Open quantumsheep opened 2 months ago
Maybe a trivial question, but can't you do this logic inside the keyfunc? You have access to the *Token which has been parsed (but not validated) up to this point. You can then fetch the secret and then return it. This is basically what libraries such as https://github.com/MicahParks/keyfunc do.
I sometimes only parse the JWT to speed up the process when it comes from a fully trusted source (from internal code). I could duplicate some code to make it work but separating the functions costs nothing and fits my use-case.
We are extremely careful about introducing new public functions because we need to maintain them in a way that we cannot break their function signature for quite a long time (since we tend to stick with major versions for quite a while). So yes, separating these functions actually does cost something: the time of a maintainer ;)
We intentionally did not expose any of these functions to not confuse people who might not be as experienced as you and might be confused, whether a simple Parse is enough or if VerifyToken is also needed; probably further complicated through the fact that we also have now a "validator".
As a bare minimum this function needs a godoc string and we probably would need to have an additional thought about its function signature, because as I said before we need to stick with it for quite a while.
Any thoughts on this, @mfridman?
Yeah I'm okay with this. Needs a godoc comment though.
Hello!
I have this use-case where I want to parse the JWT, fetch the secret elsewhere and then verify the JWT.
The currently available functions force me to parse the JWT another time. I want to validate the token, not parse it again.
Thanks,
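The parse-once, fetch-the-secret, then-verify flow discussed in this thread, as an added standard-library sketch; it is not the library's code and not the VerifyToken function proposed here. The names `parsed`, `parseUnverified`, `verify`, `mac` and `b64`, the HS256 algorithm, the `kid` header and the sample key are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// parsed is the result of the single parse; input is "<header>.<payload>" as received.
type parsed struct {
	Alg, Kid, input string
	sig             []byte
}

func mac(secret []byte, input string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// parseUnverified decodes once so the caller can read Kid and fetch the secret; nothing is trusted yet.
func parseUnverified(raw string) (*parsed, error) {
	p := strings.Split(raw, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdr, herr := b64.DecodeString(p[0])
	sig, serr := b64.DecodeString(p[2])
	t := &parsed{input: p[0] + "." + p[1], sig: sig}
	if herr != nil || serr != nil || json.Unmarshal(hdr, t) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	return t, nil
}

// verify checks the already parsed token: pinned alg, non-empty key, constant-time compare.
func verify(t *parsed, secret []byte) bool {
	return t.Alg == "HS256" && len(secret) > 0 && hmac.Equal(mac(secret, t.input), t.sig)
}

func main() {
	key := []byte("constructed-secret") // constructed sample; stands in for the secret fetched elsewhere
	in := b64.EncodeToString([]byte(`{"alg":"HS256","kid":"k1"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"demo"}`))
	t, err := parseUnverified(in + "." + b64.EncodeToString(mac(key, in)))
	fmt.Println(t.Kid, err, verify(t, key)) // k1 <nil> true
}
```

The `len(secret) > 0` check matters when the secret lookup misses: a nil key is still a valid HMAC key, so without it a token signed with an empty key would pass.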