BTBurke / caddy-jwt

JWT middleware for the Caddy server
MIT License

fixed possible panic if token is malformed #12

Closed malud closed 7 years ago

malud commented 7 years ago

A panic occurs due to the Valid() method call on a non-initialized token object if the token signature is malformed.

BTBurke commented 7 years ago

Thanks for the contribution. I haven't had a chance to look at it in detail but I can see already where the possible panic occurs. What about removing the check on token.Valid? Does an expired but otherwise cryptographically valid token also return an error? I haven't looked at the jwt-go source yet, but I'll take a look before merging this.

malud commented 7 years ago

You are welcome. If the token is invalid the error field is not nil and contains a ValidationError with the related error flag ValidationErrorSignatureInvalid. See https://github.com/dgrijalva/jwt-go/blob/master/parser.go#L122. There you can see that the error field is only nil if the token passed the validation.
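A self-contained Go illustration of the failure mode this thread is about, added here as an example; it is not caddy-jwt's or jwt-go's code. A hypothetical minimal HS256 parser (parseHS256) stands in for jwt.Parse and keeps the contract malud describes: a token that cannot be parsed comes back uninitialized (nil here) together with an error, a bad signature comes back with Valid false and an error, and err is nil only when verification passed. The two authorize functions contrast reading Valid before err (the pre-fix pattern, which panics on a malformed token) with checking err first; the key and token segments are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Token stands in for jwt-go's *jwt.Token (hypothetical minimal type): Valid is set only after verification.
type Token struct{ Valid bool }

// hs256 returns the base64url-encoded HMAC-SHA256 tag over signingInput.
func hs256(signingInput string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// signHS256 joins already-encoded segments so the example can mint tokens offline.
func signHS256(header, payload string, key []byte) string {
	return header + "." + payload + "." + hs256(header+"."+payload, key)
}

// parseHS256 mirrors the jwt.Parse contract the thread relies on: malformed input
// gives a nil token plus an error; err is nil only when verification passed.
func parseHS256(raw string, key []byte) (*Token, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is malformed")
	}
	want := hs256(parts[0]+"."+parts[1], key)
	if !hmac.Equal([]byte(want), []byte(parts[2])) {
		return &Token{}, errors.New("signature is invalid") // token non-nil, Valid false
	}
	return &Token{Valid: true}, nil
}

// authorizeUnsafe reads Valid before err: a malformed token (nil *Token) panics here.
func authorizeUnsafe(raw string, key []byte) bool {
	token, err := parseHS256(raw, key)
	return token.Valid && err == nil
}

// authorizeSafe checks err first and only dereferences token when err is nil.
func authorizeSafe(raw string, key []byte) bool {
	token, err := parseHS256(raw, key)
	return err == nil && token != nil && token.Valid
}
```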

malud commented 7 years ago

Any news on this?