Open carwyn opened 3 years ago
Should there even be a call to `jwt.Validate(...)` in `jwtauth.VerifyToken(...)`? (thinking out loud here)

Without setting parse or verify options or at least setting one of iat, exp or nbf or a claim passed in via `jwtauth.Encode(...)` it doesn't look like the call to `jwt.Validate(...)` in `jwtauth.VerifyToken(...)` will do anything?

If the user has to set something outside the `jwtauth` API via `jwtauth.Encode(...)` does it make more sense for them to also take responsibility for dealing with the `jwt.Validate(...)`?

The new underlying JWT library supports options for validation via `jwt.Validate(t Token, options ...ValidateOption)`, unfortunately this isn't exposed in `jwtauth`.

`jwtauth.Verifier(ja *JWTAuth)` calls down the verification stack until `jwtauth.VerifyToken(ja *JWTAuth, tokenString string)` where in the body there is a call to `jwt.Validate(t Token, options ...ValidateOption)`, unfortunately I can't see a way to alter these options from the jwtauth API though?

Meanwhile the `jwtauth.Authenticator(next http.Handler)` example also calls `jwt.Validate(...)` (i.e. a second call to this function in the request sequence) where obviously it's possible to add the validation options using a custom Authenticator.

Is the expectation that a second call to `jwt.Validate(...)` with or without options parameters will be needed in any custom Authenticator? It looks like if I could pass the options in I could avoid calling the function again.
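
A standard-library model of the behaviour raised in this issue, added here as an example and not code from the issue, jwtauth or the underlying JWT library: validation that only checks time claims when they are present accepts a token that has none, and only an explicit option closes that gap. `Claims`, `Option`, `RequireClaim` and `Validate` are hypothetical names, and the claim values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims is a constructed stand-in for a parsed JWT payload.
type Claims map[string]interface{}

// Option is a hypothetical validation option (not a jwx or jwtauth type).
type Option func(Claims) error

// RequireClaim rejects a token that does not carry the named claim.
func RequireClaim(name string) Option {
	return func(c Claims) error {
		if _, ok := c[name]; !ok {
			return fmt.Errorf("required claim %q missing", name)
		}
		return nil
	}
}

// Validate checks exp and nbf only when they are present (the behaviour the
// issue describes), then applies any caller-supplied options.
func Validate(c Claims, now time.Time, opts ...Option) error {
	if exp, ok := c["exp"].(int64); ok && !now.Before(time.Unix(exp, 0)) {
		return errors.New("token expired")
	}
	if nbf, ok := c["nbf"].(int64); ok && now.Before(time.Unix(nbf, 0)) {
		return errors.New("token not yet valid")
	}
	for _, opt := range opts {
		if err := opt(c); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	now := time.Unix(1700000000, 0)  // constructed clock value
	bare := Claims{"user_id": "123"} // no iat, exp or nbf set at encode time
	fmt.Println("no options:", Validate(bare, now))
	fmt.Println("exp required:", Validate(bare, now, RequireClaim("exp")))
}
```

With no options the bare token passes because there is nothing to check; requiring `exp` turns the same token into a rejection.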