
Add support for firebase/php-jwt at version 6

Open pixelfantasy opened this issue 1 year ago • 5 comments

As firebase/php-jwt has an active vulnerability with a CVSS score of 7.5 (high) for every version below 6, there should be the possibility to upgrade that package. I made it optional to give others the opportunity to adapt their code, if any dependencies are present.

Details of vulnerability can be found here: https://security.snyk.io/vuln/SNYK-PHP-FIREBASEPHPJWT-2434829

pixelfantasy, Aug 23 '22 09:08

Hello Christer,

I set back the content of the .gitignore to the former state.

Greetings, Klaus

pixelfantasy, Sep 01 '22 07:09

The build is still failing.

christeredvartsen, Sep 08 '22 06:09

Local run of composer validate --strict was successful. Pushed changes to main on forked repo.

pixelfantasy, Sep 19 '22 08:09

@pixelfantasy You also have to update unit tests, simply changing composer.json is not enough.

jawira, Sep 26 '22 11:09

Sorry guys,

but I did not manage to fix the unit tests. The new Firebase JWT now demands a kid (Key ID), which is used to locate the secret. The kid node must be part of the header information. The tests consist of many comparisons which involve pregenerated JWT tokens. I tried to refactor the tests by adjusting the arrays and regenerating the JWT tokens with the help of https://jwt.io, but could not get it running.

Honestly, I am not so deep into this topic, and maybe somebody else has to take over at this point.

Primarily involved files: tests/ArrayContainsComparator/Matcher/JWTTest.php, src/ArrayContainsComparator/Matcher/JWT.php, vendor/firebase/php-jwt/src/JWT.php (functions decode() and later on getKey(), which throws the exception)

Information about kid: https://stackoverflow.com/questions/37408684/is-it-still-possible-to-do-server-side-verification-of-tokens-in-firebase-3?noredirect=1#comment62518682_37408684

Resource for valid kid: https://www.googleapis.com/robot/v1/metadata/x509/[email protected]

My approach was something like this on the test array data:

[
    'jwt' => 'jwt_token_with_new_structure',
    'name' => 'my jwt',
    'kid' => '21e6c0c6b4e3095247c0680000e1b43182386d50',
    'payload' => [
        'sub' => '1234567890',
        'name' => 'John Doe',
        'admin' => true,
    ],
    // the secret is keyed by kid so decode() can look it up from the token header
    'secret' => [
        '21e6c0c6b4e3095247c0680000e1b43182386d50' => 'secret',
    ],
]

pixelfantasy, Sep 26 '22 17:09
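The kid lookup described in the comment above, as an added example (not code from the PR or from behat-api-extension): a fixture token is regenerated with php-jwt 6 so that decode() can select the secret by the kid in the header, and an old fixture without a kid is shown failing against the same keyed array. The kid and secret values are constructed, and the Composer autoloader path is assumed.

```php
<?php
// Added example, not part of the PR: regenerating a JWT test fixture with
// firebase/php-jwt 6, whose decode() looks the secret up by the "kid" header
// when it is handed a map of Key objects instead of a single Key.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Constructed fixture values; the kid is an arbitrary label, not a real key id.
$kid     = 'test-key-1';
$secret  = 'secret';
$payload = ['sub' => '1234567890', 'name' => 'John Doe', 'admin' => true];

// In v6 encode() requires the algorithm explicitly; the fourth argument
// writes "kid" into the JOSE header, which is what the new fixtures need.
$jwt = JWT::encode($payload, $secret, 'HS256', $kid);

// A single Key still works without any kid in the header ...
$decoded = JWT::decode($jwt, new Key($secret, 'HS256'));

// ... but a kid-keyed array (what the 'secret' entry in the test data models)
// requires the header kid to match one of the array keys; otherwise decode()
// throws UnexpectedValueException from getKey().
$keys    = [$kid => new Key($secret, 'HS256')];
$decoded = JWT::decode($jwt, $keys);

if ((array) $decoded !== $payload) {
    throw new RuntimeException('regenerated fixture did not round-trip');
}

// A token generated without a kid (like an old pregenerated fixture) is
// rejected by the same key map, which is the failure the tests were hitting.
$legacy = JWT::encode($payload, $secret, 'HS256');
try {
    JWT::decode($legacy, $keys);
    throw new RuntimeException('legacy fixture unexpectedly accepted');
} catch (UnexpectedValueException $e) {
    echo 'legacy fixture rejected: ', $e->getMessage(), PHP_EOL;
}
```

Regenerating each hardcoded token this way, with the same kid that keys the 'secret' array, is what lets the comparisons in JWTTest.php pass against the v6 decode() path.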

Hi, any updates there? Can the maintainers of the library fix the issue? I've also faced it in one project, where I need to upgrade firebase/php-jwt, but can't due to the issue :(

khiminrm, Nov 29 '22 13:11

@christeredvartsen is this problem only with hardcoded tokens in tests, as described in https://github.com/imbo/behat-api-extension/pull/121#issuecomment-1258358307 ? How can we fix it? Is it safe to just upgrade firebase/php-jwt to the latest version as a temporary fix on a project where we're using both libraries? Will behat-api-extension work in such a case without errors? Could you, please, help?

khiminrm, Dec 01 '22 13:12

Hi there, any news about this issue? Thank you

syl20b, Feb 20 '23 15:02

#125

christeredvartsen, Mar 13 '23 10:03