittedFor('123');
-        $constraint->assert($this->buildToken([RegisteredClaims::AUDIENCE => 123]));
+        $constraint->assert($this->buildToken([RegisteredClaims::AUDIENCE => [123]]));
     }
 
     /**
@@ -68,7 +68,7 @@ public function assertShouldRaiseExceptionWhenAudienceTypeDoesNotMatch()
      */
     public function assertShouldNotRaiseExceptionWhenAudienceMatches()
     {
-        $token      = $this->buildToken([RegisteredClaims::AUDIENCE => 'test.com']);
+        $token      = $this->buildToken([RegisteredClaims::AUDIENCE => ['test.com']]);
         $constraint = new PermittedFor('test.com');
 
         $constraint->assert($token);