Support psr/clock

Author: tscni

composer.json

@@ -59,11 +59,13 @@
         "ext-sodium": "*",
         "brick/math": "^0.9|^0.10|^0.11",
         "paragonie/constant_time_encoding": "^2.4",
+        "psr/clock": "^1.0",
         "psr/event-dispatcher": "^1.0",
         "psr/http-client": "^1.0",
         "psr/http-factory": "^1.0",
         "spomky-labs/aes-key-wrap": "^7.0",
         "spomky-labs/pki-framework": "^1.0",
+        "symfony/clock": "^6.2",
         "symfony/config": "^5.4|^6.0",
         "symfony/console": "^5.4|^6.0",
         "symfony/dependency-injection": "^5.4|^6.0",

src/Component/Checker/ExpirationTimeChecker.php

@@ -4,6 +4,8 @@
 
 namespace Jose\Component\Checker;
 
+use Psr\Clock\ClockInterface;
+use Symfony\Component\Clock\NativeClock;
 use function is_float;
 use function is_int;
 
@@ -16,7 +18,8 @@ final class ExpirationTimeChecker implements ClaimChecker, HeaderChecker
 
     public function __construct(
         private readonly int $allowedTimeDrift = 0,
-        private readonly bool $protectedHeaderOnly = false
+        private readonly bool $protectedHeaderOnly = false,
+        private readonly ClockInterface $clock = new NativeClock(),
     ) {
     }
 
@@ -28,7 +31,9 @@ public function checkClaim(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidClaimException('"exp" must be an integer.', self::NAME, $value);
         }
-        if (time() > $value + $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()->getTimestamp();
+        if ($now > $value + $this->allowedTimeDrift) {
             throw new InvalidClaimException('The token expired.', self::NAME, $value);
         }
     }
@@ -43,7 +48,9 @@ public function checkHeader(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidHeaderException('"exp" must be an integer.', self::NAME, $value);
         }
-        if (time() > $value + $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()->getTimestamp();
+        if ($now > $value + $this->allowedTimeDrift) {
             throw new InvalidHeaderException('The token expired.', self::NAME, $value);
         }
     }

src/Component/Checker/IssuedAtChecker.php

@@ -4,6 +4,8 @@
 
 namespace Jose\Component\Checker;
 
+use Psr\Clock\ClockInterface;
+use Symfony\Component\Clock\NativeClock;
 use function is_float;
 use function is_int;
 
@@ -16,7 +18,8 @@ final class IssuedAtChecker implements ClaimChecker, HeaderChecker
 
     public function __construct(
         private readonly int $allowedTimeDrift = 0,
-        private readonly bool $protectedHeaderOnly = false
+        private readonly bool $protectedHeaderOnly = false,
+        private readonly ClockInterface $clock = new NativeClock(),
     ) {
     }
 
@@ -28,7 +31,9 @@ public function checkClaim(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidClaimException('"iat" must be an integer.', self::NAME, $value);
         }
-        if (time() < $value - $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()->getTimestamp();
+        if ($now < $value - $this->allowedTimeDrift) {
             throw new InvalidClaimException('The JWT is issued in the future.', self::NAME, $value);
         }
     }
@@ -43,7 +48,9 @@ public function checkHeader(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidHeaderException('The header "iat" must be an integer.', self::NAME, $value);
         }
-        if (time() < $value - $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()->getTimestamp();
+        if ($now < $value - $this->allowedTimeDrift) {
             throw new InvalidHeaderException('The JWT is issued in the future.', self::NAME, $value);
         }
     }

src/Component/Checker/NotBeforeChecker.php

@@ -4,6 +4,8 @@
 
 namespace Jose\Component\Checker;
 
+use Psr\Clock\ClockInterface;
+use Symfony\Component\Clock\NativeClock;
 use function is_float;
 use function is_int;
 
@@ -16,7 +18,8 @@ final class NotBeforeChecker implements ClaimChecker, HeaderChecker
 
     public function __construct(
         private readonly int $allowedTimeDrift = 0,
-        private readonly bool $protectedHeaderOnly = false
+        private readonly bool $protectedHeaderOnly = false,
+        private readonly ClockInterface $clock = new NativeClock(),
     ) {
     }
 
@@ -28,7 +31,9 @@ public function checkClaim(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidClaimException('"nbf" must be an integer.', self::NAME, $value);
         }
-        if (time() < $value - $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()->getTimestamp();
+        if ($now < $value - $this->allowedTimeDrift) {
             throw new InvalidClaimException('The JWT can not be used yet.', self::NAME, $value);
         }
     }
@@ -43,7 +48,9 @@ public function checkHeader(mixed $value): void
         if (! is_float($value) && ! is_int($value)) {
             throw new InvalidHeaderException('"nbf" must be an integer.', self::NAME, $value);
         }
-        if (time() < $value - $this->allowedTimeDrift) {
+
+        $now = $this->clock->now()->getTimestamp();
+        if ($now < $value - $this->allowedTimeDrift) {
             throw new InvalidHeaderException('The JWT can not be used yet.', self::NAME, $value);
         }
     }

src/Component/Checker/composer.json

@@ -39,6 +39,8 @@
     },
     "require": {
         "php": ">=8.1",
+        "psr/clock": "^1.0",
+        "symfony/clock": "^6.2",
         "web-token/jwt-core": "^3.0"
     }
 }

tests/Component/Checker/ClaimCheckerManagerFactoryTest.php

@@ -12,6 +12,8 @@
 use Jose\Component\Checker\MissingMandatoryClaimException;
 use Jose\Component\Checker\NotBeforeChecker;
 use PHPUnit\Framework\TestCase;
+use Psr\Clock\ClockInterface;
+use Symfony\Component\Clock\MockClock;
 
 /**
  * @internal
@@ -55,15 +57,17 @@ public function iCanCreateAClaimCheckerManager(): void
      */
     public function iCanCheckValidPayloadClaims(): void
     {
+        $clock = new MockClock();
+        $now = $clock->now()->getTimestamp();
         $payload = [
-            'exp' => time() + 3600,
-            'iat' => time() - 1000,
-            'nbf' => time() - 100,
+            'exp' => $now + 3600,
+            'iat' => $now - 1000,
+            'nbf' => $now - 100,
             'foo' => 'bar',
         ];
         $expected = $payload;
         unset($expected['foo']);
-        $manager = $this->getClaimCheckerManagerFactory()
+        $manager = $this->getClaimCheckerManagerFactory($clock)
             ->create(['exp', 'iat', 'nbf', 'aud']);
         $result = $manager->check($payload);
         static::assertSame($expected, $result);
@@ -77,26 +81,28 @@ public function theMandatoryClaimsAreNotSet(): void
         $this->expectException(MissingMandatoryClaimException::class);
         $this->expectExceptionMessage('The following claims are mandatory: bar.');
 
+        $clock = new MockClock();
+        $now = $clock->now()->getTimestamp();
         $payload = [
-            'exp' => time() + 3600,
-            'iat' => time() - 1000,
-            'nbf' => time() - 100,
+            'exp' => $now + 3600,
+            'iat' => $now - 1000,
+            'nbf' => $now - 100,
             'foo' => 'bar',
         ];
         $expected = $payload;
         unset($expected['foo']);
-        $manager = $this->getClaimCheckerManagerFactory()
+        $manager = $this->getClaimCheckerManagerFactory($clock)
             ->create(['exp', 'iat', 'nbf', 'aud']);
         $manager->check($payload, ['exp', 'foo', 'bar']);
     }
 
-    private function getClaimCheckerManagerFactory(): ClaimCheckerManagerFactory
+    private function getClaimCheckerManagerFactory(ClockInterface $clock = new MockClock()): ClaimCheckerManagerFactory
     {
         if ($this->claimCheckerManagerFactory === null) {
             $this->claimCheckerManagerFactory = new ClaimCheckerManagerFactory();
-            $this->claimCheckerManagerFactory->add('exp', new ExpirationTimeChecker());
-            $this->claimCheckerManagerFactory->add('iat', new IssuedAtChecker());
-            $this->claimCheckerManagerFactory->add('nbf', new NotBeforeChecker());
+            $this->claimCheckerManagerFactory->add('exp', new ExpirationTimeChecker(clock: $clock));
+            $this->claimCheckerManagerFactory->add('iat', new IssuedAtChecker(clock: $clock));
+            $this->claimCheckerManagerFactory->add('nbf', new NotBeforeChecker(clock: $clock));
             $this->claimCheckerManagerFactory->add('aud', new AudienceChecker('My Service'));
         }
 

tests/Component/Checker/ExpirationTimeClaimCheckerTest.php

@@ -7,6 +7,7 @@
 use Jose\Component\Checker\ExpirationTimeChecker;
 use Jose\Component\Checker\InvalidClaimException;
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\Clock\MockClock;
 
 /**
  * @internal
@@ -33,17 +34,19 @@ public function theExpirationTimeIsInThePast(): void
         $this->expectException(InvalidClaimException::class);
         $this->expectExceptionMessage('The token expired.');
 
-        $checker = new ExpirationTimeChecker();
-        $checker->checkClaim(time() - 1);
+        $clock = new MockClock();
+        $checker = new ExpirationTimeChecker(clock: $clock);
+        $checker->checkClaim($clock->now()->getTimestamp() - 1);
     }
 
     /**
      * @test
      */
     public function theExpirationTimeIsInTheFutur(): void
     {
-        $checker = new ExpirationTimeChecker();
-        $checker->checkClaim(time() + 3600);
+        $clock = new MockClock();
+        $checker = new ExpirationTimeChecker(clock: $clock);
+        $checker->checkClaim($clock->now()->getTimestamp() + 3600);
         static::assertSame('exp', $checker->supportedClaim());
     }
 }

tests/Component/Checker/IssuedAtClaimCheckerTest.php

@@ -7,6 +7,7 @@
 use Jose\Component\Checker\InvalidClaimException;
 use Jose\Component\Checker\IssuedAtChecker;
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\Clock\MockClock;
 
 /**
  * @internal
@@ -33,17 +34,19 @@ public function theIssuedAtClaimIsInTheFutur(): void
         $this->expectException(InvalidClaimException::class);
         $this->expectExceptionMessage('The JWT is issued in the future.');
 
-        $checker = new IssuedAtChecker();
-        $checker->checkClaim(time() + 3600);
+        $clock = new MockClock();
+        $checker = new IssuedAtChecker(clock: $clock);
+        $checker->checkClaim($clock->now()->getTimestamp() + 3600);
     }
 
     /**
      * @test
      */
     public function theIssuedAtClaimIsInThePast(): void
     {
-        $checker = new IssuedAtChecker();
-        $checker->checkClaim(time() - 3600);
+        $clock = new MockClock();
+        $checker = new IssuedAtChecker(clock: $clock);
+        $checker->checkClaim($clock->now()->getTimestamp() - 3600);
         static::assertSame('iat', $checker->supportedClaim());
     }
 }

tests/Component/Checker/NotBeforeClaimCheckerTest.php

@@ -7,6 +7,7 @@
 use Jose\Component\Checker\InvalidClaimException;
 use Jose\Component\Checker\NotBeforeChecker;
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\Clock\MockClock;
 
 /**
  * @internal
@@ -33,17 +34,19 @@ public function theNotBeforeClaimIsInTheFutur(): void
         $this->expectException(InvalidClaimException::class);
         $this->expectExceptionMessage('The JWT can not be used yet.');
 
-        $checker = new NotBeforeChecker();
-        $checker->checkClaim(time() + 3600);
+        $clock = new MockClock();
+        $checker = new NotBeforeChecker(clock: $clock);
+        $checker->checkClaim($clock->now()->getTimestamp() + 3600);
     }
 
     /**
      * @test
      */
     public function theNotBeforeClaimIsInThePast(): void
     {
-        $checker = new NotBeforeChecker();
-        $checker->checkClaim(time() - 3600);
+        $clock = new MockClock();
+        $checker = new NotBeforeChecker(clock: $clock);
+        $checker->checkClaim($clock->now()->getTimestamp() - 3600);
         static::assertSame('nbf', $checker->supportedClaim());
     }
 }