Merge pull request #240 from kelvinmo/chore/jwt-check-missing-alg

Add check for missing alg header

Author: kelvinmo

src/SimpleJWT/JWT.php

@@ -134,6 +134,7 @@ public static function decode(string $token, KeySet $keys, string $expected_alg,
         }
 
         // Check signatures
+        if (!isset($headers['alg'])) throw new InvalidTokenException('alg parameter missing', InvalidTokenException::TOKEN_PARSE_ERROR);
         if ($headers['alg'] != $expected_alg) throw new InvalidTokenException('Unexpected algorithm', InvalidTokenException::SIGNATURE_VERIFICATION_ERROR);
         /** @var SignatureAlgorithm $signer */
         $signer = AlgorithmFactory::create($expected_alg);

tests/JWTTest.php

@@ -335,6 +335,16 @@ function testCrit() {
         $this->assertTrue($jwt->getClaim('iss'));
     }
 
+    function testMissingAlg() {
+        $this->expectException('SimpleJWT\InvalidTokenException');
+        $this->expectExceptionCode(InvalidTokenException::TOKEN_PARSE_ERROR);
+
+        $set = $this->getPublicKeySet();
+        $token = 'eyJ0eXAiOiAiSldUIn0.eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODB9.lLajjIbnhRpthOPhbJTaxoQ8JHYSAwSUl1Vxc4eQcIU';
+        $jwt = JWT::decode($token, $set, 'HS256');
+        $this->assertTrue($jwt->getClaim('iss'));
+    }
+
     function testInvalidToken() {
         $this->expectException('SimpleJWT\InvalidTokenException');