Closed pnehrer closed 4 years ago
No, you can just use dangerous_unsafe_decode, which is the same thing but it won't support alg: none
This is the workaround I used to decode Firebase Emulator tokens.
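```rust
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
use serde::de::DeserializeOwned;

// base64url of {"alg":"RS256","typ":"JWT"}, substituted for the token's own header
const DEBUG_JWT_HEADER: &str = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9";

// Method of the poster's own verifier type (its impl block and VerificationError are not shown)
pub fn verify<T: DeserializeOwned>(&self, token: &str) -> Result<T, VerificationError> {
    // Overwrite the header segment so the token claims RS256
    let mut v: Vec<&str> = token.splitn(3, '.').collect();
    v[0] = DEBUG_JWT_HEADER;
    let token = v.join(".");

    // Signature, audience and expiry checks are all switched off
    let mut validation = Validation::new(Algorithm::RS256);
    validation.insecure_disable_signature_validation();
    validation.validate_aud = false;
    validation.validate_exp = false;

    // Empty placeholder key; signature validation is disabled above
    let key = DecodingKey::from_secret(&[]);
    let claims = decode::<T>(&token, &key, &validation)
        .map_err(|_| VerificationError::InvalidToken)?
        .claims;
    Ok(claims)
}
```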
Would it be possible to support Unsecured JWT, with "alg":"none" as per spec?
I could submit a PR if you're open to that. Thanks!
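As an added example (not code from this thread or from the jsonwebtoken crate), here is a std-only sketch of reading an Unsecured JWT as described in RFC 7519 section 6 behind an explicit opt-in, so the `alg: none` path cannot be reached unless the caller asks for it. The names `decode_unsecured`, `UnsecuredError`, `emulator_mode` and the sample token are assumptions made for illustration.

```rust
// Added example, std only. All names here are hypothetical, not jsonwebtoken APIs.
#[derive(Debug, PartialEq)]
pub enum UnsecuredError { Disabled, Malformed, NotAlgNone, HasSignature }

// Constructed sample: header {"alg":"none","typ":"JWT"}, payload {"sub":"u1"}, empty signature.
pub const SAMPLE: &str = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ1MSJ9.";

// Minimal unpadded base64url decoder (RFC 4648 section 5).
fn b64url(input: &str) -> Option<Vec<u8>> {
    if input.len() % 4 == 1 { return None; }
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

// Returns the claims JSON of an Unsecured JWT, but only when the caller opted in.
pub fn decode_unsecured(token: &str, emulator_mode: bool) -> Result<String, UnsecuredError> {
    if !emulator_mode { return Err(UnsecuredError::Disabled); }
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 { return Err(UnsecuredError::Malformed); }
    let text = |seg: &str| {
        b64url(seg).and_then(|b| String::from_utf8(b).ok()).ok_or(UnsecuredError::Malformed)
    };
    let header: String = text(parts[0])?.split_whitespace().collect();
    // Simplification: substring match on the header instead of a JSON parser.
    if !header.contains("\"alg\":\"none\"") { return Err(UnsecuredError::NotAlgNone); }
    // An Unsecured JWT must carry an empty signature segment.
    if !parts[2].is_empty() { return Err(UnsecuredError::HasSignature); }
    text(parts[1])
}

fn main() { println!("{:?}", decode_unsecured(SAMPLE, true)); }
```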