go-chi / jwtauth

JWT authentication middleware for Go HTTP services
MIT License
541 stars, 91 forks

TokenFromQuery is missing in Verifier #75

Closed MB175 closed 1 year ago

MB175 commented 1 year ago

https://github.com/go-chi/jwtauth/blob/c5c2c95d0a014f2bfdce5e0048bf6ea955c34525/jwtauth.go#L64

According to the function's doc comment, the verifier should search through URI query parameters.

However, the TokenFromQuery function is not called in the verifier:

// Verifier will search for a JWT token in a http request, in the order:
//   1. 'jwt' URI query parameter
//   2. 'Authorization: BEARER T' request header
//   3. Cookie 'jwt' value
MB175 commented 1 year ago

The README, on the other hand, describes the setup the code is currently in: https://github.com/go-chi/jwtauth/blob/c5c2c95d0a014f2bfdce5e0048bf6ea955c34525/README.md?plain=1#L24

1.  'Authorization: BEARER T' request header
2.  'jwt' Cookie value
MB175 commented 1 year ago

As far as my testing goes, adding TokenFromQuery performs fine for me. The big question is why it has been left out in the first place; it might come with a performance decrease when encountering bigger queries.

Maybe there should be a toggle.

pkieltyka commented 1 year ago

The docs may need to be updated. A JWT token via query param should never be used, as it's a security vulnerability, and only useful for rare debugging.

pkieltyka commented 1 year ago

closes this ticket https://github.com/go-chi/jwtauth/commit/36417065f8ced4a82f23f863ceaa9537664304be

MB175 commented 1 year ago

The docs may need to be updated. A JWT token via query param should never be used, as it's a security vulnerability, and only useful for rare debugging.

Okay, got it :D What exactly violates security at this point? In my use case it is helpful because I'm using a CustomChromeTab / SafariViewer on mobile devices, and I can't really set a cookie or header in Safari.

Technically, the URI is encrypted by HTTPS, so I'm curious why it could be insecure.

I can imagine it could be considered insecure because of browser history and stuff, right?
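The thread raises two points worth seeing in code: the toggle MB175 suggests, and why a token in the query string is treated differently from one in a header or cookie. A URL survives the TLS session that carried it: it is written to browser history, to server and proxy access logs, and, when the page links elsewhere, into the Referer header sent to that third party. A header or cookie value is not recorded in any of those places. The following Go example is added here as an illustration and is not jwtauth's code; the `Extractor` type, its fields and `Middleware` are hypothetical names chosen for the demo. It keeps the lookup order from the Verifier doc comment (query, then `Authorization: Bearer`, then cookie) but makes the query-string lookup opt-in and reports where the token came from, so a deployment that must accept query tokens (the in-app browser case above) can at least log and scope that path separately.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenSource records where a token was found, so handlers and audit logs
// can tell a query-string token apart from a header or cookie one.
type TokenSource string

const (
	SourceNone   TokenSource = ""
	SourceQuery  TokenSource = "query"
	SourceHeader TokenSource = "header"
	SourceCookie TokenSource = "cookie"
)

// Extractor is a hypothetical type (not jwtauth's Verifier). It searches in
// the order the Verifier doc comment lists, but the query-string lookup only
// runs when AllowQuery is set, because URLs end up in browser history,
// access logs and Referer headers.
type Extractor struct {
	AllowQuery bool   // opt-in; default false
	QueryParam string // e.g. "jwt"
	CookieName string // e.g. "jwt"
}

// tokenFromQuery returns the named query parameter, or "" if absent.
func tokenFromQuery(r *http.Request, name string) string {
	return r.URL.Query().Get(name)
}

// tokenFromHeader parses "Authorization: Bearer <token>" (scheme matched
// case-insensitively) and returns the token, or "" if absent.
func tokenFromHeader(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if len(h) > 7 && strings.EqualFold(h[:7], "BEARER ") {
		return strings.TrimSpace(h[7:])
	}
	return ""
}

// tokenFromCookie returns the named cookie's value, or "" if absent.
func tokenFromCookie(r *http.Request, name string) string {
	c, err := r.Cookie(name)
	if err != nil {
		return ""
	}
	return c.Value
}

// Token returns the first token found and the source it came from.
func (e Extractor) Token(r *http.Request) (string, TokenSource) {
	if e.AllowQuery {
		if t := tokenFromQuery(r, e.QueryParam); t != "" {
			return t, SourceQuery
		}
	}
	if t := tokenFromHeader(r); t != "" {
		return t, SourceHeader
	}
	if t := tokenFromCookie(r, e.CookieName); t != "" {
		return t, SourceCookie
	}
	return "", SourceNone
}

type ctxKey int

const tokenKey ctxKey = 0

// Middleware rejects requests that carry no token and otherwise stores the
// raw token in the request context. Signature and claim verification is
// left to the caller's JWT library and is deliberately not shown here.
func (e Extractor) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, src := e.Token(r)
		if tok == "" {
			http.Error(w, "missing token", http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-Token-Source", string(src)) // demo only
		ctx := context.WithValue(r.Context(), tokenKey, tok)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

func main() {
	// Constructed requests: with the default (query off) a token in the URL
	// is ignored and the request is rejected with 401.
	e := Extractor{QueryParam: "jwt", CookieName: "jwt"}
	h := e.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	for _, url := range []string{"/api", "/api?jwt=abc.def.ghi"} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", url, nil))
		fmt.Println(url, rec.Code, rec.Header().Get("X-Token-Source"))
	}
}
```

With `AllowQuery` left false, a request whose only token is `?jwt=...` is a 401, which is the behaviour the fixed docs describe. Turning it on restores the three-step order from the old doc comment, and the returned `TokenSource` lets the handler refuse sensitive operations, or issue a short-lived replacement, when the token arrived in the URL.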