Closed mistermoe closed 6 months ago
I'm curious, what are the cases where you needs access to claims before verifying? There's some higher precedence validation to do?
Actually I'm not sure we have run into that situation, @mistermoe am I forgetting something? I think this is a combination of things:
jws.Verify()
and jwt.Verify()
function return values were semantically equivalent
Overview
Collaborative effort with @KendallWeihe to split
Verify
into two distinct functionsDecode
andVerify
Rationale
we've run into multiple scenarios where we need to:
In order to access claims within a JWT the caller currently has to do this:
The above code ends up making it such that callers have to know more details than they have to about jwt details. further, if they've already verified the jwt, the claims are now being decoded twice.
Changes
In order to remedy the above, this PR splits decoding and verifying into two distinct steps while still providing a single function call if desired
JWT
Approach 1
This approach requires the caller to first decode the JWT, perform whatever business logic is needed and then optionally call verify when desired
Approach 2
This allows to caller to call verify and then decide to perform additional logic using the claims within a JWT depending on the result of verification
JWS
the
jws
API surface is identical tojwt
Approach 1
Approach 2