Security review for firebase/php-jwt
Closed, Resolved | Public | 1 Story Points

Description

Parent tasks require a JWT library.

Event Timeline

Nikerabbit updated the task description.
Nikerabbit raised the priority of this task from to High.
Nikerabbit claimed this task.
Nikerabbit added subscribers: gerritbot, csteipp, Arrbee and 4 others.
Amire80 set Security to None. Jul 27 2015, 4:21 PM
Amire80 edited a custom field.
Amire80 moved this task from Needs Triage to CX6 on the ContentTranslation board. Jul 28 2015, 6:19 PM
csteipp closed this task as Resolved. Jul 28 2015, 8:52 PM

We're already using an earlier version of php-jwt in Ex:OAuth. I just reviewed the latest version (fa8a06e96526eb7c0eeaa47e4f39be59d21f16e1 on GitHub), and it looks fine as well, although it's disappointing that it still doesn't support EC signatures.

In production, you shouldn't set JWT::$leeway to more than a few seconds, if at all.

Arrbee moved this task from Backlog to Done on the LE-CX6-Sprint 1 board. Jul 29 2015, 7:03 AM

Change 226616 had a related patch set uploaded (by Nikerabbit):
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616

Change 226616 merged by jenkins-bot:
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616

csteipp moved this task from Ready to Done on the Security-Team board. Oct 13 2015, 11:56 PM