Closed malud closed 7 years ago
Thanks for the contribution. I haven't had a chance to look at it in detail but I can see already where the possible panic occurs. What about removing the check on token.Valid? Does an expired but otherwise cryptographically valid token also return an error? I haven't looked at the jwt-go source yet, but I'll take a look before merging this.
You are welcome. If the token is invalid, the error field is not nil and contains a ValidationError with the related error flag ValidationErrorSignatureInvalid. See https://github.com/dgrijalva/jwt-go/blob/master/parser.go#L122. There you can see that the error field is only nil if the token passed the validation.
Any news on this?
A panic occurs due to the Valid() method call on a non-initialized token object if the token signature is malformed.
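The failure mode discussed in this thread, as an added example that is not part of the original thread and is not jwt-go's code: a stand-in HS256 parser returns a nil token together with an error for malformed input, and the caller checks the error before reading `Valid`. The names `Token`, `sign`, `parse` and `authorized`, the key and the sample token are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Token is a constructed stand-in for a parsed JWT; it is not jwt-go's type.
type Token struct{ Valid bool }

// sign returns the base64url HS256 signature over "header.payload".
func sign(signingInput string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// parse reproduces the shape of the problem: malformed input yields a nil
// *Token plus an error, so the caller must not dereference the token.
func parse(raw string, key []byte) (*Token, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("token contains an invalid number of segments")
	}
	tok := &Token{}
	if !hmac.Equal([]byte(parts[2]), []byte(sign(parts[0]+"."+parts[1], key))) {
		return tok, errors.New("signature is invalid")
	}
	tok.Valid = true
	return tok, nil
}

// authorized checks err (and nil) first; reading tok.Valid before that check
// would be a nil pointer dereference, i.e. a panic, on malformed input.
func authorized(raw string, key []byte) bool {
	tok, err := parse(raw, key)
	if err != nil || tok == nil {
		return false
	}
	return tok.Valid
}

func main() {
	key, body := []byte("constructed-test-key"), "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0"
	fmt.Println(authorized(body+"."+sign(body, key), key), authorized("not-a-jwt", key))
}
```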