Closed mfilej closed 2 years ago
I'm also worried that Paseto.Util might be considered private?
Yes, you're definitely digging a bit into the internals, but using v2 local makes it a bit weird like that. Since it's symmetric encryption, you can't peek into the contents.
With that said, what you're doing seems fine, it's just not the happy-path. The only caveat I would say (and sorry, this is going to sound like your dad telling you not to play with matches), is don't use anything other than that keyid in that token before you decrypt just to verify no client tampering--again, you probably know that, but I'm almost thirty and I suddenly feel compelled to say things like this.
Feel free to reopen if you have any further questions.
@Ianleeclark Thanks for answering! All good.
Let's say I generate a token with a footer:
I'm using the footer to carry the id of the key used to sign the message, so I need to be able to read the footer before I attempt to use parse_token/2. At the moment I'm using this code:
And it works fine, but I'm wondering if I'm doing the right thing since I have to base64-decode the footer myself? I'm also worried that Paseto.Util might be considered private?
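
The footer-first key selection discussed in this thread, as an added example that is not code from the original post or from the Paseto library. The module name `FooterKeyId`, the keyring map, the size limit and the key id values are assumptions, and the footer is assumed to hold a bare key id string.

```elixir
defmodule FooterKeyId do
  # Added example; module and function names are hypothetical.
  @max_footer_bytes 256

  # Returns the decoded footer of a PASETO token without touching the payload.
  # The result is untrusted until decryption with the selected key succeeds.
  def peek_footer(token) when is_binary(token) do
    case String.split(token, ".") do
      [_version, _purpose, _payload, footer] when footer != "" ->
        decode_footer(footer)

      [_version, _purpose, _payload] ->
        {:error, :no_footer}

      _ ->
        {:error, :malformed_token}
    end
  end

  defp decode_footer(footer) when byte_size(footer) > @max_footer_bytes,
    do: {:error, :footer_too_large}

  defp decode_footer(footer) do
    # PASETO segments are base64url without padding.
    case Base.url_decode64(footer, padding: false) do
      {:ok, raw} -> {:ok, raw}
      :error -> {:error, :bad_footer_encoding}
    end
  end

  # Uses the footer only as a lookup key into keys we already hold.
  def select_key(token, keyring) when is_map(keyring) do
    with {:ok, kid} <- peek_footer(token),
         {:ok, key} <- Map.fetch(keyring, kid) do
      {:ok, kid, key}
    else
      :error -> {:error, :unknown_key_id}
      {:error, _reason} = err -> err
    end
  end
end

# Constructed sample: placeholder payload and key, not a real ciphertext.
keyring = %{"key-2019-01" => :binary.copy(<<1>>, 32)}
enc = &Base.url_encode64(&1, padding: false)
token = "v2.local." <> enc.("constructed-payload") <> "." <> enc.("key-2019-01")
{:ok, "key-2019-01", _key} = FooterKeyId.select_key(token, keyring)
{:error, :unknown_key_id} = FooterKeyId.select_key("v2.local.AAAA." <> enc.("other-key"), keyring)
# On success, pass the token and the selected key to parse_token/2 as usual.
```

Because the footer is covered by the token's authentication tag, a footer that was altered in transit makes decryption with the selected key fail, so the key id is only a lookup hint until that step succeeds.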