fix: prevent scientific notation in timestamp on low-precision PHP en…#419
Open
mehmet-yoti wants to merge 3 commits into
Conversation
…vironments (#418)
On PHP FPM environments with non-default precision ini settings (≤12), casting a large float to string could produce scientific notation (e.g. 1.78E+12) instead of a plain integer, causing Yoti signature verification to fail with 401 MESSAGE_SIGNING.
Replace (string)(round(microtime(true) * 1000)) with sprintf('%.0F', microtime(true) * 1000) which forces a plain decimal string regardless of the precision ini setting, and drops the redundant round() since %.0F already rounds to zero decimal places.
Tests added to verify plain integer output under precision=12 and precision=8 (via @dataProvider), and to assert the timestamp falls within the correct Unix-millisecond range under low precision without masking scientific notation via an early (int) cast.
Fixes #417
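The precision-dependent conversion and the sprintf fix described in the commit above, as an added example in PHP that is not code from the PR or the Yoti SDK; SAMPLE_MS is a constructed millisecond timestamp and the helper function names are hypothetical:

```php
<?php
// Added example (not from the PR): shows why a (string) cast of a
// millisecond timestamp depends on the `precision` ini setting while
// sprintf('%.0F', ...) does not.
declare(strict_types=1);

// Constructed sample: a Unix-millisecond timestamp as a float, the
// shape microtime(true) * 1000 produces (13 integer digits).
const SAMPLE_MS = 1780000000123.0;

function legacyTimestamp(float $ms): string
{
    // Original form: the (string) cast honours the `precision` ini
    // setting and may emit E notation for 13-digit values.
    return (string) (round($ms));
}

function fixedTimestamp(float $ms): string
{
    // Fixed form: %.0F ignores `precision` and rounds to 0 decimals.
    return sprintf('%.0F', $ms);
}

function isPlainInteger(string $s): bool
{
    // A signature-safe timestamp must be digits only.
    return preg_match('/^\d+$/', $s) === 1;
}

$saved = ini_get('precision');
foreach ([14, 12, 8] as $precision) {
    if (ini_set('precision', (string) $precision) === false) {
        fwrite(STDERR, "runtime disallows changing the precision ini setting\n");
        exit(1);
    }
    $legacy = legacyTimestamp(SAMPLE_MS);
    $fixed  = fixedTimestamp(SAMPLE_MS);
    printf("precision=%-2d legacy=%-18s plain=%-3s fixed=%-14s plain=%s\n",
        $precision, $legacy, isPlainInteger($legacy) ? 'yes' : 'no',
        $fixed, isPlainInteger($fixed) ? 'yes' : 'no');
}
// Restore the caller's setting, cast to string defensively.
ini_set('precision', (string) $saved);
```

Under precision=12 and precision=8 the legacy column comes out in E notation and fails the digit-only check, while the sprintf form stays a plain integer string at every precision.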
Pull request overview
This PR addresses a timestamp formatting bug in SignedRequestStrategy::createQueryParams() where low precision ini settings can cause float-to-string conversion to emit scientific notation, breaking request signature verification.
Changes:
- Format the millisecond timestamp using sprintf('%.0F', microtime(true) * 1000) to force a plain integer string under low precision settings.
- Add PHPUnit coverage to assert the timestamp remains a digit-only integer string for low precision values and remains within the expected Unix-millisecond range.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/Http/AuthStrategy/SignedRequestStrategy.php | Changes timestamp generation to avoid scientific notation under low precision settings. |
| tests/Http/AuthStrategy/SignedRequestStrategyTest.php | Adds regression tests for low-precision timestamp formatting and validates Unix-millisecond range behavior. |
Add ini_set()/ini_get() failure checks with markTestSkipped() so tests are skipped rather than silently passing as false-positives when the runtime disallows changing the precision ini setting. Cast restored precision to string defensively. Remove : void return types from new test methods for consistency with the rest of the test file.
…idation Newer Guzzle 7.x patch versions reject relative URIs (e.g. '/') when no base_uri is configured, throwing InvalidArgumentException before the MockHandler is reached. Replace with an absolute URI so the mock handler intercepts correctly on all Guzzle 7.x versions.