Merge pull request #5 from cdoco/develop

Add exception handling

Author: cdoco

README.md

@@ -36,7 +36,7 @@ $payload = array(
 // default HS256 algorithm
 $token = jwt_encode($payload, $key);
 
-//eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7Im5hbWUiOiJaaUhhbmcgR2FvIiwiYWRtaW4iOnRydWV9LCJpc3MiOiJodHRwOlwvXC9leGFtcGxlLm9yZyIsInN1YiI6IjEyMzQ1Njc4OTAifQ.UcrCt9o9rz38kKMTa-nCrm7JNQRNAId5Xg9C7EIl2Zc
+// eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7Im5hbWUiOiJaaUhhbmcgR2FvIiwiYWRtaW4iOnRydWV9LCJpc3MiOiJodHRwOlwvXC9leGFtcGxlLm9yZyIsInN1YiI6IjEyMzQ1Njc4OTAifQ.UcrCt9o9rz38kKMTa-nCrm7JNQRNAId5Xg9C7EIl2Zc
 echo $token;
 
 $decoded_token = jwt_decode($token, $key);
@@ -178,9 +178,8 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (ExpiredSignatureException $e) {
     // Expired token
-    $e->getMessage();
 }
 ```
 
@@ -194,7 +193,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['leeway' => 30, 'algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (ExpiredSignatureException $e) {
     // Expired token
 }
 ```
@@ -212,7 +211,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (BeforeValidException $e) {
     // Handle invalid token
 }
 ```
@@ -227,7 +226,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['leeway' => 30, 'algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (BeforeValidException $e) {
     // Handle invalid token
 }
 ```
@@ -243,7 +242,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['iss' => 'http://example.org', 'algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (InvalidIssuerException $e) {
      // Handle invalid token
 }
 ```
@@ -259,7 +258,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['aud' => ['Young', 'Old'], 'algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (InvalidAudException $e) {
      // Handle invalid token
 }
 ```
@@ -275,7 +274,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['jti' => md5('id'), 'algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (InvalidJtiException $e) {
      // Handle invalid token
 }
 ```
@@ -291,7 +290,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (InvalidIatException $e) {
      // Handle invalid token
 }
 ```
@@ -307,7 +306,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['sub' => 'Subject', 'algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (InvalidSubException $e) {
      // Handle invalid token
 }
 ```

jwt.c

@@ -27,6 +27,7 @@
 
 #include "zend_smart_str.h"
 #include "zend_exceptions.h"
+#include "ext/spl/spl_exceptions.h"
 #include "ext/json/php_json.h"
 #include "ext/standard/base64.h"
 #include "ext/standard/info.h"
@@ -37,6 +38,16 @@
 
 #include "php_jwt.h"
 
+/* Exceptions */
+PHP_JWT_API zend_class_entry *jwt_signature_invalid_cex;
+PHP_JWT_API zend_class_entry *jwt_before_valid_cex;
+PHP_JWT_API zend_class_entry *jwt_expired_signature_cex;
+PHP_JWT_API zend_class_entry *jwt_invalid_issuer_cex;
+PHP_JWT_API zend_class_entry *jwt_invalid_aud_cex;
+PHP_JWT_API zend_class_entry *jwt_invalid_jti_cex;
+PHP_JWT_API zend_class_entry *jwt_invalid_iat_cex;
+PHP_JWT_API zend_class_entry *jwt_invalid_sub_cex;
+
 ZEND_DECLARE_MODULE_GLOBALS(jwt)
 
 /* string to algorithm */
@@ -300,14 +311,15 @@ int jwt_array_equals(zend_array *arr1, zend_array *arr2) {
                     php_error_docref(NULL, E_WARNING, "Aud each item type must be string");
                 }
             }
-        }ZEND_HASH_FOREACH_END();
+        } ZEND_HASH_FOREACH_END();
     }
 
     return 0;
 }
 
 int jwt_verify_body(char *body, zval *return_value)
 {
+    zend_class_entry *ce;
     char *err_msg = NULL;
     time_t curr_time = time((time_t*)NULL);
     zend_string *vs = jwt_b64_url_decode(body);
@@ -317,8 +329,10 @@ int jwt_verify_body(char *body, zval *return_value)
     zend_string_free(vs);
 
     /* Expiration */
-    if (JWT_G(expiration) && (curr_time - JWT_G(leeway)) >= JWT_G(expiration))
+    if (JWT_G(expiration) && (curr_time - JWT_G(leeway)) >= JWT_G(expiration)) {
+        ce = jwt_expired_signature_cex;
         err_msg = "Expired token";
+    }
 
     /* not before */
     if (JWT_G(not_before) && JWT_G(not_before) > (curr_time + JWT_G(leeway))) {
@@ -327,12 +341,15 @@ int jwt_verify_body(char *body, zval *return_value)
 
         timeinfo = localtime(&JWT_G(not_before));
         strftime(buf, sizeof(buf), "Cannot handle token prior to %Y-%m-%d %H:%M:%S", timeinfo);
+        ce = jwt_before_valid_cex;
         err_msg = buf;
     }
 
     /* iss */
-    if (jwt_verify_claims(return_value, "iss", JWT_G(iss)))
-        err_msg = "Iss verify fail";
+    if (jwt_verify_claims(return_value, "iss", JWT_G(iss))) {
+        ce = jwt_invalid_issuer_cex;
+        err_msg = "Invalid Issuer";
+    }
 
     /* iat */
     if (JWT_G(iat) && JWT_G(iat) > (curr_time + JWT_G(leeway))) {
@@ -341,23 +358,30 @@ int jwt_verify_body(char *body, zval *return_value)
 
         timeinfo = localtime(&JWT_G(iat));
         strftime(buf, sizeof(buf), "Cannot handle token prior to %Y-%m-%d %H:%M:%S", timeinfo);
+        ce = jwt_invalid_iat_cex;
         err_msg = buf;
     }
 
     /* jti */
-    if (jwt_verify_claims(return_value, "jti", JWT_G(jti)))
-        err_msg = "Tti verify fail";
+    if (jwt_verify_claims(return_value, "jti", JWT_G(jti))) {
+        ce = jwt_invalid_jti_cex;
+        err_msg = "Invalid Jti";
+    }
 
     /* aud */
-    if (jwt_array_equals(JWT_G(aud), jwt_hash_str_find_ht(return_value, "aud")))
-        err_msg = "Aud verify fail";
+    if (jwt_array_equals(JWT_G(aud), jwt_hash_str_find_ht(return_value, "aud"))) {
+        ce = jwt_invalid_aud_cex;
+        err_msg = "Invalid Aud";
+    }
 
     /* sub */
-    if (jwt_verify_claims(return_value, "sub", JWT_G(sub)))
-        err_msg = "Sub verify fail";
+    if (jwt_verify_claims(return_value, "sub", JWT_G(sub))) {
+        ce = jwt_invalid_sub_cex;
+        err_msg = "Invalid Sub";
+    }
 
     if (err_msg) {
-        zend_throw_exception(zend_ce_exception, err_msg, 0);
+        zend_throw_exception(ce, err_msg, 0);
         return FAILURE;
     }
 
@@ -419,7 +443,7 @@ PHP_FUNCTION(jwt_encode)
     jwt->alg = jwt_str_alg(alg);
 
     if (jwt->alg == JWT_ALG_INVAL) {
-        zend_throw_exception(zend_ce_exception, "Algorithm not supported", 0);
+        zend_throw_exception(spl_ce_UnexpectedValueException, "Algorithm not supported", 0);
         goto encode_done;
     }
 
@@ -451,16 +475,16 @@ PHP_FUNCTION(jwt_encode)
 
     /* sign */
     if (jwt->alg == JWT_ALG_NONE) {
-        // alg none.
-		smart_str_appendl(&segments, ".", 1);
+        /* alg none */
+        smart_str_appendl(&segments, ".", 1);
     } else {
         /* set jwt struct */
         jwt->key = key;
         jwt->str = segments.s;
 
         /* sign */
         if (jwt_sign(jwt, &sig, &sig_len)) {
-            zend_throw_exception(zend_ce_exception, "Signature error", 0);
+            zend_throw_exception(spl_ce_DomainException, "OpenSSL unable to sign data", 0);
             goto encode_done;
         }
 
@@ -506,15 +530,15 @@ PHP_FUNCTION(jwt_decode)
 
     /* Parse options */
     if (jwt_parse_options(options) == FAILURE) {
-        zend_throw_exception(zend_ce_exception, "Options parse error", 0);
+        zend_throw_exception(spl_ce_UnexpectedValueException, "Options parse error", 0);
         goto decode_done;
     }
 
     /* Algorithm */
     jwt->alg = jwt_str_alg(JWT_G(algorithm));
 
     if (jwt->alg == JWT_ALG_INVAL) {
-        zend_throw_exception(zend_ce_exception, "Algorithm not supported", 0);
+        zend_throw_exception(spl_ce_UnexpectedValueException, "Algorithm not supported", 0);
         goto decode_done;
     }
 
@@ -542,7 +566,7 @@ PHP_FUNCTION(jwt_decode)
     zend_string *json_h = jwt_b64_url_decode(head);
 
     if (!json_h) {
-        zend_throw_exception(zend_ce_exception, "Base64 decode error", 0);
+        zend_throw_exception(spl_ce_UnexpectedValueException, "Base64 decode error", 0);
         goto decode_done;
     }
 
@@ -555,11 +579,11 @@ PHP_FUNCTION(jwt_decode)
         zval_ptr_dtor(&zv);
 
         if (strcmp(Z_STRVAL_P(zalg), JWT_G(algorithm))) {
-            zend_throw_exception(zend_ce_exception, "Algorithm not allowed", 0);
+            zend_throw_exception(spl_ce_UnexpectedValueException, "Algorithm not allowed", 0);
             goto decode_done;
         }
     } else {
-        zend_throw_exception(zend_ce_exception, "Json decode error", 0);
+        zend_throw_exception(spl_ce_UnexpectedValueException, "Json decode error", 0);
         goto decode_done;
     }
 
@@ -582,7 +606,7 @@ PHP_FUNCTION(jwt_decode)
         jwt->str = segments.s;
 
         if (jwt_verify(jwt, sig)) {
-            zend_throw_exception(zend_ce_exception, "Signature verification failed", 0);
+            zend_throw_exception(jwt_signature_invalid_cex, "Signature verification failed", 0);
         }
     }
 
@@ -614,6 +638,40 @@ PHP_GINIT_FUNCTION(jwt) {
 
 PHP_MINIT_FUNCTION(jwt)
 {
+    zend_class_entry ce;
+
+    /* SignatureInvalidException */
+    INIT_CLASS_ENTRY(ce, "SignatureInvalidException", NULL);
+    jwt_signature_invalid_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
+    /* BeforeValidException */
+    INIT_CLASS_ENTRY(ce, "BeforeValidException", NULL);
+    jwt_before_valid_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
+    /* ExpiredSignatureException */
+    INIT_CLASS_ENTRY(ce, "ExpiredSignatureException", NULL);
+    jwt_expired_signature_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
+    /* InvalidIssuerException */
+    INIT_CLASS_ENTRY(ce, "InvalidIssuerException", NULL);
+    jwt_invalid_issuer_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
+    /* InvalidAudException */
+    INIT_CLASS_ENTRY(ce, "InvalidAudException", NULL);
+    jwt_invalid_aud_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
+    /* InvalidJtiException */
+    INIT_CLASS_ENTRY(ce, "InvalidJtiException", NULL);
+    jwt_invalid_jti_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
+    /* InvalidIatException */
+    INIT_CLASS_ENTRY(ce, "InvalidIatException", NULL);
+    jwt_invalid_iat_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
+    /* InvalidSubException */
+    INIT_CLASS_ENTRY(ce, "InvalidSubException", NULL);
+    jwt_invalid_sub_cex = zend_register_internal_class_ex(&ce, zend_ce_exception);
+
     return SUCCESS;
 }
 

php_jwt.h

@@ -26,6 +26,14 @@ extern zend_module_entry jwt_module_entry;
 
 #define PHP_JWT_VERSION "0.2.1" /* Replace with version number for your extension */
 
+#ifdef PHP_WIN32
+#	define PHP_JWT_API __declspec(dllexport)
+#elif defined(__GNUC__) && __GNUC__ >= 4
+#	define PHP_JWT_API __attribute__ ((visibility("default")))
+#else
+#	define PHP_JWT_API
+#endif
+
 #ifdef ZTS
 #include "TSRM.h"
 #endif

tests/006.phpt

@@ -10,17 +10,16 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (ExpiredSignatureException $e) {
     // Expired token
     echo $e->getMessage() . "\n";
 }
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['leeway' => 30, 'algorithm' => 'HS256']);
     echo "Success\n";
-} catch (Exception $e) {
+} catch (ExpiredSignatureException $e) {
     // Expired token
-    echo $e->getMessage() . "\n";
 }
 ?>
 --EXPECT--

tests/007.phpt

@@ -10,15 +10,15 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (BeforeValidException $e) {
     // Expired token
     echo "FAIL\n";
 }
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['leeway' => 30, 'algorithm' => 'HS256']);
     echo "SUCCESS\n";
-} catch (Exception $e) {
+} catch (BeforeValidException $e) {
     // Expired token
 }
 ?>

tests/008.phpt

@@ -11,7 +11,7 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['algorithm' => 'HS256']);
     echo "SUCCESS\n";
-} catch (Exception $e) {
+} catch (InvalidIatException $e) {
      // Handle invalid token
 }
 ?>

tests/009.phpt

@@ -12,13 +12,13 @@ $token = jwt_encode($payload, $hmackey, 'HS256');
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['iss' => 'http://example.org', 'algorithm' => 'HS256']);
     echo "SUCCESS\n";
-} catch (Exception $e) {
+} catch (InvalidIssuerException $e) {
      // Handle invalid token
 }
 
 try {
     $decoded_token = jwt_decode($token, $hmackey, ['iss' => 'test', 'algorithm' => 'HS256']);
-} catch (Exception $e) {
+} catch (InvalidIssuerException $e) {
      // Handle invalid token
      echo "FAIL\n";
 }