Merge pull request #50 from pdsinterop/fix/htu-comparison

ylebre · web-flow · commit 1d1160ee0f7c · 2025-05-28T16:53:41.000+02:00
fix HTU comparison to skip fragments
diff --git a/src/Utils/DPop.php b/src/Utils/DPop.php
@@ -321,14 +321,16 @@ public function validateDpop($dpop, $request) {
 		// 7.  the "htu" claims matches the HTTP URI value for the HTTP request
 		//     in which the JWT was received, ignoring any query and fragment
 		// 	   parts,
-		$requestedPath = (string)$request->getUri();
-		$requestedPath = preg_replace("/[?#].*$/", "", $requestedPath);
 
-		//error_log("REQUESTED HTU $htu");
-		//error_log("REQUESTED PATH $requestedPath");
-		if ($htu != $requestedPath) { 
-			throw new InvalidTokenException("htu does not match requested path");
-		}
+                $requestedPath = (string)$request->getUri();
+                $requestedPath = preg_replace("/[?#].*$/", "", $requestedPath);
+                $htuClean = preg_replace("/[?#].*$/", "", $htu);
+                // error_log("REQUESTED HTU $htu");
+                // error_log("REQUESTED HTU cleaned $htuClean");
+                // error_log("REQUESTED PATH $requestedPath");
+                if ($htuClean != $requestedPath) { 
+                        throw new InvalidTokenException("htu does not match requested path");
+                }
 
 		// 8.  the token was issued within an acceptable timeframe (see Section 9.1), and
 
