Closed se77en closed 8 years ago
Excellent!
Thanks for this. Also, thanks for linting the code.
What are your thoughts on checking the signing alg every time there is a "ParseWithClaims"? Or maybe when a new auth token is being generated from the refresh token (and therefore, the refresh token is being parsed)?
According to Auth0's blog, an attacker can modify the request header. If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC secret key.
And also, the refresh token must be verified every time the auth token is expired.
Great, thanks for this!
Sorry, I hadn't seen that you were checking the alg when issuing a new auth token. Thanks for that.
Merged. Thanks again!
My pleasure, and this repo is easy to use and awesome~
Ref: Critical vulnerabilities in JSON Web Token libraries
The main changes: https://github.com/adam-hanna/jwt-auth/pull/4/files#diff-6f8ed8d198ab9102a6690c6b49d249c6R330
Plus `go fmt` code.