From 5ae53cfc14377ed6dc5ff6647a4c021c64fb6a6b Mon Sep 17 00:00:00 2001
From: Kumi
Date: Tue, 25 Jun 2024 19:33:02 +0200
Subject: [PATCH] fix: update JWT decode method to use Key object

Modified the JWT::decode method to use the Key object for decoding JWTs. This enhances security by explicitly specifying the algorithm used (HS256) and aligns with recent updates in the Firebase JWT library.
---
 classes/core_jwt_manager.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/classes/core_jwt_manager.php b/classes/core_jwt_manager.php
index eb6a114..0fd08ea 100644
--- a/classes/core_jwt_manager.php
+++ b/classes/core_jwt_manager.php
@@ -19,6 +19,7 @@ namespace auth_jwt;
 require_once(__DIR__ . '/../vendor/autoload.php');
 use \Firebase\JWT\JWT;
+use \Firebase\JWT\Key;
 /**
 * Key manager class.
@@ -96,7 +97,7 @@ class core_jwt_manager
 $secret = $this->config->jwtsecret;
 try {
- $decoded = JWT::decode($keyvalue, $secret);
+ $decoded = JWT::decode($keyvalue, new Key($secret, 'HS256'));
 } catch (\Exception $e) {
 throw new \moodle_exception('invalidkey');
 }
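Review bot: `new Key($secret, 'HS256')` sits inside the `try`, so an unset or empty `jwtsecret` is reported the same way as a bad token: as far as I know php-jwt's `Key` constructor throws `InvalidArgumentException` on empty key material, which `catch (\Exception $e)` turns into `invalidkey`, and a non-string secret raises a `TypeError` that this catch does not cover. I would check the secret before the `try`, e.g. `if (!is_string($secret) || $secret === '') { debugging('auth_jwt: jwtsecret is not configured', DEBUG_DEVELOPER); throw new \moodle_exception('invalidkey'); }`, so a misconfigured site still fails closed but is distinguishable in the logs. A short comment above the decode call, `// Algorithm is pinned to HS256; it must match the algorithm the token issuer signs with.`, would also record why the literal is there. The enclosing method starts and ends outside the hunk, so the signing side and any later claim checks are not visible here.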