From 1b853a393edb43226afe9860990079294c9ace46 Mon Sep 17 00:00:00 2001 From: Andrew MacRobert Date: Tue, 15 Dec 2020 11:17:05 -0500 Subject: [PATCH 1/2] [952] doc - Specify lcobucci/jwt version, fix deprecation Update "integrating with app" example to use lcobucci/jwt 3.4 Fix whitespace formatting update example for compatibility with both 3.4.x and 4.x
---
 doc/security.md | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/doc/security.md b/doc/security.md
index 10608a7eb51..253e8ef7fea 100644
--- a/doc/security.md
+++ b/doc/security.md
@@ -55,30 +55,28 @@ and installation access token which is then usable with `Github\Client::AUTH_ACC
 authentication docs](https://developer.github.com/apps/building-github-apps/authentication-options-for-github-apps/#authenticating-as-a-github-app) describe the flow in detail. It´s important for integration requests to use the custom Accept header `application/vnd.github.machine-man-preview`.
-The following sample code authenticates as an installation using [lcobucci/jwt](https://github.com/lcobucci/jwt/tree/3.3.2)
+The following sample code authenticates as an installation using [lcobucci/jwt 3.4](https://github.com/lcobucci/jwt/tree/3.4)
 to generate a JSON Web Token (JWT).
 ```php
-use Http\Adapter\Guzzle6\Client as GuzzleClient;
-use Lcobucci\JWT\Builder;
-use Lcobucci\JWT\Signer\Key;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer\Key\LocalFileReference;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
-$builder = new Github\HttpClient\Builder(new GuzzleClient());
 $github = new Github\Client($builder, 'machine-man-preview');
-$jwt = (new Builder)
- ->setIssuer($integrationId)
- ->setIssuedAt(time())
- ->setExpiration(time() + 60)
- // `file://` prefix for file path or file contents itself
- ->sign(new Sha256(), new Key('file:///path/to/integration.private-key.pem'))
- ->getToken();
+$config = Configuration::forSymmetricSigner(
+ new Sha256(),
+ LocalFileReference::file('path/to/integration.private-key.pem')
+ );
-$github->authenticate($jwt, null, Github\Client::AUTH_JWT);
+$jwt = $config->builder()
+ ->issuedBy($integrationId)
+ ->issuedAt(time())
+ ->expiresAt(time() + 60)
+ ->getToken($config->signer(), $config->signingKey()));
-$token = $github->api('apps')->createInstallationToken($installationId);
-$github->authenticate($token['token'], null, Github\Client::AUTH_ACCESS_TOKEN);
+$github->authenticate($jwt, null, Github\Client::AUTH_JWT)
 ```
 The `$integrationId` you can find in the about section of your github app.
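Review bot: The kept context line `$github = new Github\Client($builder, 'machine-man-preview');` now references a `$builder` that nothing defines, because the hunk removes `$builder = new Github\HttpClient\Builder(new GuzzleClient());` together with its `use Http\Adapter\Guzzle6\Client as GuzzleClient;` import; either restore those two lines or construct the client without that argument, so readers copying the sample do not start from an undefined-variable error. The hunk also deletes the final step that exchanges the JWT for an installation token — `$token = $github->api('apps')->createInstallationToken($installationId);` and `$github->authenticate($token['token'], null, Github\Client::AUTH_ACCESS_TOKEN);` — so the sample no longer does what the sentence above it ("authenticates as an installation") and the `AUTH_ACCESS_TOKEN` reference in the hunk header describe; those two lines belong back after the JWT authentication. The last added line `$github->authenticate($jwt, null, Github\Client::AUTH_JWT)` is missing its terminating `;`, and patch 2/2 leaves that line unchanged. Finally, `Configuration::forSymmetricSigner` is paired with `Signer\Rsa\Sha256` and a private key; RS256 is an asymmetric scheme, and `Configuration::forAsymmetricSigner()` (signer, signing key, verification key) is the factory intended for it — signing alone works with either, but the symmetric variant misrepresents the key model to anyone who later adds token verification from this sample.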
From 25ba522926da869cf6d1564c2d6515804d082bdd Mon Sep 17 00:00:00 2001 From: Jeroen Thora Date: Sun, 28 Mar 2021 11:26:42 +0200 Subject: [PATCH 2/2] Apply latest changes
---
 doc/security.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/doc/security.md b/doc/security.md
index 253e8ef7fea..6f0d4cf5533 100644
--- a/doc/security.md
+++ b/doc/security.md
@@ -70,11 +70,13 @@ $config = Configuration::forSymmetricSigner(
 LocalFileReference::file('path/to/integration.private-key.pem')
 );
+$now = new \DateTimeImmutable();
 $jwt = $config->builder()
 ->issuedBy($integrationId)
- ->issuedAt(time())
- ->expiresAt(time() + 60)
- ->getToken($config->signer(), $config->signingKey()));
+ ->issuedAt($now)
+ ->expiresAt($now->modify('+1 minute'))
+ ->getToken($config->signer(), $config->signingKey())
+;
 $github->authenticate($jwt, null, Github\Client::AUTH_JWT)
 ```
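Review bot: `$jwt` is the `Token` object returned by `->getToken($config->signer(), $config->signingKey())`, while the `$github->authenticate($jwt, ...)` context line below it is passed as a bearer credential string; as far as I recall lcobucci/jwt 3.4 still string-casts the object through a deprecated `__toString()`, but 4.x — which the series explicitly targets — does not, so the sample should hand over `$jwt->toString()` unless `authenticate()` is known to accept token objects, which is not visible here. The `iat` claim is set to `$now` exactly; GitHub's App authentication guidance recommends back-dating `iat` by up to 60 seconds to tolerate clock drift between the issuing host and GitHub, e.g. `->issuedAt($now->modify('-60 seconds'))`, otherwise a slightly fast local clock gets every token rejected as issued in the future. Style: the lone `+;` line breaks the chained-call layout used in the rest of this file; ending the chain on `->getToken($config->signer(), $config->signingKey());` keeps it consistent.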