firebase · bshaffer · Oct 4, 2023 · Apr 20, 2020 · Apr 20, 2020 · Apr 20, 2020
diff --git a/src/BeforeValidException.php b/src/BeforeValidException.php
@@ -2,6 +2,17 @@
 
 namespace Firebase\JWT;
 
-class BeforeValidException extends \UnexpectedValueException
+class BeforeValidException extends \UnexpectedValueException implements JWTExceptionInterface
 {
+    private object $payload;
+
+    public function setPayload(object $payload): void
+    {
+        $this->payload = $payload;
+    }
+
+    public function getPayload(): object
+    {
+        return $this->payload;
+    }
 }
diff --git a/src/ExpiredException.php b/src/ExpiredException.php
@@ -2,6 +2,17 @@
 
 namespace Firebase\JWT;
 
-class ExpiredException extends \UnexpectedValueException
+class ExpiredException extends \UnexpectedValueException implements JWTExceptionInterface
 {
+    private object $payload;
+
+    public function setPayload(object $payload): void
+    {
+        $this->payload = $payload;
+    }
+
+    public function getPayload(): object
+    {
+        return $this->payload;
+    }
 }
diff --git a/src/JWT.php b/src/JWT.php
@@ -147,29 +147,37 @@ public static function decode(
             $sig = self::signatureToDER($sig);
         }
         if (!self::verify("{$headb64}.{$bodyb64}", $sig, $key->getKeyMaterial(), $header->alg)) {
-            throw new SignatureInvalidException('Signature verification failed');
+            $ex = new SignatureInvalidException('Signature verification failed');
+            $ex->setPayload($payload);
+            throw $ex;
         }
 
         // Check the nbf if it is defined. This is the time that the
         // token can actually be used. If it's not yet that time, abort.
         if (isset($payload->nbf) && $payload->nbf > ($timestamp + static::$leeway)) {
-            throw new BeforeValidException(
+            $ex = new BeforeValidException(
                 'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->nbf)
             );
+            $ex->setPayload($payload);
+            throw $ex;
         }
 
         // Check that this token has been created before 'now'. This prevents
         // using tokens that have been created for later use (and haven't
         // correctly used the nbf claim).
         if (!isset($payload->nbf) && isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
-            throw new BeforeValidException(
+            $ex = new BeforeValidException(
                 'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat)
             );
+            $ex->setPayload($payload);
+            throw $ex;
         }
 
         // Check if this token has expired.
         if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {
-            throw new ExpiredException('Expired token');
+            $ex = new ExpiredException('Expired token');
+            $ex->setPayload($payload);
+            throw $ex;
         }
 
         return $payload;

diff --git a/src/JWTExceptionInterface.php b/src/JWTExceptionInterface.php
@@ -0,0 +1,20 @@
+<?php
+namespace Firebase\JWT;
+
+interface JWTExceptionInterface
+{
+    /**
+     * Get the payload that caused this exception.
+     *
+     * @return object
+     */
+    public function getPayload(): object;
+
+    /**
+     * Get the payload that caused this exception.
+     *
+     * @param object $payload
+     * @return void
+     */
+    public function setPayload(object $payload): void;
+}
diff --git a/src/SignatureInvalidException.php b/src/SignatureInvalidException.php
@@ -2,6 +2,17 @@
 
 namespace Firebase\JWT;
 
-class SignatureInvalidException extends \UnexpectedValueException
+class SignatureInvalidException extends \UnexpectedValueException implements JWTExceptionInterface
 {
+    private object $payload;
+
+    public function setPayload(object $payload): void
+    {
+        $this->payload = $payload;
+    }
+
+    public function getPayload(): object
+    {
+        return $this->payload;
+    }
 }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
@@ -103,6 +103,57 @@ public function testExpiredTokenWithLeeway()
         JWT::$leeway = 0;
     }
 
+    public function testExpiredExceptionPayload()
+    {
+        $this->expectException(ExpiredException::class);
+        $payload = [
+            'message' => 'abc',
+            'exp' => time() - 100, // time in the past
+        ];
+        $encoded = JWT::encode($payload, 'my_key', 'HS256');
+        try {
+            JWT::decode($encoded, new Key('my_key', 'HS256'));
+        } catch (ExpiredException $e) {
+            $exceptionPayload = (array) $e->getPayload();
+            $this->assertEquals($exceptionPayload, $payload);
+            throw $e;
+        }
+    }
+
+    public function testBeforeValidExceptionPayload()
+    {
+        $this->expectException(BeforeValidException::class);
+        $payload = [
+            'message' => 'abc',
+            'iat' => time() + 100, // time in the future
+        ];
+        $encoded = JWT::encode($payload, 'my_key', 'HS256');
+        try {
+            JWT::decode($encoded, new Key('my_key', 'HS256'));
+        } catch (BeforeValidException $e) {
+            $exceptionPayload = (array) $e->getPayload();
+            $this->assertEquals($exceptionPayload, $payload);
+            throw $e;
+        }
+    }
+
+    public function testSignatureInvalidExceptionPayload()
+    {
+        $payload = [
+            'message' => 'abc',
+            'exp' => time() + 20, // time in the future
+        ];
+        $encoded = JWT::encode($payload, 'my_key', 'HS256');
+        $this->expectException(SignatureInvalidException::class);
+        try {
+            JWT::decode($encoded, new Key('my_key2', 'HS256'));
+        } catch (SignatureInvalidException $e) {
+            $exceptionPayload = (array) $e->getPayload();
+            $this->assertEquals($exceptionPayload, $payload);
+            throw $e;
+        }
+    }
+
     public function testValidTokenWithNbf()
     {
         $payload = [