paragonie / paseto

Platform-Agnostic Security Tokens

Home Page: https://paseto.io


Parser::parse(): Expiration check skipped if no other rules are defined

arokettu opened this issue · comments

There is an 'optimization' to skip validation if no rules are defined in parse():

paseto/src/Parser.php

Lines 467 to 470 in 46d19c1

if (!$skipValidation && !empty($this->rules)) {
    // Validate all of the rules that were specified:
    $this->validate($token, true);
}

but validate() adds the NotExpired rule implicitly:

paseto/src/Parser.php

Lines 662 to 665 in 46d19c1

if (!$this->nonExpiring) {
    // By default, we disallow expired tokens
    $rules[] = new NotExpired();
}

so the check gets skipped if no other rules are defined.

Proposal: remove the optimization and check only the boolean.
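To make the failure mode concrete, here is a small stand-alone PHP model of the two gates described in the report. It is an added example written for this page, not code from paragonie/paseto: ToyParser, its gateOnRules switch, the Rule interface, the simplified NotExpired class and the constructed claims array are all assumptions, and the real library's Parser has a different API. It assumes PHP 8.0 or newer. The only thing it reproduces from the report is the shape of the bug: validate() appends NotExpired itself, so a gate that also requires a non-empty rule list never reaches that implicit rule when the caller registered no explicit rules.

```php
<?php
declare(strict_types=1);

// Minimal stand-in for a validation rule (assumption, not the library's interface).
interface Rule
{
    public function isValid(array $claims): bool;
}

// Simplified NotExpired: rejects a payload whose 'exp' claim is missing or in the past.
final class NotExpired implements Rule
{
    public function __construct(private DateTimeImmutable $now) {}

    public function isValid(array $claims): bool
    {
        if (!isset($claims['exp'])) {
            return false; // without an expiration claim we cannot prove the token is still valid
        }
        return new DateTimeImmutable($claims['exp']) > $this->now;
    }
}

// Toy parser (assumption): $gateOnRules = true models the reported gate,
// $gateOnRules = false models the proposed fix (check only the boolean).
final class ToyParser
{
    /** @var Rule[] */
    private array $rules = [];
    private bool $nonExpiring = false;

    public function __construct(private DateTimeImmutable $now, private bool $gateOnRules) {}

    public function addRule(Rule $rule): static
    {
        $this->rules[] = $rule;
        return $this;
    }

    public function setNonExpiring(bool $flag): static
    {
        $this->nonExpiring = $flag;
        return $this;
    }

    // $claims plays the role of the already-decoded token payload.
    // Returns true when the payload passes validation (or validation was skipped).
    public function parse(array $claims, bool $skipValidation = false): bool
    {
        $shouldValidate = $this->gateOnRules
            ? (!$skipValidation && !empty($this->rules)) // reported gate: empty rule list short-circuits
            : !$skipValidation;                          // fixed gate: boolean only
        if ($shouldValidate) {
            return $this->validate($claims);
        }
        return true;
    }

    private function validate(array $claims): bool
    {
        $rules = $this->rules;
        if (!$this->nonExpiring) {
            // Implicit rule, appended inside validate() as in the report, so it is
            // invisible to any "are there rules?" check performed by the caller.
            $rules[] = new NotExpired($this->now);
        }
        foreach ($rules as $rule) {
            if (!$rule->isValid($claims)) {
                return false;
            }
        }
        return true;
    }
}

// Constructed sample: a payload that expired one day before the fixed "now".
$now = new DateTimeImmutable('2024-01-01T12:00:00Z');
$expiredClaims = ['sub' => 'alice', 'exp' => '2023-12-31T12:00:00Z'];

$reported = new ToyParser($now, gateOnRules: true);
$fixed    = new ToyParser($now, gateOnRules: false);

printf("reported gate, no explicit rules: %s\n", $reported->parse($expiredClaims) ? 'ACCEPTED' : 'rejected');
printf("fixed gate,    no explicit rules: %s\n", $fixed->parse($expiredClaims) ? 'ACCEPTED' : 'rejected');
```

With no explicit rules registered, the parser using the reported gate never calls validate(), so the expired payload is accepted; the parser using the boolean-only gate reaches the implicit NotExpired rule and rejects it. Adding any explicit rule to the first parser makes both behave the same, which is why the gap is easy to miss in tests that always register at least one rule.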

Yep, good catch!