From 6c8f5e7c7ca5a584c23878bc180b6927191422fb Mon Sep 17 00:00:00 2001 From: Sachin Bahukhandi Date: Fri, 12 May 2023 23:46:34 +0530 Subject: [PATCH 1/5] chore(docs): add missing imports for example in README (#507) --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f0382667..5b07aa7d 100644 --- a/README.md +++ b/README.md @@ -70,8 +70,8 @@ Example encode/decode headers Decoding the JWT headers without verifying the JWT first is NOT recommended, and is not supported by this library. This is because without verifying the JWT, the header values could have been tampered with. Any value pulled from an unverified header should be treated as if it could be any string sent in from an -attacker. If this is something you still want to do in your application for whatever reason, it's possible to -decode the header values manually simply by calling `json_decode` and `base64_decode` on the JWT +attacker. If this is something you still want to do in your application for whatever reason, it's possible to +decode the header values manually simply by calling `json_decode` and `base64_decode` on the JWT header part: ```php use Firebase\JWT\JWT; @@ -373,6 +373,8 @@ All exceptions in the `Firebase\JWT` namespace extend `UnexpectedValueException` like this: ```php +use Firebase\JWT\JWT; +use UnexpectedValueException; try { $decoded = JWT::decode($payload, $keys); } catch (LogicException $e) { From 398ccd25ea12fa84b9e4f1085d5ff448c21ec797 Mon Sep 17 00:00:00 2001 From: croensch Date: Tue, 23 May 2023 15:57:20 +0200 Subject: [PATCH 2/5] fix: only check iat if nbf is not used (#493) --- src/JWT.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/JWT.php b/src/JWT.php index c83ff099..7e190a3e 100644 --- a/src/JWT.php +++ b/src/JWT.php 
@@ -156,7 +156,7 @@ public static function decode( // Check that this token has been created before 'now'. This prevents // using tokens that have been created for later use (and haven't // correctly used the nbf claim). - if (isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) { + if (!isset($payload->nbf) && isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) { throw new BeforeValidException( 'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat) ); From fb85f47cfaeffdd94faf8defdf07164abcdad6c3 Mon Sep 17 00:00:00 2001 From: Pinchon Karim Date: Tue, 13 Jun 2023 18:35:01 +0200 Subject: [PATCH 3/5] feat: allow get headers when decoding token (#442) Co-authored-by: Vishwaraj Anand Co-authored-by: Brent Shaffer --- README.md | 6 ++++++ src/JWT.php | 7 ++++++- tests/JWTTest.php | 15 +++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5b07aa7d..f2cc5d03 100644 --- a/README.md +++ b/README.md @@ -45,8 +45,14 @@ $payload = [ */ $jwt = JWT::encode($payload, $key, 'HS256'); $decoded = JWT::decode($jwt, new Key($key, 'HS256')); +print_r($decoded); + +// Pass a stdClass in as the third parameter to get the decoded header values +$decoded = JWT::decode($jwt, new Key($key, 'HS256'), $headers = new stdClass()); +print_r($headers); print_r($decoded); +print_r($headers); /* NOTE: This will now be an object instead of an associative array. To get diff --git a/src/JWT.php b/src/JWT.php index 7e190a3e..7ffb9852 100644 --- a/src/JWT.php +++ b/src/JWT.php @@ -78,6 +78,7 @@ class JWT * Supported algorithms are 'ES384','ES256', * 'HS256', 'HS384', 'HS512', 'RS256', 'RS384' * and 'RS512'. + * @param stdClass $headers Optional. Populates stdClass with headers. * * @return stdClass The JWT's payload as a PHP object * 
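Review bot: The comment block directly above the changed condition still describes an unconditional check that the token was created before 'now', but the new `!isset($payload->nbf)` guard skips the `iat` check entirely whenever `nbf` is present, so the comment no longer matches the behaviour. Suggest adding a sentence such as `// When nbf is present it governs the earliest acceptance time, so a future iat is not rejected on its own.` so the next reader knows the skip is intentional (#493) rather than an oversight. A consequence worth recording is that a token carrying both `nbf` and an `iat` far in the future is now accepted as long as the `nbf` check (presumably a few lines above, outside this hunk) passes. decode() begins and ends outside the hunk.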
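Review bot: The new `@param stdClass $headers` line documents neither that the parameter is nullable nor that it is taken by reference, and "Populates stdClass with headers" is inaccurate: the later assignment `$headers = $header;` rebinds the caller's variable to the decoded header object rather than filling the object that was passed in. Suggest `@param stdClass|null $headers Optional. When a variable is passed (by reference), it is set to the decoded header object.` The same parameter is typed in the following signature hunk, which should agree with this docblock.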
@@ -94,7 +95,8 @@ class JWT */ public static function decode( string $jwt, - $keyOrKeyArray + $keyOrKeyArray, + stdClass &$headers = null ): stdClass { // Validate JWT $timestamp = \is_null(static::$timestamp) ? \time() : static::$timestamp; @@ -111,6 +113,9 @@ public static function decode( if (null === ($header = static::jsonDecode($headerRaw))) { throw new UnexpectedValueException('Invalid header encoding'); } + if ($headers !== null) { + $headers = $header; + } $payloadRaw = static::urlsafeB64Decode($bodyb64); if (null === ($payload = static::jsonDecode($payloadRaw))) { throw new UnexpectedValueException('Invalid claims encoding'); diff --git a/tests/JWTTest.php b/tests/JWTTest.php index a5721d98..7d49bf04 100644 --- a/tests/JWTTest.php +++ b/tests/JWTTest.php @@ -397,4 +397,19 @@ public function testEncodeDecodeWithResource() $this->assertSame('bar', $decoded->foo); } + + public function testGetHeaders() + { + $payload = [ + 'message' => 'abc', + 'exp' => time() + JWT::$leeway + 20, // time in the future + ]; + $headers = new stdClass(); + + $encoded = JWT::encode($payload, 'my_key', 'HS256'); + JWT::decode($encoded, new Key('my_key', 'HS256'), $headers); + + $this->assertEquals($headers->typ, 'JWT'); + $this->assertEquals($headers->alg, 'HS256'); + } } From dacbbfcb979ff545ba262eb8c4d9e95ff0ff2d20 Mon Sep 17 00:00:00 2001 From: Brent Shaffer Date: Tue, 13 Jun 2023 11:08:24 -0600 Subject: [PATCH 4/5] chore: update README --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index f2cc5d03..701de23a 100644 --- a/README.md +++ b/README.md @@ -51,9 +51,6 @@ print_r($decoded); $decoded = JWT::decode($jwt, new Key($key, 'HS256'), $headers = new stdClass()); print_r($headers); -print_r($decoded); -print_r($headers); - /* NOTE: This will now be an object instead of an associative array. To get an associative array, you will need to cast it as such: From 5a9cf79b4a2eb347230384648cc7b0d68cd97faa Mon Sep 17 00:00:00 2001 
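Review bot: `stdClass &$headers = null` relies on implicit nullability through the default value; PHP 8.4 deprecates that form and static analysers already flag it. Change the parameter to `?stdClass &$headers = null` so the nullable type is explicit and matches the `$headers !== null` test applied later in decode(). Only the decode() signature is visible in this hunk; its body continues outside it.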
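Review bot: `$headers = $header;` runs as soon as the header segment is decoded, which in this hunk is before the payload is decoded and, as far as I can tell, before the signature is verified further down in decode(). If decode() later throws (bad signature, expired token), the caller's `$headers` variable has still been rebound to values from a token that was never verified, which is exactly the situation the README's own warning about unverified headers describes. Move the assignment to just before the final `return $payload;` so `$headers` is only set on a successful decode, or state on the parameter's docblock that it may hold unverified values when decode() throws. The rest of decode() is outside this hunk.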
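Review bot: The two new assertions pass the actual value first and the expected value second (`$this->assertEquals($headers->typ, 'JWT')`), so a failure message would report the values the wrong way round; PHPUnit's parameter order is expected, then actual. Use `$this->assertSame('JWT', $headers->typ);` and `$this->assertSame('HS256', $headers->alg);`, which also check the type instead of loose equality. The test never asserts the shape of `$headers` after the call; `$this->assertInstanceOf(stdClass::class, $headers);` would pin the documented contract.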
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Tue, 13 Jun 2023 11:11:06 -0600 Subject: [PATCH 5/5] chore(main): release 6.6.0 (#511) --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35e97fe8..c74fd131 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,17 @@ # Changelog +## [6.6.0](https://github.com/firebase/php-jwt/compare/v6.5.0...v6.6.0) (2023-06-13) + + +### Features + +* allow get headers when decoding token ([#442](https://github.com/firebase/php-jwt/issues/442)) ([fb85f47](https://github.com/firebase/php-jwt/commit/fb85f47cfaeffdd94faf8defdf07164abcdad6c3)) + + +### Bug Fixes + +* only check iat if nbf is not used ([#493](https://github.com/firebase/php-jwt/issues/493)) ([398ccd2](https://github.com/firebase/php-jwt/commit/398ccd25ea12fa84b9e4f1085d5ff448c21ec797)) + ## [6.5.0](https://github.com/firebase/php-jwt/compare/v6.4.0...v6.5.0) (2023-05-12)