Closed jasonvmiller closed 2 years ago
@jasonvmiller Thank you for your comment. Based on the PASETO spec, neither token fields nor validators are required: https://github.com/paragonie/paseto/blob/master/docs/03-Implementation-Guide/02-Validators.md. You can use validators (https://godoc.org/github.com/o1egl/paseto#Validator) to add custom checks. By default, IssuedAt, NotBefore and Expiration field validation runs if the validators list is empty and the corresponding fields are not empty. To force this validator to run, you need to explicitly specify it in the parameters: https://godoc.org/github.com/o1egl/paseto#JSONToken.Validate
I'm open to any contribution to this project. Feel free to make PRs :wink:
Given that PASETO is designed for "Resistance to Implementation Error / Misuse", I'm surprised the examples don't cover calling `JSONToken.Validate`, nor does `JSONToken.UnmarshalJSON` do this on its own. The documentation does indicate that the standard claims are optional, which would mean that calling the default set of validation functions during `JSONToken.Unmarshal` might break the current usage patterns for some people. That said, the documented usage goes through the trouble of setting an `Expiration` that is never verified.

This isn't too hard to fix, but I was curious if the maintainers are open to something more intrusive (breaking use of `JSONToken` without an `Expiration` and `NotBefore` date, and ensuring `UnmarshalJSON` checks this) to prevent mistakes, or if just updating the documentation would be preferable. Wanted to open this issue for discussion.
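The two patterns discussed in this thread, side by side, as an added example that is not part of the issue, the maintainer's reply, or the o1egl/paseto code base. It is a stand-alone, standard-library-only model of the behaviour described above: a `Token` type standing in for `JSONToken`, a `Validator` func type, a `ValidAt` check that only tests the time claims that are present (so a token with no `exp` passes), a `Validate` method that falls back to the wall-clock time checks when called with no validators, and a hypothetical `RequireTimeClaims` validator implementing the stricter policy the issue proposes. `ParseOnly` shows the pitfall (unmarshal succeeds on an expired token and nothing complains); `ParseAndValidate` shows the corrected call sequence. The payloads are constructed samples, not real PASETO tokens, and all names here are assumptions of this example rather than the library's API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ErrTokenValidation is wrapped by every validator in this example.
var ErrTokenValidation = errors.New("token validation error")

// Token holds the registered claims this example cares about. It is a stand-in
// for the library's JSONToken, not the real type; the point is that
// json.Unmarshal fills the fields and checks nothing.
type Token struct {
	Issuer     string    `json:"iss,omitempty"`
	Subject    string    `json:"sub,omitempty"`
	IssuedAt   time.Time `json:"iat,omitempty"`
	NotBefore  time.Time `json:"nbf,omitempty"`
	Expiration time.Time `json:"exp,omitempty"`
}

// Validator is one check over a parsed token (hypothetical, in the style of a
// func taking the token and returning an error).
type Validator func(*Token) error

// ValidAt checks iat, nbf and exp against the supplied clock. Each claim is only
// checked when present, which is why a token without exp passes by default.
func ValidAt(now time.Time) Validator {
	return func(t *Token) error {
		if !t.IssuedAt.IsZero() && now.Before(t.IssuedAt) {
			return fmt.Errorf("%w: issued in the future", ErrTokenValidation)
		}
		if !t.NotBefore.IsZero() && now.Before(t.NotBefore) {
			return fmt.Errorf("%w: not yet valid", ErrTokenValidation)
		}
		if !t.Expiration.IsZero() && now.After(t.Expiration) {
			return fmt.Errorf("%w: expired", ErrTokenValidation)
		}
		return nil
	}
}

// IssuedBy is a custom check of the kind the maintainer suggests adding.
func IssuedBy(issuer string) Validator {
	return func(t *Token) error {
		if t.Issuer != issuer {
			return fmt.Errorf("%w: unexpected issuer %q", ErrTokenValidation, t.Issuer)
		}
		return nil
	}
}

// RequireTimeClaims is the stricter, opt-in policy the issue proposes: a token
// with no exp or nbf is rejected instead of being silently accepted.
func RequireTimeClaims() Validator {
	return func(t *Token) error {
		if t.Expiration.IsZero() || t.NotBefore.IsZero() {
			return fmt.Errorf("%w: exp and nbf claims are required", ErrTokenValidation)
		}
		return nil
	}
}

// Validate runs the validators in order. With an empty list it falls back to
// the time checks against the wall clock, as the maintainer describes.
func (t *Token) Validate(validators ...Validator) error {
	if len(validators) == 0 {
		validators = []Validator{ValidAt(time.Now())}
	}
	for _, v := range validators {
		if err := v(t); err != nil {
			return err
		}
	}
	return nil
}

// ParseOnly is the pattern the issue warns about: the claims are available,
// but nothing has verified exp or nbf.
func ParseOnly(payload []byte) (*Token, error) {
	var t Token
	if err := json.Unmarshal(payload, &t); err != nil {
		return nil, err
	}
	return &t, nil
}

// ParseAndValidate is the corrected pattern: unmarshal, then run the chosen
// validators before trusting any claim.
func ParseAndValidate(payload []byte, now time.Time, issuer string) (*Token, error) {
	t, err := ParseOnly(payload)
	if err != nil {
		return nil, err
	}
	if err := t.Validate(ValidAt(now), IssuedBy(issuer), RequireTimeClaims()); err != nil {
		return nil, err
	}
	return t, nil
}

// Constructed sample payloads (not real tokens): one that expired on
// 2020-01-02, and one that carries no time claims at all.
const (
	ExpiredPayload  = `{"iss":"auth.example","sub":"alice","iat":"2020-01-01T00:00:00Z","nbf":"2020-01-01T00:00:00Z","exp":"2020-01-02T00:00:00Z"}`
	NoExpiryPayload = `{"iss":"auth.example","sub":"bob"}`
)

func main() {
	now := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)
	tok, _ := ParseOnly([]byte(ExpiredPayload))
	fmt.Println("ParseOnly accepted expired token for", tok.Subject)
	_, err := ParseAndValidate([]byte(ExpiredPayload), now, "auth.example")
	fmt.Println("ParseAndValidate:", err)
	_, err = ParseAndValidate([]byte(NoExpiryPayload), now, "auth.example")
	fmt.Println("ParseAndValidate (no exp):", err)
}
```

The clock is passed in rather than read inside `ParseAndValidate` so the expiry and not-before boundaries can be tested deterministically; in production the caller passes `time.Now()`.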