From 038ec716cd48142d36336718a6eaeed43359dd56 Mon Sep 17 00:00:00 2001
From: Matthew Owen-Jones
Date: Fri, 15 Aug 2025 23:28:27 +1000
Subject: [PATCH] Securely decode tokens

- Changed the way the cryptographic keys are retrieved to improve the security of consumers by no longer requiring access to remote files, so the setting can be disabled to prevent remote file inclusion, server-side request forgery, information disclosure and access control bypass
---
 lib/JWTClaims.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/JWTClaims.php b/lib/JWTClaims.php
index 8eb3429c..ceca4275 100644
--- a/lib/JWTClaims.php
+++ b/lib/JWTClaims.php
@@ -3,6 +3,7 @@
 use \Firebase\JWT\JWT;
 use \Firebase\JWT\JWK;
+use \GuzzleHttp\Client;
 
 class JWTClaims
 {
@@ -34,8 +35,9 @@ class JWTClaims
      * @return object $verifiedJWT
      */
     private function verify($token) {
-        $json = file_get_contents('https://identity.xero.com/.well-known/openid-configuration/jwks');
-        $jwks = json_decode($json, true);
+        $client = new Client();
+        $response = $client->get('https://identity.xero.com/.well-known/openid-configuration/jwks');
+        $jwks = json_decode($response->getBody()->getContents(), true);
         $supportedAlgorithm = (object) ['alg'=>['RS256','ES256']];
         $verifiedJWT = JWT::decode($token, JWK::parseKeySet($jwks), $supportedAlgorithm);
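Review bot: The added `use \GuzzleHttp\Client;` introduces a runtime dependency that this commit does not declare: the diffstat lists only lib/JWTClaims.php, so unless guzzlehttp/guzzle is already required in composer.json, consumers will get a class-not-found at the point verify() runs, which fails harder than the file_get_contents call it replaces. Declare the package in composer.json within the same change, and document the intent on the import with a comment such as `// HTTP client for fetching the issuer's JWKS so allow_url_fopen can remain disabled`. The Client imported here is constructed with default options in the following hunk, and Guzzle's defaults set no request timeout, so a slow or unreachable JWKS endpoint would stall every token verification; passing an explicit `timeout` option is worth considering, though that hunk continues past the end of this excerpt. The leading backslash on the new use statement is redundant but consistent with the two existing imports.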