How get Claims after encode token #203

Closed
lpj145 opened this issue Oct 13, 2017 · 6 comments · Fixed by #616

lpj145 commented Oct 13, 2017

I'm trying to get claims in middleware.
Using version 4.0@dev.
But the parse function returns Plain; is this an error?

lcobucci (Owner) commented

@lpj145 that's a forward compatibility layer. As stated in #6 we plan to support encrypted tokens (which will implement that interface).

Since parse() deals with untrusted data, users are supposed to verify that they have the expected type of token, like:

```php
$token = $this->parser->parse($jwt);

if (! $token instanceof Plain) {
    // You should have your own exception for that, sure =)
    throw new \RuntimeException('The provided token is not valid');
}
```

lcobucci (Owner) commented

btw don't forget to validate the token properly using the validator 😉

lcobucci self-assigned this Oct 13, 2017

lpj145 (Author) commented Oct 13, 2017

yep, I'm using:

```php
/**
 * @param Plain $token
 * @return bool
 */
private function tokenIsValid(Plain $token)
{
    if ($token->isExpired((new SystemClock())->now())) {
        return false;
    }

    try {
        $this->validator->assert($token, new SignedWith($this->signer, $this->key));
    } catch (ConstraintViolationException $exception) {
        return false;
    }

    return true;
}
```

lcobucci (Owner) commented Oct 13, 2017

@lpj145 if you're not using the exception, I'd suggest using this instead (I really need to work on the documentation 😭 ):

```php
return $this->validator->validate(
    $token,
    new ValidAt(new SystemClock()),
    new SignedWith($this->signer, $this->key)
);
```

The benefits of that approach are: the validator stops processing at the first error, and the constraints are processed in the order you passed them to the method - so you can leave the "expensive" operations to the end of your validation chain.

I'd also suggest having the list of constraints injected, which makes it easier for you (we're planning to add it to the Configuration object):

```php
return $this->validator->validate($token, ...$this->constraints);
```

lcobucci (Owner) commented

@lpj145 let me know if your question has been answered and we can close this issue 👍

lpj145 (Author) commented Oct 13, 2017

I think this is a good solution, but it needs tests. I'll answer you in an hour.

```php
public function process(ServerRequestInterface $request, DelegateInterface $delegate)
{
    if (
        ($this->middlewareConfig['secure'] && $request->getUri()->getScheme() !== 'https')
        || !$request->hasHeader('Authorization')
    ) {
        return new Unauthorized();
    }

    $jwt = $this->getTokenWithoutBearer($request->getHeaderLine('Authorization'));

    /** @var Plain $token */
    $token = $this->parser->parse($jwt);
    if (
        !$token instanceof Plain
        || !$this->tokenIsValid($token)
    ) {
        return new Unauthorized();
    }

    return $delegate->process($request);
}
```
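Putting the two pieces of advice from this thread together (the `instanceof Plain` check on parser output, and `validate()` with an injected, cheapest-first constraint list) in one middleware, as an added example that is not code from the issue or from the lcobucci/jwt project. It assumes the 4.0@dev API names used in the thread (`Parser`, `Validator`, `Constraint`, `Plain`, `ValidAt`, `SignedWith`), the `Unauthorized` response class from the poster's snippet, and that the parser's structure errors extend `\InvalidArgumentException`.

```php
<?php
use Interop\Http\ServerMiddleware\DelegateInterface;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\Validation\Constraint;
use Lcobucci\JWT\Validator;
use Psr\Http\Message\ServerRequestInterface;

// Wiring (assumed), with the cheap clock check before the expensive signature check:
//   new JwtAuthMiddleware($parser, $validator,
//       new ValidAt(new SystemClock()), new SignedWith($signer, $key));
final class JwtAuthMiddleware
{
    private $parser;
    private $validator;
    /** @var Constraint[] evaluated in this order; validate() stops at the first failure */
    private $constraints;

    public function __construct(Parser $parser, Validator $validator, Constraint ...$constraints)
    {
        $this->parser = $parser;
        $this->validator = $validator;
        $this->constraints = $constraints;
    }

    public function process(ServerRequestInterface $request, DelegateInterface $delegate)
    {
        $token = $this->authenticate($request->getHeaderLine('Authorization'));
        if ($token === null) {
            return new Unauthorized(); // 401 response class from the thread (assumed to exist)
        }
        // Hand the verified token downstream instead of re-parsing it in every handler.
        return $delegate->process($request->withAttribute('jwt', $token));
    }

    /** Returns the verified token, or null for every kind of failure (no hint about which). */
    public function authenticate(string $authorization): ?Plain
    {
        // Accept only a single "Bearer <token>" credential; reject anything else before parsing.
        if (preg_match('/^Bearer\s+(\S+)$/i', $authorization, $m) !== 1) {
            return null;
        }
        try {
            $token = $this->parser->parse($m[1]); // untrusted input: may throw or return a non-Plain token
        } catch (\InvalidArgumentException $e) {   // assumption: the parser's structure errors extend this
            return null;
        }
        if (! $token instanceof Plain) {
            return null;
        }
        return $this->validator->validate($token, ...$this->constraints) ? $token : null;
    }
}
```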
