From 35c2b39e79e6f3520ccdae8694b5f8f968e36844 Mon Sep 17 00:00:00 2001
From: Martin Schanzenbach
Date: Tue, 5 Jan 2021 15:58:39 +0900
Subject: fix
---
 snippets/oidc-woocommerce.php | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
(limited to 'snippets/oidc-woocommerce.php')
diff --git a/snippets/oidc-woocommerce.php b/snippets/oidc-woocommerce.php
index 0ce5ddb..64bc5fc 100644
--- a/snippets/oidc-woocommerce.php
+++ b/snippets/oidc-woocommerce.php
@@ -93,11 +93,12 @@ function get_claim( $claimname, $userinfo, &$claimvalue ) {
 if ( ! array_key_exists( $claimname, $claim_src_ptr ) ) {
 return False;
 }
- $src = $claim_src_ptr[$claimname];
+ $src_name = $claim_src_ptr[$claimname];
 //Reference found, but no corresponding JWT. This is a malformed userinfo
- if ( ! array_key_exists( $src, $userinfo['_claim_sources']) ) {
+ if ( ! array_key_exists( $src_name, $userinfo['_claim_sources']) ) {
 return False;
 }
+ $src = $userinfo['_claim_sources'][$src_name];
 //Source claim is not a JWT. Abort.
 if ( ! array_key_exists( 'JWT', $src ) ) {
 return False;
@@ -107,14 +108,17 @@ function get_claim( $claimname, $userinfo, &$claimvalue ) {
 * FIXME: We probably want to verify the JWT signature/issuer here!
 */
 $jwt = $src['JWT'];
- list ($header, $body, $rest) = split('.', $jwt, 3);
- $body_decoded = base64_decode ( $body, false );
- if ( ( isset ( $body_decoded ) ) &&
- ( array_key_exists( $claimname, $body_decoded ) ) ) {
- $claimvalue = $body_decoded[$claimname];
- return True;
+ list ($header, $body, $rest) = explode('.', $jwt, 3);
+ $body_str = base64_decode ( $body, false );
+ $body_json = json_decode ($body_str, True);
+ if ( !isset ( $body_json ) ) {
+ return False;
+ }
+ if ( !array_key_exists( $claimname, $body_json ) ) {
+ return False;
 }
- return False;
+ $claimvalue = $body_json[$claimname];
+ return True;
 }
 
 /**
-- 
cgit v1.2.3
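Review bot: `$src` is now read from `$userinfo['_claim_sources'][$src_name]`, but nothing checks that it is an array before `array_key_exists( 'JWT', $src )`. A userinfo response whose claim source is a string or number would raise a TypeError on PHP 8 instead of returning False; guard it with `if ( ! is_array( $src ) || ! array_key_exists( 'JWT', $src ) ) { return False; }`. The same gap is in the second hunk, where `isset ( $body_json )` only rules out null although `json_decode` can return a scalar for a payload that is valid JSON but not an object, so `if ( ! is_array( $body_json ) ) { return False; }` is the safer test there. get_claim starts and ends outside this hunk.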
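Review bot: `base64_decode ( $body, false )` decodes the standard base64 alphabet, but JWT segments are base64url-encoded, so in non-strict mode any `-` or `_` in the payload is silently discarded and the result then fails or mis-decodes in `json_decode`. Translate the alphabet first, for example `$body_str = base64_decode( strtr( $body, '-_', '+/' ) );`. `explode('.', $jwt, 3)` can also return fewer than three parts for a malformed token, which leaves `$body` null in the `list()` assignment, so the part count should be checked before destructuring. The FIXME in this hunk's context still applies: the value written to `$claimvalue` comes from a JWT whose signature and issuer are not verified, so callers should treat it as unauthenticated data until that check exists.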