Closed btielen closed 2 years ago
I think dangerous_insecure_decode_with_validation
and dangerous_insecure_decode
can be folded into a single function. We can add a Validation::none()
function that disables all validation and we have
// Equivalent to current `dangerous_insecure_decode`
dangerous_insecure_decode(token, &Validation::none());
// Equivalent to current `dangerous_insecure_decode_with_validation`
dangerous_insecure_decode(token, &Validation::default());
As for verify_signature
, it's now the same as calling decode
except the payload is decoded in decode
. I think we can mark this private.
@btielen can you have a look at https://github.com/Keats/jsonwebtoken/pull/199 ?
@Keats for what it's worth, the new API to replace dangerous_insecure_decode_with_validation
feels a little awkward to use as it involves explicit mutation of the Validation
(perhaps a fluent-interface style builder pattern would be better here?) and also passing a dummy DecodingKey
to decode
(perhaps this can be wrapped in an Option
?).
let algorithm = jsonwebtoken::decode_header(token)?.alg;
let mut validation = Validation::new(algorithm);
validation.insecure_disable_signature_validation();
Ok(jsonwebtoken::decode::<Self>(
token,
&DecodingKey::from_secret(&[]),
&validation,
)?
.claims)
In any case, thank you for your work on this useful library.
Yeah it's kind of a downside but I didn't feel like it was worth improving since it's not really something that should be done often.
perhaps a fluent-interface style builder pattern would be better here?
I'm not a fan of builders, would a ValidationBuilder
really be more elegant?
In any case, thank you for your work on this useful library.
Thanks!
The issue Thanks for all the work in this repository! When I first used the library it wasn't clear for me if the
decode
function would just decode or also check the signature and/or the expiration date. So I made an overview:This feels inconsistent to me.
Possible solution A solution could be to refactor the code and split the decoding/verification process. Something like
Consequences
I could help!