validate_public_token requires PasetoPublicKey(->Ed25519KeyPair)

[dkull]

Describe the bug validate_public_token requires PasetoPublicKey. Which in turn wraps Ed25519KeyPair. It is not possible to create Ed25519KeyPair when only in possession of an &[u8] public key. For comparison paseto::v2::public::verify_paseto takes the public key as an &[u8], which is what I would expect from validate_public_token also.

Expected behavior I would expect validate_public_token to take argument public_key: &[u8], instead of the current public_key: PasetoPublicKey (which actually requires a private key to be present). Maybe split the method into separate implementations for V1 and V2?

[Mythra]

Hey @dkull ,

The "nicer" token interface was definitely with the idea of a backend that had an idea of all the secrets. That being said I do agree, we should change the token interface to accept a public key. I'll get working on this.

In the meantime if this is a big issue for you, you can use the "raw" interfaces with do accept &[u8]:

V2: https://github.com/instructure/paseto/blob/master/src/v2/public.rs#L46 V1: https://github.com/instructure/paseto/blob/master/src/v1/public.rs#L57

However please note these will not do any validation of exp/iat, etc. It only validates the payload was signed. So if you need to do those validations you'll want to make sure to do those.

[dkull]

Hi, Yes I am currently using the payload validation method, and implemented my own exp/aud validation. But It would be awesome I could do all of the validation out of the box. Thanks for taking this on!

[Mythra]

Hey @dkull so sorry for the delay here. We got ownership figured out. I’ll be cutting a release tonight that will include the fix.

Thank you so much for your contribution!

[Mythra]

And released as 1.0.6!