Add Firebase JWT v6 compatibility

Author: jakubboucek

README.md

@@ -20,12 +20,16 @@ Package is optimized for invoking in very early lifecycle phase of your App
 ## Requirements
 Package requires:
 
-- PHP version at least 7.4
+- PHP version 7.4, 8.0 or 8.1
 
 Enabler requires:
 
 - Temporary directory with writable access
 
+SignUrl plugin requires:
+
+- [Firebase JWT](https://github.com/firebase/php-jwt) v5 or v6
+
 ## Installation
 ```shell
 composer require redbitcz/debug-mode-enabler

composer.json

@@ -20,7 +20,7 @@
         "nette/utils": "^3.0"
     },
     "require-dev": {
-        "firebase/php-jwt": "^5.0",
+        "firebase/php-jwt": "^5.0||^6.0",
         "nette/tester": "2.4.2",
         "phpstan/phpstan": "1.8.2"
     },
@@ -38,7 +38,7 @@
         }
     },
     "scripts": {
-        "phpstan": "phpstan analyze src -c phpstan.neon --level 8",
+        "phpstan": "phpstan analyze -c phpstan.neon --level 5",
         "tester": "tester tests"
     }
 }

phpstan.neon

@@ -1,6 +1,16 @@
 parameters:
+    paths:
+        - src
+    excludePaths:
+        analyse:
+        - src/Plugin/JWT/*
+
     ignoreErrors:
         -
             message: '#Parameter \#3 \$options of function setcookie expects .+#'
             path: src/Enabler.php
             count: 2
+        -  '#.+ has unknown class (OpenSSLAsymmetricKey|OpenSSLCertificate) as its type.#' # PHP 7 compatibility
+        -  '#.+ has invalid type (OpenSSLAsymmetricKey|OpenSSLCertificate).#' # PHP 7 compatibility
+
+    reportUnmatchedIgnoredErrors: false

src/Plugin/JWT/JWTFirebaseV5.php

@@ -0,0 +1,51 @@
+<?php
+
+/**
+ * The MIT License (MIT)
+ * Copyright (c) 2022 Redbit s.r.o., Jakub Bouček
+ */
+
+declare(strict_types=1);
+
+namespace Redbitcz\DebugMode\Plugin\JWT;
+
+use Firebase\JWT\JWT;
+use ReflectionMethod;
+use stdClass;
+
+class JWTFirebaseV5 implements JWTImpl
+{
+    public static function isAvailable(): bool
+    {
+        if (class_exists(JWT::class) === false) {
+            return false;
+        }
+
+        $params = (new ReflectionMethod(JWT::class, 'decode'))->getParameters();
+
+        // JWT v5 has second parameter named `$key`
+        if ($params[1]->getName() === 'key') {
+            return true;
+        }
+
+        // JWT v5.5.0 already second parameter named `$keyOrKeyArray`, detect by third param (future compatibility)
+        return $params[1]->getName() === 'keyOrKeyArray'
+            && isset($params[2])
+            && $params[2]->getName() === 'allowed_algs';
+    }
+
+    public function decode(string $jwt, $key, string $alg): stdClass
+    {
+        return JWT::decode($jwt, $key, [$alg]);
+    }
+
+    public function encode(array $payload, $key, string $alg): string
+    {
+        return JWT::encode($payload, $key, $alg);
+    }
+
+    public function setTimestamp(?int $timestamp): void
+    {
+        JWT::$timestamp = $timestamp;
+    }
+}

src/Plugin/JWT/JWTFirebaseV6.php

@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * The MIT License (MIT)
+ * Copyright (c) 2022 Redbit s.r.o., Jakub Bouček
+ */
+
+declare(strict_types=1);
+
+namespace Redbitcz\DebugMode\Plugin\JWT;
+
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+use ReflectionMethod;
+use stdClass;
+
+class JWTFirebaseV6 extends JWTFirebaseV5
+{
+    public static function isAvailable(): bool
+    {
+        if (class_exists(JWT::class) === false) {
+            return false;
+        }
+
+        $params = (new ReflectionMethod(JWT::class, 'decode'))->getParameters();
+
+        // JWT v6 has always second parameter named `$keyOrKeyArray`
+        if ($params[1]->getName() !== 'keyOrKeyArray') {
+            return false;
+        }
+
+        // JWT v5.5.0 already second parameter named `$keyOrKeyArray`, detect by third param (future compatibility)
+        return isset($params[2]) === false || $params[2]->getName() !== 'allowed_algs';
+    }
+
+    public function decode(string $jwt, $key, string $alg): stdClass
+    {
+        return JWT::decode($jwt, new Key($key, $alg));
+    }
+
+
+}

src/Plugin/JWT/JWTImpl.php

@@ -0,0 +1,23 @@
+<?php
+
+/**
+ * The MIT License (MIT)
+ * Copyright (c) 2022 Redbit s.r.o., Jakub Bouček
+ */
+
+declare(strict_types=1);
+
+namespace Redbitcz\DebugMode\Plugin\JWT;
+
+use stdClass;
+
+interface JWTImpl
+{
+    public static function isAvailable(): bool;
+
+    public function decode(string $jwt, $key, string $alg): stdClass;
+
+    public function encode(array $payload, $key, string $alg): string;
+
+    public function setTimestamp(?int $timestamp): void;
+}

src/Plugin/SignedUrl.php

@@ -1,18 +1,26 @@
 <?php
+
 /**
  * The MIT License (MIT)
  * Copyright (c) 2022 Redbit s.r.o., Jakub Bouček
+ *
+ * @noinspection PhpComposerExtensionStubsInspection OpenSSL only optional dependency
+ * @noinspection PhpElementIsNotAvailableInCurrentPhpVersionInspection PHP 7 compatibility
  */
 
 declare(strict_types=1);
 
 namespace Redbitcz\DebugMode\Plugin;
 
 use DateTimeInterface;
-use Firebase\JWT\JWT;
 use LogicException;
 use Nette\Utils\DateTime;
+use OpenSSLAsymmetricKey;
+use OpenSSLCertificate;
 use Redbitcz\DebugMode\Detector;
+use Redbitcz\DebugMode\Plugin\JWT\JWTFirebaseV5;
+use Redbitcz\DebugMode\Plugin\JWT\JWTFirebaseV6;
+use Redbitcz\DebugMode\Plugin\JWT\JWTImpl;
 use RuntimeException;
 
 /**
@@ -37,21 +45,32 @@ class SignedUrl implements Plugin
     private const URL_QUERY_TOKEN_KEY = '_debug';
     private const ISSUER_ID = 'cz.redbit.debug.url';
 
-    /** @var resource|string */
+    /** @var resource|string|OpenSSLAsymmetricKey|OpenSSLCertificate */
     private $key;
     private string $algorithm;
     private ?string $audience;
     private ?int $timestamp;
 
+    private JWTImpl $jwt;
+
     /**
-     * @param string|resource $key The key.
+     * @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate $key The key.
      * @param string $algorithm Supported algorithms are 'ES384','ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
      * @param string|null $audience Recipient for which the JWT is intended
+     * @noinspection PhpRedundantVariableDocTypeInspection
      */
     public function __construct($key, string $algorithm = 'HS256', ?string $audience = null)
     {
-        if (class_exists(JWT::class) === false) {
-            throw new LogicException(__CLASS__ . ' requires JWT library: firebase/php-jwt');
+        /** @var class-string<JWTImpl> $impl */
+        foreach ([JWTFirebaseV5::class, JWTFirebaseV6::class] as $impl) {
+            if ($impl::isAvailable()) {
+                $this->jwt = new $impl;
+                break;
+            }
+        }
+
+        if (isset($this->jwt) === false) {
+            throw new LogicException(__CLASS__ . ' requires JWT library: firebase/php-jwt version ~5.0 or ~6.0');
         }
 
         $this->key = $key;
@@ -115,7 +134,7 @@ public function getToken(
             'val' => $value,
         ];
 
-        return JWT::encode($payload, $this->key, $this->algorithm);
+        return $this->jwt->encode($payload, $this->key, $this->algorithm);
     }
 
     public function __invoke(Detector $detector): ?bool
@@ -153,7 +172,7 @@ public function verifyRequest(bool $allowRedirect = false, ?string $url = null,
         $url = $url ?? $this->urlFromGlobal();
         $method = $method ?? $_SERVER['REQUEST_METHOD'];
 
-        [$allowedMethods, $mode, $value, $expires] = $this->verifyUrl($url);
+        [$allowedMethods, $mode, $value, $expires] = $this->verifyUrl($url, $allowRedirect);
 
         if (in_array(strtolower($method), $allowedMethods, true) === false) {
             throw new SignedUrlVerificationException('HTTP method doesn\'t match signed HTTP method');
@@ -227,7 +246,7 @@ public function verifyToken(string $token): array
     {
         try {
             /** @var ClaimsSet $payload */
-            $payload = JWT::decode($token, $this->key, [$this->algorithm]);
+            $payload = $this->jwt->decode($token, $this->key, $this->algorithm);
         } catch (RuntimeException $e) {
             throw new SignedUrlVerificationException('JWT Token invalid', 0, $e);
         }
@@ -324,6 +343,11 @@ public function setTimestamp(?int $timestamp): void
         $this->timestamp = $timestamp;
     }
 
+    public function getJwt(): JWTImpl
+    {
+        return $this->jwt;
+    }
+
     protected function sendRedirectResponse(string $canonicalUrl): void
     {
         header('Cache-Control: s-maxage=0, max-age=0, must-revalidate', true, 302);