jti detection on stripped uri without query params

ylebre · ylebre · commit f5fa8941c417 · 2025-06-06T11:08:14.000+02:00
diff --git a/src/Utils/DPop.php b/src/Utils/DPop.php
@@ -323,7 +323,7 @@ public function validateDpop($dpop, $request) {
 		// 	   parts,
 
                 $requestedPath = (string)$request->getUri();
-                $requestedPath = preg_replace("/[?#].*$/", "", $requestedPath);
+                $requestedPath = preg_replace("/[?#].*$/", "", $requestedPath); // Used in htu and jti check;
                 $htuClean = preg_replace("/[?#].*$/", "", $htu);
                 // error_log("REQUESTED HTU $htu");
                 // error_log("REQUESTED HTU cleaned $htuClean");
@@ -346,7 +346,7 @@ public function validateDpop($dpop, $request) {
 		if ($jti === null) {
 			throw new InvalidTokenException("jti is missing");
 		}
-		$isJtiValid = $this->jtiValidator->validate($jti, (string) $request->getUri());
+		$isJtiValid = $this->jtiValidator->validate($jti, $requestedPath);
 		if (! $isJtiValid) {
 			throw new InvalidTokenException("jti is invalid");
 		}
