From 3363a79a018acf305392c296ac86eda7890164df Mon Sep 17 00:00:00 2001
From: Martin Walsh
Date: Mon, 22 May 2017 10:03:34 +0100
Subject: [PATCH] Improve redirect_login error logging, catch JWT exceptions Added leeway to JWT decoding
---
 lib/WP_Auth0_LoginManager.php | 9 +++++++--
 lib/php-jwt/Authentication/JWT.php | 16 ++++++++--------
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/lib/WP_Auth0_LoginManager.php b/lib/WP_Auth0_LoginManager.php
index f626e97d..9c7c7f46 100644
--- a/lib/WP_Auth0_LoginManager.php
+++ b/lib/WP_Auth0_LoginManager.php
@@ -237,8 +237,13 @@ public function redirect_login() {
 $data->id_token = null;
 $response = WP_Auth0_Api_Client::get_user_info( $domain, $data->access_token );
 } else {
- // grab the user ID from the id_token to call get_user
- $decodedToken = JWT::decode( $data->id_token, $this->a0_options->get_client_secret_as_key(), array( 'HS256' ) );
+ try {
+ // grab the user ID from the id_token to call get_user
+ $decodedToken = JWT::decode( $data->id_token, $this->a0_options->get_client_secret_as_key(), array( 'HS256' ) );
+ } catch (Exception $e) {
+ WP_Auth0_ErrorManager::insert_auth0_error('redirect_login/decode', $e->getMessage());
+ throw new WP_Auth0_LoginFlowValidationException(__('Error: There was an issue decoding the token', WPA0_LANG));
+ }
 // validate that this JWT was made for us
 if ( $this->a0_options->get( 'client_id' ) !== $decodedToken->aud ) {
diff --git a/lib/php-jwt/Authentication/JWT.php b/lib/php-jwt/Authentication/JWT.php
index 905920a7..1b7b2298 100644
--- a/lib/php-jwt/Authentication/JWT.php
+++ b/lib/php-jwt/Authentication/JWT.php
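Review bot: In `lib/WP_Auth0_LoginManager.php`, the new `catch (Exception $e)` in `redirect_login()` records only `$e->getMessage()`, so a signature failure, an expired token and a not-yet-valid token all land under `redirect_login/decode` as bare strings with no type to filter on. A bad signature is a different kind of event from clock skew and is worth being able to alert on separately; prefixing the exception class would do it: `WP_Auth0_ErrorManager::insert_auth0_error( 'redirect_login/decode', get_class( $e ) . ': ' . $e->getMessage() );`. Keeping the user-facing message generic, as the new code does, is the right split between what is shown and what is logged. `redirect_login()` begins and ends outside this hunk.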
@@ -79,24 +79,24 @@ public static function decode($jwt, $key = null, $allowed_algs = array())
 }
 // Check if the nbf if it is defined. This is the time that the
- // token can actually be used. If it's not yet that time, abort.
- if (isset($payload->nbf) && $payload->nbf > time()) {
+ // token can actually be used. If it's not yet that time, abort. Small leeway for clock skew.
+ if (isset($payload->nbf) && $payload->nbf > time() + 2) {
 throw new BeforeValidException(
- 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
+ 'Cannot handle token prior to (nbf) ' . date(DateTime::ISO8601, $payload->nbf)
 );
 }
 // Check that this token has been created before 'now'. This prevents
 // using tokens that have been created for later use (and haven't
- // correctly used the nbf claim).
- if (isset($payload->iat) && $payload->iat > time()) {
+ // correctly used the nbf claim). Small leeway for clock skew.
+ if (isset($payload->iat) && $payload->iat > time() + 2) {
 throw new BeforeValidException(
- 'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)
+ 'Cannot handle token prior to (iat) ' . date(DateTime::ISO8601, $payload->iat)
 );
 }
- // Check if this token has expired.
- if (isset($payload->exp) && time() >= $payload->exp) {
+ // Check if this token has expired. Small leeway for clock skew.
+ if (isset($payload->exp) && time() >= $payload->exp + 2) {
 throw new ExpiredException('Expired token');
 }
 }
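Review bot: The clock-skew tolerance in `JWT::decode()` is the bare literal `2`, repeated in the `nbf`, `iat` and `exp` checks, and each check calls `time()` again, so the three comparisons are not guaranteed to use the same instant. Since this value decides how long an expired token is still accepted, define it once with a comment giving the unit and the reason, e.g. `$now = time(); $leeway = 2;` ahead of the checks, then `$payload->nbf > $now + $leeway`, `$payload->iat > $now + $leeway` and `$now >= $payload->exp + $leeway`. The path `lib/php-jwt/` looks like a bundled copy of a third-party library; if so, a local edit here would be silently lost when the copy is refreshed, so it needs a marker comment or a setting that lives outside the library. `decode()` starts before this hunk.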