Fatal Error in Firebase\JWT\JWT.sign() - Key Must Be a String When Using HMAC

alpha_9ight · June 14

Hello Amazing Community,

I'm encountering a critical issue on my self-hosted Vanilla Forum when trying to send private messages to users. The following fatal error is raised:

Fatal Error in Firebase\JWT\JWT.sign();

key must be a string when using hmac

Details:

Environment:
- Vanilla Forum version: 2024.007
- PHP version: 8

Error Trace:

The error occurred on or near: /var/www/html/vendor/firebase/php-jwt/src/JWT.php

229:         list($function, $algorithm) = static::$supported_algs[$alg];

230:         switch ($function) {

231:             case 'hash_hmac':

232:                 if (!\is_string($key)) {

233:                     throw new InvalidArgumentException('key must be a string when using hmac');

234:                 }

235:                 return \hash_hmac($algorithm, $msg, $key, true);

236:             case 'openssl':

237:                 $signature = '';

Backtrace:

[/var/www/html/vendor/firebase/php-jwt/src/JWT.php:203] Firebase\JWT\JWT::sign();

[/var/www/html/applications/dashboard/models/class.activitymodel.php:1401] Firebase\JWT\JWT::encode();

[/var/www/html/applications/dashboard/models/class.activitymodel.php:1261] ActivityModel->getUnsubscribeLink();

[/var/www/html/applications/dashboard/models/class.activitymodel.php:2113] ActivityModel->email();

[/var/www/html/applications/dashboard/models/class.activitymodel.php:2510] ActivityModel->save();

[/var/www/html/applications/conversations/models/class.conversationsmodel.php:196] ActivityModel->saveQueue();

[/var/www/html/applications/conversations/models/class.conversationmodel.php:787] ConversationsModel->notifyUsers();

[/var/www/html/library/core/class.form.php:3122] ConversationModel->save();

[/var/www/html/applications/conversations/controllers/class.messagescontroller.php:116] Gdn_Form->save();

[/var/www/html/library/core/class.dispatcher.php:1036] MessagesController->add();

[/var/www/html/library/core/class.dispatcher.php:397] Gdn_Dispatcher->dispatchController();

[/var/www/html/index.php:36] Gdn_Dispatcher->dispatch();

It seems that the key being used for HMAC signing is not a string. I have traced the issue to line 232 in JWT.php, where the sign method expects the key to be a string.

Can anyone provide guidance on ensuring the key is always a string in the appropriate parts of the Vanilla Forum codebase? Is there a more permanent fix that can be applied to the source?

Thank you for your assistance!