Merge pull request #307 from bigcommerce/PHPMNT-347-fix-firebase-php-jwt

fix: PHPMNT-347 allow firebase/php-jwt ^7.0 to fix CVE-2025-45769

Author: TomA-R

composer.json

@@ -19,7 +19,7 @@
     ],
     "require": {
         "php": ">=8.1",
-        "firebase/php-jwt": "~5.0 || ~6.0",
+        "firebase/php-jwt": "~5.0 || ~6.0 || ^7.0",
         "ext-curl": "*"
     },
     "require-dev": {

test/Unit/Api/ClientTest.php

@@ -103,10 +103,11 @@ public function testGetLastErrorGetsErrorFromConnection()
 
     public function testGetCustomerLoginTokenReturnsValidLoginToken()
     {
-        Client::configureOAuth(['client_id' => '123', 'auth_token' => 'def', 'store_hash' => 'abc', 'client_secret' => 'zyx']);
+        $clientSecret = 'zyx-test-secret-key-that-is-long-enough-for-hs256';
+        Client::configureOAuth(['client_id' => '123', 'auth_token' => 'def', 'store_hash' => 'abc', 'client_secret' => $clientSecret]);
         $expectedPayload = ['iss' => '123', 'operation' => 'customer_login', 'store_hash' => 'abc', 'customer_id' => 1];
         $token = Client::getCustomerLoginToken(1);
-        $key = new \Firebase\JWT\Key('zyx', 'HS256');
+        $key = new \Firebase\JWT\Key($clientSecret, 'HS256');
         $actualPayload = (array)\Firebase\JWT\JWT::decode($token, $key);
         foreach ($expectedPayload as $value) {
             $this->assertContains($value, $actualPayload);