Closed. MB175 closed this 1 year ago.
ReadMe, on the other hand, is talking about the setup the code is currently in https://github.com/go-chi/jwtauth/blob/c5c2c95d0a014f2bfdce5e0048bf6ea955c34525/README.md?plain=1#L24
1. 'Authorization: BEARER T' request header
2. 'jwt' Cookie value
As far as my testing goes, adding TokenFromQuery performs fine for me. The big question is why it has been left out in the first place; it might come with a performance decrease when encountering bigger queries.
Maybe there should be a toggle.
The docs may need to be updated. JWT token via query param should never be used, as it's a security vulnerability, and only useful for rare debugging.
Okay, got it :D What exactly violates the security at this point? In my use case it is helpful because I'm using a CustomChromeTab / SafariViewer on mobile devices and I can't really set a cookie or header in Safari.
Technically, the URI is encrypted by HTTPS, so I'm curious why it could be insecure.
I can imagine it could be considered insecure because of browser history and stuff, right?
https://github.com/go-chi/jwtauth/blob/c5c2c95d0a014f2bfdce5e0048bf6ea955c34525/jwtauth.go#L64
According to the doc of the function, the verifier should search through URI query parameters. However, the TokenFromQuery function is not called in the verifier.
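As an added example (not jwtauth's own code), a stdlib-only sketch of the header-then-cookie finder chain the thread describes, plus a helper that masks a "jwt" query value before a URL is logged, which is the leak the comments above are worried about (access logs, browser history, Referer). The function names and the REDACTED marker are my own assumptions.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// tokenFromHeader mirrors the "Authorization: BEARER <token>" lookup.
func tokenFromHeader(r *http.Request) string {
	bearer := r.Header.Get("Authorization")
	if len(bearer) > 7 && strings.EqualFold(bearer[:7], "BEARER ") {
		return bearer[7:]
	}
	return ""
}

// tokenFromCookie mirrors the "jwt" cookie lookup.
func tokenFromCookie(r *http.Request) string {
	c, err := r.Cookie("jwt")
	if err != nil {
		return ""
	}
	return c.Value
}

// findToken runs the finders in order and returns the first non-empty result,
// the same composition a header-then-cookie verifier performs (no query lookup).
func findToken(r *http.Request, finders ...func(*http.Request) string) string {
	for _, f := range finders {
		if tok := f(r); tok != "" {
			return tok
		}
	}
	return ""
}

// redactedURL returns the URL with any "jwt" query value masked, so a token a
// client did put in the URL does not land verbatim in access logs (hypothetical helper).
func redactedURL(u *url.URL) string {
	q := u.Query()
	if q.Get("jwt") == "" {
		return u.String()
	}
	q.Set("jwt", "REDACTED")
	c := *u
	c.RawQuery = q.Encode()
	return c.String()
}
```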