golang-jwt / jwt

Go implementation of JSON Web Tokens (JWT).
https://golang-jwt.github.io/jwt/
MIT License

ParseUnverified godoc update #340

Closed duhaesbaert closed 1 year ago

duhaesbaert commented 1 year ago

This is sort of a nitpick on my side, but the godoc for ParseUnverified is the following:

// ParseUnverified parses the token but doesn't validate the signature.
//
// WARNING: Don't use this method unless you know what you're doing.
//
// It's only ever useful in cases where you know the signature is valid (because it has
// been checked previously in the stack) and you want to extract values from it.

The part that I would suggest changing is "because it has been checked previously in the stack"; that does not necessarily have to be true. For example, when receiving a JWT that will be validated after the parse has happened, we should be exposed to any risks as well.

So the godoc could be something like:

// ParseUnverified parses the token but doesn't validate the signature.
//
// WARNING: Don't use this method unless you know what you're doing.
//
// It's only ever useful in cases where you know the signature is valid (since it has already
// been or will be checked elsewhere in the stack) and you want to extract values from it.

Opening an issue to understand if that makes sense, and if so I can open this really short PR to fix as well.
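The distinction the godoc is trying to draw, as an added stand-alone example (this is not the library's code and does not call golang-jwt's API; it uses only the Go standard library, with hand-rolled `parseUnverified` and `parseVerified` helpers that mimic the two parse paths, a constructed HMAC key and constructed claims): a ParseUnverified-style parse returns attacker-rewritten claims without complaint, the verified path rejects the same token, and `peekThenVerify` shows the legitimate "will be checked elsewhere" use, where the unverified claims only select a key and nothing from them is trusted until the signature check has passed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the minimal claim set this example works with.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Admin   bool   `json:"admin"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// decodeSegment base64url-decodes one segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signHS256 mints a compact HS256 token (constructed helper, not the library's code).
func signHS256(c Claims, key []byte) string {
	payload, _ := json.Marshal(c) // Claims holds only plain fields, so Marshal cannot fail
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// parseUnverified mimics ParseUnverified: it decodes the claims without ever looking at the signature.
func parseUnverified(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("token must have three segments")
	}
	var c Claims
	err := decodeSegment(parts[1], &c)
	return c, err
}

// parseVerified is the safe counterpart: it recomputes the HMAC over header.payload with the
// server's own key and ignores the header's alg, so a client-chosen "none" cannot change what is checked.
func parseVerified(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("token must have three segments")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return Claims{}, fmt.Errorf("signature verification failed")
	}
	return parseUnverified(token)
}

// peekThenVerify is the "will be checked later" use: the unverified parse only selects a key by
// issuer, and the claims handed back come from parseVerified, so nothing unverified reaches the caller.
func peekThenVerify(token string, keysByIssuer map[string][]byte) (Claims, error) {
	peek, err := parseUnverified(token)
	if err != nil {
		return Claims{}, err
	}
	key, ok := keysByIssuer[peek.Issuer]
	if !ok {
		return Claims{}, fmt.Errorf("unknown issuer %q", peek.Issuer)
	}
	return parseVerified(token, key)
}

// forgeAdmin plays the attacker: rewrite the payload of a genuine, well-formed token, keep its old signature.
func forgeAdmin(token string) string {
	c, _ := parseUnverified(token)
	c.Admin = true
	payload, _ := json.Marshal(c)
	parts := strings.Split(token, ".")
	return parts[0] + "." + b64.EncodeToString(payload) + "." + parts[2]
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // constructed sample key
	tok := signHS256(Claims{Issuer: "auth.example", Subject: "alice"}, key)
	u, _ := parseUnverified(forgeAdmin(tok))
	_, err := peekThenVerify(forgeAdmin(tok), map[string][]byte{"auth.example": key})
	fmt.Println("forged token: unverified admin =", u.Admin, "| verified:", err)
}
```

The point for the godoc wording is visible in `peekThenVerify`: the unverified parse happens first and the signature check comes after it, yet the code is still safe because the only thing taken from the unverified result is a key lookup, and the claims returned to the caller are the ones produced after `hmac.Equal` succeeded. Any design that acts on the unverified claims themselves, whether the check was "previously" or "will be" done, is the case the WARNING exists for.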

oxisto commented 1 year ago

Looks fine to me, feel free to open a PR for this :)