Validation defaults for iat and nbf conflicts with documentation about jsonwebtoken HOT 7 CLOSED

Looks like I forgot to update the docs :(

from jsonwebtoken.

Although it is interesting in terms of UX what should be done there. We want good, secure defaults for the decoding so it should probably validate those by default if possible, meaning the api of v4 was better despite the buggy implementation (#51).

I'll think about it over the next couple of days but it looks like this needs to be re-done and it is a breaking change :(
I'll welcome any input on it, here are the things I would also like to change:

• add a default small leeway instead of 0, around 3-5s maybe? Some libraries event default it to 1min (https://github.com/square/go-jose/blob/v2/jwt/validation.go#L22)
• iat check: it seems that the spec (https://tools.ietf.org/html/rfc7519#section-4.1.6) does not mention that it should be validated (jpadilla/pyjwt#190 for some discussions) so we can probably remove it completely for validation. So a token with an iat of 2042-10-10 is supposed to be legit if there is no nbf somehow.

Probably a few other things but it's already a good start.

from jsonwebtoken.

Ah I also don't remember why Validation:algorithm is a vec sadly...

from jsonwebtoken.

There may be cases where there are multiple validation algorithms are used, but it's only secure if they are paired with their keys.

from jsonwebtoken.

Yes that's in the spec but I thought I changed that before, weird. Will be fixed in the next version

from jsonwebtoken.

iat validation removed for now, will open another issue to discuss the rest

from jsonwebtoken.

I think the validation issues are fixed in v6 so closing it

from jsonwebtoken.