Closed dkull closed 4 years ago
Hey @dkull ,
The "nicer" token interface was definitely with the idea of a backend that had an idea of all the secrets. That being said I do agree, we should change the token interface to accept a public key. I'll get working on this.
In the meantime if this is a big issue for you, you can use the "raw" interfaces with do accept &[u8]:
V2: https://github.com/instructure/paseto/blob/master/src/v2/public.rs#L46 V1: https://github.com/instructure/paseto/blob/master/src/v1/public.rs#L57
However please note these will not do any validation of exp
/iat
, etc. It only validates the payload was signed. So if you need to do those validations you'll want to make sure to do those.
Hi, Yes I am currently using the payload validation method, and implemented my own exp/aud validation. But It would be awesome I could do all of the validation out of the box. Thanks for taking this on!
Hey @dkull so sorry for the delay here. We got ownership figured out. I’ll be cutting a release tonight that will include the fix.
Thank you so much for your contribution!
And released as 1.0.6!
Describe the bug
validate_public_token
requiresPasetoPublicKey
. Which in turn wrapsEd25519KeyPair
. It is not possible to createEd25519KeyPair
when only in possession of an&[u8]
public key. For comparisonpaseto::v2::public::verify_paseto
takes the public key as an&[u8]
, which is what I would expect fromvalidate_public_token
also.Expected behavior I would expect
validate_public_token
to take argumentpublic_key: &[u8]
, instead of the currentpublic_key: PasetoPublicKey
(which actually requires a private key to be present). Maybe split the method into separate implementations for V1 and V2?