
fix: JWT config setters #385

Merged: binaryfire merged 9 commits into 0.4 from fix/jwt-config-setters on May 12, 2026

Conversation

@binaryfire
Collaborator

This PR fixes the JWT provider setters so changes to the configured algorithm, secret, or asymmetric keys actually take effect when using the Lcobucci provider.

Lcobucci builds and caches its signer and Configuration object during construction. The inherited setAlgo(), setSecret(), and setKeys() methods only updated the raw provider properties, so the cached signer/configuration continued using the original values. That meant calls such as setSecret() or setKeys() appeared to succeed via the getters, but newly encoded tokens were still signed with the old signing state.

Changes

  • Added a protected onConfigurationChanged() hook to the base JWT provider.
  • Call that hook from setAlgo(), setSecret(), and setKeys().
  • Rebuild Lcobucci's cached signer and configuration when those provider settings change.
  • Documented the JWT provider and blacklist setters as boot-time configuration only, since these objects are cached for the worker lifetime and runtime mutation would affect later requests across coroutines.
  • Moved JWT keypair fixtures into tests/JWT/Fixtures/keys.
  • Added a second RSA keypair fixture for key-rotation coverage.

Tests

Added coverage proving:

  • setAlgo() changes the algorithm used when encoding tokens.
  • setSecret() signs with the rotated secret, and the old secret no longer verifies the token.
  • setKeys() signs with the rotated asymmetric keypair, and the old keypair no longer verifies the token.
  • The base provider setKeys() getter/setter round trip works like the existing algorithm and secret setter tests.
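
The stale-cache failure the PR describes, and the hook that fixes it, as an added example written for this page (not the project's code and not Lcobucci's API). Only the method names setAlgo(), setSecret() and onConfigurationChanged() come from the PR; the class names CachingProvider and RebuildingProvider, the HmacSigner stand-in (a hand-rolled HS256/384/512 signer in place of Lcobucci's signer and Configuration), and the two secrets are assumptions. To keep it short, the provider that caches the signer in its constructor is the base class here, where the PR has that caching in the Lcobucci subclass, and setKeys() is omitted because the HMAC stand-in has no asymmetric path.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. A hand-rolled HS256/384/512 signer stands
// in for Lcobucci so the cache-invalidation pattern runs with plain PHP (>= 8.0).

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Stands in for the signer + Configuration pair that Lcobucci caches. */
final class HmacSigner
{
    private const HASHES = ['HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512'];

    public function __construct(private string $algo, private string $secret)
    {
        if (!isset(self::HASHES[$algo])) {
            throw new InvalidArgumentException("unsupported algorithm {$algo}");
        }
    }

    public function encode(array $claims): string
    {
        $head = b64url(json_encode(['typ' => 'JWT', 'alg' => $this->algo]));
        $body = b64url(json_encode($claims));
        $sig  = hash_hmac(self::HASHES[$this->algo], "$head.$body", $this->secret, true);
        return "$head.$body." . b64url($sig);
    }

    /** Signature check only, in constant time, using this verifier's own algorithm
     *  (never the token header's alg); claim validation is out of scope here. */
    public function verify(string $jwt): bool
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return false;
        }
        [$head, $body, $sig] = $parts;
        $expected = hash_hmac(self::HASHES[$this->algo], "$head.$body", $this->secret, true);
        return hash_equals(b64url($expected), $sig);
    }
}

/** Pre-fix shape: setters update raw properties and fire a no-op hook, but the
 *  signer built in the constructor is never rebuilt, so rotation is silently lost. */
class CachingProvider
{
    protected HmacSigner $signer;

    public function __construct(protected string $algo, protected string $secret)
    {
        $this->signer = new HmacSigner($algo, $secret);
    }

    public function setAlgo(string $algo): static
    {
        $this->algo = $algo;
        $this->onConfigurationChanged();
        return $this;
    }

    public function setSecret(string $secret): static
    {
        $this->secret = $secret;
        $this->onConfigurationChanged();
        return $this;
    }

    /** Hook for subclasses that cache derived state; the base implementation is a no-op. */
    protected function onConfigurationChanged(): void {}

    public function encode(array $claims): string
    {
        return $this->signer->encode($claims);
    }
}

/** The fix: rebuild the cached signer whenever the algorithm or secret changes. */
final class RebuildingProvider extends CachingProvider
{
    protected function onConfigurationChanged(): void
    {
        $this->signer = new HmacSigner($this->algo, $this->secret);
    }
}

function headerAlg(string $jwt): string
{
    $head = strtr(explode('.', $jwt)[0], '-_', '+/');
    return json_decode(base64_decode($head), true)['alg'];
}

// Constructed secrets for the demo; real ones come from boot-time configuration.
$old = 'old-secret-0123456789abcdef';
$new = 'new-secret-fedcba9876543210';

foreach ([new CachingProvider('HS256', $old), new RebuildingProvider('HS256', $old)] as $p) {
    $jwt = $p->setSecret($new)->setAlgo('HS512')->encode(['sub' => 'user-1']);
    printf("%-18s alg=%s  old secret verifies: %s  new secret verifies: %s\n", $p::class, headerAlg($jwt),
        var_export((new HmacSigner('HS256', $old))->verify($jwt), true),
        var_export((new HmacSigner('HS512', $new))->verify($jwt), true));
}
```

In the CachingProvider case both setters return normally and the stored properties hold the new values, which is exactly why the PR's tests assert on the encoded token (the header alg and cross-verification against the old and new key) rather than on getter round trips.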

…oot-only

setAlgo, setSecret, and setKeys now call a protected onConfigurationChanged
hook so subclasses that cache derived state can rebuild it. The base
implementation is a no-op. Also adds docblock warnings noting that providers
are cached on the singleton JWTManager.

Override onConfigurationChanged to rebuild $signer (depends on $algo) then
$config (depends on $signer plus the key material) so setAlgo, setSecret,
and setKeys actually take effect. Previously these setters were silent
no-ops because Lcobucci cached both derived properties in the constructor
and never recomputed them.

Three behavioral tests: setAlgo (verifies JWT header alg field reflects the
new algorithm), setSecret (verifies the new secret signs and the old one
can no longer verify), and setKeys (asymmetric variant using two RSA
keypairs). Also moves the keypair helper paths to tests/JWT/Fixtures/keys,
adds alt-keypair helpers, and calls parent::setUp.

Per the porting guide convention that test support files (including non-PHP
files like key material) live under tests/{Package}/Fixtures.
binaryfire merged commit 878650f into 0.4 on May 12, 2026
34 checks passed