Merge pull request #256 from lsfiege/fix-not-refreshing-iat

Fix to refresh the IAT when a token is refreshed
PHP-Open-Source-Saver · Jul 3, 2024 · 0d354ac · 0d354ac
2 parents eaf0c57 + 9b0f260
commit 0d354ac
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ You can find and compare releases at the GitHub release page.
 
 ## [Unreleased]
 - SetSecret regenerates config with new secret in the Lcobucci provider
+- Refresh iat claim when refreshing a token
 
 ### Added
 - Support for lcobucci/jwt^5.0 (and dropped support for ^4.0)

diff --git a/src/Manager.php b/src/Manager.php
@@ -17,6 +17,7 @@
 use PHPOpenSourceSaver\JWTAuth\Exceptions\TokenBlacklistedException;
 use PHPOpenSourceSaver\JWTAuth\Support\CustomClaims;
 use PHPOpenSourceSaver\JWTAuth\Support\RefreshFlow;
+use PHPOpenSourceSaver\JWTAuth\Support\Utils;
 
 class Manager
 {
@@ -181,7 +182,7 @@ protected function buildRefreshClaims(Payload $payload)
             $persistentClaims,
             [
                 'sub' => $payload['sub'],
-                'iat' => $payload['iat'],
+                'iat' => Utils::now()->timestamp,
             ]
         );
     }

diff --git a/tests/ManagerTest.php b/tests/ManagerTest.php
@@ -12,6 +12,7 @@
 
 namespace PHPOpenSourceSaver\JWTAuth\Test;
 
+use Illuminate\Support\Carbon;
 use Mockery\LegacyMockInterface;
 use PHPOpenSourceSaver\JWTAuth\Blacklist;
 use PHPOpenSourceSaver\JWTAuth\Claims\Collection;
@@ -183,6 +184,42 @@ public function testItShouldRefreshAToken()
         $this->assertEquals('baz.bar.foo', $token);
     }
 
+    public function testBuildRefreshClaimsMethodWillRefreshTheIAT()
+    {
+        $claims = [
+            new Subject(1),
+            new Issuer('http://example.com'),
+            new Expiration($this->testNowTimestamp - 3600),
+            new NotBefore($this->testNowTimestamp),
+            new IssuedAt($this->testNowTimestamp),
+            new JwtId('foo'),
+        ];
+        $collection = Collection::make($claims);
+
+        $this->validator->shouldReceive('setRefreshFlow->check')->andReturn($collection);
+        $payload = new Payload($collection, $this->validator);
+
+        $managerClass = new \ReflectionClass(Manager::class);
+        $buildRefreshClaimsMethod = $managerClass->getMethod('buildRefreshClaims');
+        $buildRefreshClaimsMethod->setAccessible(true);
+        $managerInstance = new Manager($this->jwt, $this->blacklist, $this->factory);
+
+        $firstResult = $buildRefreshClaimsMethod->invokeArgs($managerInstance, [$payload]);
+        Carbon::setTestNow(Carbon::now()->addMinutes(2));
+        $secondResult = $buildRefreshClaimsMethod->invokeArgs($managerInstance, [$payload]);
+
+        $this->assertIsInt($firstResult['iat']);
+        $this->assertIsInt($secondResult['iat']);
+
+        $carbonTimestamp = Carbon::createFromTimestamp($firstResult['iat']);
+        $this->assertInstanceOf(Carbon::class, $carbonTimestamp);
+
+        $carbonTimestamp = Carbon::createFromTimestamp($secondResult['iat']);
+        $this->assertInstanceOf(Carbon::class, $carbonTimestamp);
+
+        $this->assertNotEquals($firstResult['iat'], $secondResult['iat']);
+    }
+
     /**
      * @throws InvalidClaimException
      */