test(session): stabilise tampered-JWT-signature test

gjtorikian · gjtorikian · commit 4b84f49a611d · 2026-05-07T14:39:14.000-07:00
Flipping the last base64url char of the JWT signature could canonicalise
to the original bytes; flip a middle byte instead so the decoded
signature is deterministically different.
diff --git a/tests/SessionManagerTest.php b/tests/SessionManagerTest.php
@@ -210,10 +210,13 @@ public function testAuthenticateRejectsTamperedSignature(): void
             'exp' => time() + 3600,
         ]);
 
-        // Flip the last byte of the signature segment.
+        // Flip a byte in the middle of the signature segment so the base64
+        // decoder produces a clearly different signature. Avoids the trailing
+        // padding bits that base64url can canonicalise away.
         $parts = explode('.', $jwt);
         $sig = $parts[2];
-        $parts[2] = substr($sig, 0, -1) . ($sig[-1] === 'A' ? 'B' : 'A');
+        $mid = intdiv(strlen($sig), 2);
+        $parts[2] = substr($sig, 0, $mid) . ($sig[$mid] === 'A' ? 'B' : 'A') . substr($sig, $mid + 1);
         $tampered = implode('.', $parts);
 
         $sealed = SessionManager::sealSessionFromAuthResponse(
