Page MenuHomePhabricator

Security review for firebase/php-jwt
Closed, ResolvedPublic1 Estimated Story Points

Description

Parent tasks requires a jwt library.

Event Timeline

Amire80 edited a custom field.

We're already using an earlier version of php-jwt in Ex:OAuth. I just reviewed the latest version (fa8a06e96526eb7c0eeaa47e4f39be59d21f16e1 on github), and it looks fine as well, although disappointing it still doesn't support EC signatures.

In production, you shouldn't set JWT::$leeway to more than a few seconds, if at all.

Change 226616 had a related patch set uploaded (by Nikerabbit):
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616

Change 226616 merged by jenkins-bot:
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616