Make a 2.x release series compatible with 6.x releases for JWT library

Created on 2 February 2023, almost 2 years ago
Updated 20 March 2023, almost 2 years ago

Problem/Motivation

The JWT library has api changes as of the 6.x release series.
https://github.com/firebase/php-jwt/releases/tag/v6.0.0

Older versions may be flagged as insecure, even though this module's use of the library is secure.

Proposed resolution

Create a 2.x branch that requires a recent 6.x JWT version

Remaining tasks

Make api changes, update tests

User interface changes

n/a

API changes

Minor based on JWT library changes

Data model changes

n/a

๐Ÿ“Œ Task
Status

Fixed

Version

1.0

Component

Code

Created by

๐Ÿ‡บ๐Ÿ‡ธUnited States pwolanin

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Issue created by @pwolanin
  • ๐Ÿ‡ฎ๐Ÿ‡ณIndia Holka_a

    Can we try this patch.

  • Status changed to RTBC almost 2 years ago
  • ๐Ÿ‡ฎ๐Ÿ‡ณIndia kuhikar

    Reviewed and Tested. php_jwt_v6.patch patch is working as expected.

  • Status changed to Needs review almost 2 years ago
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom alexpott ๐Ÿ‡ช๐Ÿ‡บ๐ŸŒ

    We need to update the minimum version to 5.5 (note that this is still considered insecure) and make some changes to fix the BC breaking changes in 6.0.

  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom alexpott ๐Ÿ‡ช๐Ÿ‡บ๐ŸŒ

    I think we might need a new 2.x release for this one...

  • ๐Ÿ‡ท๐Ÿ‡บRussia a.kovrigin Penza

    a.kovrigin โ†’ made their first commit to this issueโ€™s fork.

  • @akovrigin opened merge request.
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom alexpott ๐Ÿ‡ช๐Ÿ‡บ๐ŸŒ

    @a.kovrigin how come you made a merge request? What's wrong with the patch in #7? Reviewing that patch would be more valuable.

  • ๐Ÿ‡บ๐Ÿ‡ฆUkraine andriy khomych

    It seems that MR is a good way to include this in the composer https://getcomposer.org/doc/05-repositories.md#vcs
    Otherwise, if you have firebase 6 deps in another package it isn't possible to include drupal/jwt.
    Is it possible to have this patch/MR RTBC?

  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom alexpott ๐Ÿ‡ช๐Ÿ‡บ๐ŸŒ

    @Andriy Khomych - that's not a good way to do that. If you use the branch for the MR then anyone can get access and inject code into your site by uploading code here. Only real way of doing something like that is fork the module to some other code hosting service where only you have commit access and use that.

  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom alexpott ๐Ÿ‡ช๐Ÿ‡บ๐ŸŒ

    @Andriy Khomych with respect to RTBC - maybe that's something you can do after testing the new version with upgraded dependencies on your site.

  • ๐Ÿ‡บ๐Ÿ‡ฆUkraine andriy khomych

    @Alex Pott , thank you for suggestions.
    Well, making own Drupal fork is better, but we can use another fork by relying on the specific commit hash - which I think should be fine and safe (I don't think it is easy to bypass/hack git commit hash with another code) and it seems a common practice to do so.

    Totally agree with you, I'll perform testing of the MR. So far it looks good to me.

  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom alexpott ๐Ÿ‡ช๐Ÿ‡บ๐ŸŒ

    @Andriy Khomych nice idea relying on the commit hash - that would be more secure.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States pwolanin

    I'm happy this only requires a smallish patch.

    For \Drupal\users_jwt\UsersJwtKeyRepository::offsetGet(). I think I added the attribute #[\ReturnTypeWillChange] with this transition in mind. Given we are making a new major version, that should be removed since this is the change. Also from the interface.

    A really complete update might be to make class \Drupal\users_jwt\UsersKey extend \Firebase\JWT\Keybut that seems more complicated and would require updating any stored keys.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States pwolanin

    Why is there a cast to array in this change in the prior patches?

    -    $encoded = $this->transcoder->encode($jwt->getPayload(), $key, $this->algorithm);
    +    $encoded = $this->transcoder->encode((array) $jwt->getPayload(), $key, $this->algorithm);
    

    both array and object should work, and stdClass object is actually better since it it's empty it encodes to a JSON object as {} vs an empty array that encodes to [].

    I've reverted that change in this patch.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States pwolanin

    Ah, I see:

    TypeError: Argument 1 passed to Firebase\JWT\JWT::encode() must be of the type array, object given, called in /var/www/html/modules/contrib/jwt/src/Transcoder/JwtTranscoder.php on line 201

    I didn't realize that additional API change. Pus back the array cast.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States pwolanin

    Looking at the test coverage, especially for users_jwt

    I think it's reasonably complete, though it would be good to add there a few more checks that 200 response codes indicating authentication also have the expected page content (in \Drupal\Tests\users_jwt\Functional\FormsTest::testForms()). Also, would be nice to try switching around the algorithm from RSA to HMAC just to verify it fails.

    Still, I think this is gtg to make a 2.x if someone would like to verify that they have tested it in a real-world situation and mark it RTBC.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States pwolanin

    Also... looking at ๐Ÿ“Œ Drupal 10 roadmap/hitlist (make 2.0 release) Fixed

    There are a couple more deprecation fixes there that should be done before a 2.0 release (everything but ed25519 signatures) so that we minimize any other api/class changes.

  • Status changed to Fixed almost 2 years ago
  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024