From 211a613a089c812d45288d66c0de5906404dcaef Mon Sep 17 00:00:00 2001
From: Yvo Brevoort
Date: Mon, 26 May 2025 14:19:35 +0200
Subject: [PATCH] fix HTU comparison to skip fragments
---
src/Utils/DPop.php | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/Utils/DPop.php b/src/Utils/DPop.php
index 2e40ec0..fc4e846 100644
--- a/src/Utils/DPop.php
+++ b/src/Utils/DPop.php
@@ -321,14 +321,16 @@ public function validateDpop($dpop, $request) {
 // 7. the "htu" claims matches the HTTP URI value for the HTTP request
 // in which the JWT was received, ignoring any query and fragment
 // parts,
- $requestedPath = (string)$request->getUri();
- $requestedPath = preg_replace("/[?#].*$/", "", $requestedPath);
- //error_log("REQUESTED HTU $htu");
- //error_log("REQUESTED PATH $requestedPath");
- if ($htu != $requestedPath) {
- throw new InvalidTokenException("htu does not match requested path");
- }
+ $requestedPath = (string)$request->getUri();
+ $requestedPath = preg_replace("/[?#].*$/", "", $requestedPath);
+ $htuClean = preg_replace("/[?#].*$/", "", $htu);
+ // error_log("REQUESTED HTU $htu");
+ // error_log("REQUESTED HTU cleaned $htuClean");
+ // error_log("REQUESTED PATH $requestedPath");
+ if ($htuClean != $requestedPath) {
+ throw new InvalidTokenException("htu does not match requested path");
+ }
 // 8. the token was issued within an acceptable timeframe (see Section 9.1), and
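Review bot: The new check `if ($htuClean != $requestedPath) {` compares two strings with loose `!=`; for these operands the outcome is the same as strict comparison, but `!==` states the intent and rules out PHP's numeric-string coercion, so `if ($htuClean !== $requestedPath) {`. The hunk also keeps three commented-out `error_log` lines (one newly added) that echo the client-supplied `htu` claim; they are dead code, and re-enabling them later would write an attacker-controlled value straight into the log, so dropping them is safer than carrying them as comments. Neither side is normalized beyond stripping `?`/`#`, so a differently-cased scheme or host or an explicit default port in `htu` is rejected — that fails closed, but a comment such as `// Byte-exact comparison after stripping query/fragment; no RFC 3986 normalization (case, default port) is applied.` would make the accepted contract explicit. The body of `validateDpop` starts and ends outside the hunk.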