From 9941a96feba4d4e8d793816194bc4ba1004ee620 Mon Sep 17 00:00:00 2001 From: Martin Dzibela Date: Tue, 22 May 2018 14:13:20 +0200 Subject: [PATCH 1/2] Fix uncaught exception produced by unsigned token --- src/AuthorizationValidators/BearerTokenValidator.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/AuthorizationValidators/BearerTokenValidator.php b/src/AuthorizationValidators/BearerTokenValidator.php index 6f299ce4..2efa3c8e 100644 --- a/src/AuthorizationValidators/BearerTokenValidator.php +++ b/src/AuthorizationValidators/BearerTokenValidator.php @@ -65,8 +65,12 @@ class BearerTokenValidator implements AuthorizationValidatorInterface try { // Attempt to parse and validate the JWT $token = (new Parser())->parse($jwt); - if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) { - throw OAuthServerException::accessDenied('Access token could not be verified'); + try { + if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) { + throw OAuthServerException::accessDenied('Access token could not be verified'); + } + } catch (\BadMethodCallException $exception) { + throw OAuthServerException::accessDenied('Access token is not signed'); } // Ensure access token hasn't expired From 02609c37ccdfb781970e57a801ee0b280c2d1780 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Tue, 22 May 2018 18:10:19 +0100 Subject: [PATCH 2/2] Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b3f974a7..d657b746 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Fixed +- Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904) + ## [7.1.1] - released 2018-05-21 ### Fixed