Keats / jsonwebtoken

JWT lib in rust
MIT License

Provide a better API for decoding a token without signature validation #401

Open tyilo opened 3 weeks ago

tyilo commented 3 weeks ago

Currently you have to use:

```rust
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};

// `Claims` is the caller's `Deserialize` struct and `token` the compact JWT string.

// Algorithm can be arbitrarily chosen: it is never consulted once signature
// validation is disabled.
let mut validation = Validation::new(Algorithm::RS256);
validation.insecure_disable_signature_validation();

// Key can be arbitrarily chosen: it is never used either.
let key = DecodingKey::from_secret(&[]);
let payload = decode::<Claims>(token, &key, &validation).unwrap();
```

I think the following API would be better:

```rust
let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::<Claims>(token, &validation).unwrap();
```

You avoid having to choose a random algorithm and decoding key that isn't ever used.

Keats commented 3 weeks ago

Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time, so I do not particularly care about making it user friendly.

tyilo commented 3 weeks ago

> Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time, so I do not particularly care about making it user friendly.

It is useful as a client using the token to be able to see what claims are inside the token. `exp` can be really useful.

Keats commented 2 weeks ago

Well, you can't really trust any of the things you see in the claims unless you validate the signature.

tyilo commented 2 weeks ago

> Well, you can't really trust any of the things you see in the claims unless you validate the signature.

Sure, but I'm the client. I don't have access to the server's secret key.
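The client-side "peek at `exp`" use case discussed in this thread, as an added example that is not jsonwebtoken's own code: the payload segment is base64url-decoded with no signature check, the result is returned as a distinct `UnverifiedClaims` type so it cannot be mistaken for verified claims, and its only consumer is a refresh-scheduling check. Everything is standard library only (hand-written base64url decoder, naive `"exp"` extraction); `SAMPLE` is a constructed token with a placeholder signature segment.

```rust
// Added example, not jsonwebtoken's own code: client-side peek at a JWT's
// payload with no signature check. Std-only; base64url decoder is hand-written.
/// Claims read without verification: usable to schedule a refresh around
/// `exp`, never for an authorization decision (the type makes that explicit).
#[derive(Debug, PartialEq)]
pub struct UnverifiedClaims {
    pub exp: Option<u64>,
}
fn base64url_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes().take_while(|&c| c != b'=') {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    Some(out)
}
/// Minimal numeric `"exp"` extraction; a real client would use serde_json.
fn extract_exp(payload: &str) -> Option<u64> {
    let rest = payload[payload.find("\"exp\"")? + 5..].trim_start().strip_prefix(':')?;
    let digits: String = rest.trim_start().chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}
/// Split the compact JWS `header.payload.signature` and read `exp` from the
/// payload. The signature segment is never looked at, hence `UnverifiedClaims`.
pub fn peek_unverified(token: &str) -> Option<UnverifiedClaims> {
    let mut parts = token.split('.');
    let (_header, payload, _signature) = (parts.next()?, parts.next()?, parts.next()?);
    if parts.next().is_some() {
        return None; // not a three-segment compact JWS
    }
    let json = String::from_utf8(base64url_decode(payload)?).ok()?;
    Some(UnverifiedClaims { exp: extract_exp(&json) })
}
/// The legitimate client-side use: refresh before the server would reject the
/// token. A missing `exp` means "refresh now"; `leeway` covers clock skew.
pub fn should_refresh(claims: &UnverifiedClaims, now: u64, leeway: u64) -> bool {
    claims.exp.map_or(true, |exp| exp <= now + leeway)
}
/// Constructed sample: header {"alg":"HS256"}, payload {"sub":"alice","exp":1700000000},
/// placeholder signature segment (never checked here).
pub const SAMPLE: &str = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImV4cCI6MTcwMDAwMDAwMH0.c2lnbmF0dXJl";
```

Anything that grants access still has to go through a full `decode` with a real key and `Validation`; `peek_unverified` exists only so the client can refresh in time.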