Comments (7)
Looks like I forgot to update the docs :(
from jsonwebtoken.
Although it is interesting in terms of UX what should be done there. We want good, secure defaults for the decoding so it should probably validate those by default if possible, meaning the api of v4 was better despite the buggy implementation (#51).
I'll think about it over the next couple of days but it looks like this needs to be re-done and it is a breaking change :(
I'll welcome any input on it, here are the things I would also like to change:
- add a default small leeway instead of 0, around 3-5s maybe? Some libraries even default it to 1min (https://github.com/square/go-jose/blob/v2/jwt/validation.go#L22)
- iat check: it seems that the spec (https://tools.ietf.org/html/rfc7519#section-4.1.6) does not mention that it should be validated (jpadilla/pyjwt#190 for some discussions) so we can probably remove it completely for validation. So a token with an `iat` of 2042-10-10 is supposed to be legit if there is no `nbf` somehow.
Probably a few other things but it's already a good start.
from jsonwebtoken.
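The time-claim rules sketched in the comment above (check `exp` and `nbf` with a small leeway, reject a malformed `exp`, do not validate `iat`), written out as an added Rust example; this is not the crate's own code, and the 5 s leeway is an assumed value from the suggested 3-5 s range:

```rust
/// A registered time claim as it comes out of the parsed payload: missing,
/// a valid NumericDate (seconds since the epoch), or present but not numeric.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Claim { Absent, Seconds(u64), Malformed }

#[derive(Debug, PartialEq)]
pub enum TimeError { Expired, NotYetValid, MissingExp, MalformedExp, MalformedNbf }

/// Policy from the thread: small leeway (5 s here, an assumed value from the
/// suggested 3-5 s range), exp required by default, iat never validated.
pub struct TimePolicy {
    pub leeway_secs: u64,
    pub require_exp: bool,
}

impl Default for TimePolicy {
    fn default() -> Self {
        TimePolicy { leeway_secs: 5, require_exp: true }
    }
}

/// Check the time claims against `now` (seconds since the epoch).
/// `iat` is accepted unconditionally: RFC 7519 does not ask for it to be
/// validated, so an iat in 2042 passes as long as exp and nbf are in order.
pub fn check_time_claims(
    exp: Claim, nbf: Claim, _iat: Claim, now: u64, p: &TimePolicy,
) -> Result<(), TimeError> {
    match exp {
        // Present but unparseable is a hard failure, never a pass.
        Claim::Malformed => return Err(TimeError::MalformedExp),
        Claim::Absent if p.require_exp => return Err(TimeError::MissingExp),
        // Saturating add: a huge exp must not overflow and panic.
        Claim::Seconds(e) if e.saturating_add(p.leeway_secs) < now => {
            return Err(TimeError::Expired)
        }
        _ => {}
    }
    match nbf {
        Claim::Malformed => Err(TimeError::MalformedNbf),
        // Token becomes usable up to `leeway` seconds before nbf.
        Claim::Seconds(n) if n > now.saturating_add(p.leeway_secs) => {
            Err(TimeError::NotYetValid)
        }
        _ => Ok(()),
    }
}
```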
Ah I also don't remember why Validation:algorithm is a vec sadly...
from jsonwebtoken.
There may be cases where multiple validation algorithms are used, but it's only secure if they are paired with their keys.
from jsonwebtoken.
Yes that's in the spec but I thought I changed that before, weird. Will be fixed in the next version
from jsonwebtoken.
`iat` validation removed for now, will open another issue to discuss the rest
from jsonwebtoken.
I think the validation issues are fixed in v6 so closing it
from jsonwebtoken.
Related Issues (20)
- `validate_exp` should also reject tokens that contain a `exp` field but that can not be parsed
- src/pem as a separate crate? HOT 1
- Invalid signature HOT 1
- InvalidKeyFomat when using private.pem file
- Create Dummy Instances of Error HOT 2
- Could someone take a look: I set the generated token's validity to 30 seconds, so why can it still be decoded after 30 seconds have passed? HOT 6
- Question: expected audience in validation but not encoded in the JWT seems a valid option HOT 6
- Feature Request: encryption of jsonwebtoken HOT 1
- Support algorithm: `none` HOT 1
- Validation: `required_spec_claims` HashSet should use a non-allocating value type. HOT 1
- Validation: Allow validation of custom claims HOT 1
- validation.rs panics due to improper exp while calculating less_then window/leeway HOT 5
- Feature request: optionally use aws-lc-rs instead of ring HOT 7
- Add `ES256K` algorithm HOT 1
- exp field reported as missing when present but of wrong type
- Help regarding decoding key and validating. HOT 3
- Decode JWT without signature verification? HOT 3
- Is there a way to derive the public key from the private key for ECDSA keys? HOT 1
- Failure to Verify EdDSA Signature from DER Public Key, Succeeds in PEM HOT 2
- Help for maintenance