Merge pull request #548 from lcobucci/final-preparations-for-3.4

Final preparations for 3.4

Author: lcobucci

README.md

@@ -7,8 +7,7 @@
 [![Build Status]](https://github.com/lcobucci/jwt/actions?query=workflow%3A%22PHPUnit%20Tests%22+branch%3A3.4)
 [![Code Coverage]](https://codecov.io/gh/lcobucci/jwt)
 
-A simple library to work with JSON Web Token and JSON Web Signature (requires PHP 5.6+).
-The implementation is based on the [RFC 7519](https://tools.ietf.org/html/rfc7519).
+A simple library to work with JSON Web Token and JSON Web Signature based on the [RFC 7519](https://tools.ietf.org/html/rfc7519).
 
 ## Installation
 
@@ -19,180 +18,9 @@ you can install it using [Composer](http://getcomposer.org).
 composer require lcobucci/jwt
 ```
 
-### Dependencies
+## Documentation
 
-- PHP 5.6+
-- OpenSSL Extension
-
-## Basic usage
-
-### Creating
-
-Just use the builder to create a new JWT/JWS tokens:
-
-```php
-use Lcobucci\JWT\Builder;
-
-$time = time();
-$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
-                        ->permittedFor('http://example.org') // Configures the audience (aud claim)
-                        ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
-                        ->issuedAt($time) // Configures the time that the token was issue (iat claim)
-                        ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
-                        ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
-                        ->withClaim('uid', 1) // Configures a new claim, called "uid"
-                        ->getToken(); // Retrieves the generated token
-
-
-$token->getHeaders(); // Retrieves the token headers
-$token->getClaims(); // Retrieves the token claims
-
-echo $token->getHeader('jti'); // will print "4f1g23a12aa"
-echo $token->getClaim('iss'); // will print "http://example.com"
-echo $token->getClaim('uid'); // will print "1"
-echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
-```
-
-### Parsing from strings
-
-Use the parser to create a new token from a JWT string (using the previous token as example):
-
-```php
-use Lcobucci\JWT\Parser;
-
-$token = (new Parser())->parse((string) $token); // Parses from a string
-$token->getHeaders(); // Retrieves the token header
-$token->getClaims(); // Retrieves the token claims
-
-echo $token->getHeader('jti'); // will print "4f1g23a12aa"
-echo $token->getClaim('iss'); // will print "http://example.com"
-echo $token->getClaim('uid'); // will print "1"
-```
-
-### Validating
-
-We can easily validate if the token is valid (using the previous token and time as example):
-
-```php
-use Lcobucci\JWT\ValidationData;
-
-$data = new ValidationData(); // It will use the current time to validate (iat, nbf and exp)
-$data->setIssuer('http://example.com');
-$data->setAudience('http://example.org');
-$data->setId('4f1g23a12aa');
-
-var_dump($token->validate($data)); // false, because token cannot be used before now() + 60
-
-$data->setCurrentTime($time + 61); // changing the validation time to future
-
-var_dump($token->validate($data)); // true, because current time is between "nbf" and "exp" claims
-
-$data->setCurrentTime($time + 4000); // changing the validation time to future
-
-var_dump($token->validate($data)); // false, because token is expired since current time is greater than exp
-
-// We can also use the $leeway parameter to deal with clock skew (see notes below)
-// If token's claimed time is invalid but the difference between that and the validation time is less than $leeway, 
-// then token is still considered valid
-$dataWithLeeway = new ValidationData($time, 20); 
-$dataWithLeeway->setIssuer('http://example.com');
-$dataWithLeeway->setAudience('http://example.org');
-$dataWithLeeway->setId('4f1g23a12aa');
-
-var_dump($token->validate($dataWithLeeway)); // false, because token can't be used before now() + 60, not within leeway
-
-$dataWithLeeway->setCurrentTime($time + 51); // changing the validation time to future
-
-var_dump($token->validate($dataWithLeeway)); // true, because current time plus leeway is between "nbf" and "exp" claims
-
-$dataWithLeeway->setCurrentTime($time + 3610); // changing the validation time to future but within leeway
-
-var_dump($token->validate($dataWithLeeway)); // true, because current time - 20 seconds leeway is less than exp
-
-$dataWithLeeway->setCurrentTime($time + 4000); // changing the validation time to future outside of leeway
-
-var_dump($token->validate($dataWithLeeway)); // false, because token is expired since current time is greater than exp
-```
-
-#### Important
-
-- You have to configure ```ValidationData``` informing all claims you want to validate the token.
-- If ```ValidationData``` contains claims that are not being used in token or token has claims that are not
-configured in ```ValidationData``` they will be ignored by ```Token::validate()```.
-- ```exp```, ```nbf``` and ```iat``` claims are configured by default in ```ValidationData::__construct()```
-with the current UNIX time (```time()```).
-- The optional ```$leeway``` parameter of ```ValidationData``` will cause us to use that number of seconds of leeway 
-when validating the time-based claims, pretending we are further in the future for the "Issued At" (```iat```) and "Not 
-Before" (```nbf```) claims and pretending we are further in the past for the "Expiration Time" (```exp```) claim. This
-allows for situations where the clock of the issuing server has a different time than the clock of the verifying server, 
-as mentioned in [section 4.1 of RFC 7519](https://tools.ietf.org/html/rfc7519#section-4.1).
-
-## Token signature
-
-We can use signatures to be able to verify if the token was not modified after its generation. This library implements Hmac, RSA and ECDSA signatures (using 256, 384 and 512).
-
-### Important
-
-Do not allow the string sent to the Parser to dictate which signature algorithm
-to use, or else your application will be vulnerable to a [critical JWT security vulnerability](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries).
-
-The examples below are safe because the choice in `Signer` is hard-coded and
-cannot be influenced by malicious users.
-
-### Hmac
-
-Hmac signatures are really simple to be used:
-
-```php
-use Lcobucci\JWT\Builder;
-use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\Signer\Hmac\Sha256;
-
-$signer = new Sha256();
-$time = time();
-
-$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
-                        ->permittedFor('http://example.org') // Configures the audience (aud claim)
-                        ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
-                        ->issuedAt($time) // Configures the time that the token was issue (iat claim)
-                        ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
-                        ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
-                        ->withClaim('uid', 1) // Configures a new claim, called "uid"
-                        ->getToken($signer, new Key('testing')); // Retrieves the generated token
-
-
-var_dump($token->verify($signer, 'testing 1')); // false, because the key is different
-var_dump($token->verify($signer, 'testing')); // true, because the key is the same
-```
-
-### RSA and ECDSA
-
-RSA and ECDSA signatures are based on public and private keys so you have to generate using the private key and verify using the public key:
-
-```php
-use Lcobucci\JWT\Builder;
-use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\Signer\Rsa\Sha256; // you can use Lcobucci\JWT\Signer\Ecdsa\Sha256 if you're using ECDSA keys
-
-$signer = new Sha256();
-$privateKey = new Key('file://{path to your private key}');
-$time = time();
-
-$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
-                        ->permittedFor('http://example.org') // Configures the audience (aud claim)
-                        ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
-                        ->issuedAt($time) // Configures the time that the token was issue (iat claim)
-                        ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
-                        ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
-                        ->withClaim('uid', 1) // Configures a new claim, called "uid"
-                        ->getToken($signer,  $privateKey); // Retrieves the generated token
-
-$publicKey = new Key('file://{path to your public key}');
-
-var_dump($token->verify($signer, $publicKey)); // true when the public key was generated by the private one =)
-```
-
-**It's important to say that if you're using RSA keys you shouldn't invoke ECDSA signers (and vice-versa), otherwise ```sign()``` and ```verify()``` will raise an exception!**
+The documentation is available at <https://lcobucci-jwt.readthedocs.io/en/3.4.0/>.
 
 [Gitter]: https://img.shields.io/badge/GITTER-JOIN%20CHAT%20%E2%86%92-brightgreen.svg?style=flat-square
 [Total Downloads]: https://img.shields.io/packagist/dt/lcobucci/jwt.svg?style=flat-square

docs/configuration.md

@@ -0,0 +1,134 @@
+# Configuration
+
+In order to simplify the setup of the library, we provide the class `Lcobucci\JWT\Configuration`.
+
+It's meant for:
+
+* Configuring the default algorithm (signer) and key(s) to be used
+* Configuring the default set of validation constraints
+* Providing custom implementation for the [extension points](extending-the-library.md)
+* Retrieving components (encoder, decoder, parser, validator, and builder)
+
+## Usage
+
+In order to use it, you must:
+
+1. Initialise the configuration object
+1. Customise the configuration object
+1. Retrieve components
+
+### Configuration initialisation
+
+The `Lcobucci\JWT\Signer\Key` object is used for symmetric/asymmetric signature.
+
+To initialise it, you can pass the key content as a plain text:
+
+```php
+use Lcobucci\JWT\Signer\Key\InMemory;
+
+$key = InMemory::plainText('my-key-as-plaintext');
+```
+
+Provide a base64 encoded string:
+
+```php
+use Lcobucci\JWT\Signer\Key\InMemory;
+
+$key = InMemory::base64Encoded('YSB2ZXJ5IGxvbmcgYSB2ZXJ5IHVsdHJhIHNlY3VyZSBrZXkgZm9yIG15IGFtYXppbmcgdG9rZW5z');
+```
+
+Or provide a file path:
+
+```php
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Key\LocalFileReference;
+
+$key = InMemory::file(__DIR__ . '/path-to-my-key-stored-in-a-file.pem'); // this reads the file and keeps its contents in memory
+$key = LocalFileReference::file(__DIR__ . '/path-to-my-key-stored-in-a-file.pem'); // this just keeps a reference to file
+```
+
+#### For symmetric algorithms
+
+Symmetric algorithms use the same key for both signature creation and verification.
+This means that it's really important that your key **remains secret**.
+
+!!! Tip
+    It is recommended that you use a key with lots of entropy, preferably generated using a cryptographically secure pseudo-random number generator (CSPRNG).
+    You can use the [CryptoKey](https://github.com/AndrewCarterUK/CryptoKey) tool to do this for you.
+
+```php
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer\Hmac\Sha256;
+use Lcobucci\JWT\Signer\Key\InMemory;
+
+$configuration = Configuration::forSymmetricSigner(
+    // You may use any HMAC variations (256, 384, and 512)
+    new Sha256(),
+    // replace the value below with a key of your own!
+    InMemory::base64Encoded('mBC5v1sOKVvbdEitdSBenu59nfNfhwkedkJVNabosTw=')
+    // You may also override the JOSE encoder/decoder if needed by providing extra arguments here
+);
+```
+
+#### For asymmetric algorithms
+
+Asymmetric algorithms use a **private key** for signature creation and a **public key** for verification.
+This means that it's fine to distribute your **public key**. However, the **private key** should **remain secret**.
+
+```php
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer;
+use Lcobucci\JWT\Signer\Key\LocalFileReference;
+use Lcobucci\JWT\Signer\Key\InMemory;
+
+$configuration = Configuration::forAsymmetricSigner(
+    // You may use RSA or ECDSA and all their variations (256, 384, and 512)
+    new Signer\RSA\Sha256(),
+    LocalFileReference::file(__DIR__ . '/my-private-key.pem'),
+    InMemory::base64Encoded('mBC5v1sOKVvbdEitdSBenu59nfNfhwkedkJVNabosTw=')
+    // You may also override the JOSE encoder/decoder if needed by providing extra arguments here
+);
+```
+
+#### For no algorithm
+
+!!! Warning
+    This configuration type is **NOT** recommended for production environments.
+    It's only provided to allow people to have a simpler and faster setup for tests, avoiding any kind of signature creation/verification.
+
+```php
+use Lcobucci\JWT\Configuration;
+
+$configuration = Configuration::forUnsecuredSigner(
+    // You may also override the JOSE encoder/decoder if needed by providing extra arguments here
+);
+```
+
+### Customisation
+
+By using the setters of the `Lcobucci\JWT\Configuration` you may customise the setup of this library.
+
+!!! Important
+    If you want to use a customised configuration, please make sure you call the setters before of invoking any getter.
+    Otherwise, the default implementations will be used.
+
+These are the available setters:
+
+* `Lcobucci\JWT\Configuration#setBuilderFactory()`: configures how the token builder should be created
+* `Lcobucci\JWT\Configuration#setParser()`: configures a custom token parser
+* `Lcobucci\JWT\Configuration#setValidator()`: configures a custom validator
+* `Lcobucci\JWT\Configuration#setValidationConstraints()`: configures the default set of validation constraints
+
+### Retrieve components
+
+Once you've made all the necessary configuration you can pass the configuration object around your code and use the getters to retrieve the components:
+
+These are the available getters:
+
+* `Lcobucci\JWT\Configuration#builder()`: retrieves the token builder (always creating a new instance)
+* `Lcobucci\JWT\Configuration#parser()`: retrieves the token parser
+* `Lcobucci\JWT\Configuration#signer()`: retrieves the signer
+* `Lcobucci\JWT\Configuration#signingKey()`: retrieves the key for signature creation
+* `Lcobucci\JWT\Configuration#verificationKey()`: retrieves the key for signature verification
+* `Lcobucci\JWT\Configuration#validator()`: retrieves the token validator
+* `Lcobucci\JWT\Configuration#validationConstraints()`: retrieves the default set of validation constraints

docs/index.md

@@ -0,0 +1,17 @@
+# Overview
+
+`lcobucci/jwt` is a framework-agnostic PHP library that allows you to issue, parse, and validate JSON Web Tokens based on the [RFC 7519].
+
+## Support
+
+If you're having any issue to use the library, please [create a GH issue].
+You can also reach us and other users of this library via our [Gitter channel].
+
+## License
+
+The project is licensed under the MIT license, see [LICENSE file].
+
+[RFC 7519]: https://tools.ietf.org/html/rfc7519
+[create a GH issue]: https://github.com/lcobucci/jwt/issues/new
+[Gitter channel]: https://gitter.im/lcobucci/jwt
+[LICENSE file]: https://github.com/lcobucci/jwt/blob/master/LICENSE

docs/installation.md

@@ -0,0 +1,27 @@
+# Installation
+
+This package is available on [Packagist] and you can install it using [Composer].
+
+By running the following command you'll add `lcobucci/jwt` as a dependency to your project:
+
+```sh
+composer require lcobucci/jwt
+```
+
+## Autoloading
+
+!!! Note
+    We'll be omitting the autoloader from the code samples to simplify the documentation.
+
+In order to be able to use the classes provided by this library you're also required to include [Composer]'s autoloader in your application:
+
+```php
+require 'vendor/bin/autoload.php';
+```
+
+!!! Tip
+    If you're not familiar with how [composer] works, we highly recommend you to take some time to read it's documentation - especially the [autoloading section].
+
+[Packagist]: https://packagist.org/packages/lcobucci/jwt
+[Composer]: https://getcomposer.org
+[autoloading section]: https://getcomposer.org/doc/01-basic-usage.md#autoloading