o1egl / paseto

Platform-Agnostic Security Tokens implementation in GO (Golang)
MIT License
833 stars · 34 forks

SECURITY: Examples, default usage, `JSONToken` fail to check `Expiration`, `NotBefore` by default. #22

Closed jasonvmiller closed 2 years ago

jasonvmiller commented 4 years ago

Given that PASETO is designed for "Resistance to Implementation Error / Misuse", I'm surprised the examples don't cover calling JSONToken.Validate, nor does JSONToken.UnmarshalJSON do this on its own.

The documentation does indicate that the standard claims are optional, which would mean that calling the default set of validation functions during JSONToken.Unmarshal might break the current usage patterns for some people. That said, the documented usage goes through the trouble of setting an Expiration that is never verified.

This isn't too hard to fix, but I was curious if the maintainers are open to something more intrusive (breaking use of JSONToken without an Expiration, and NotBefore date, and ensuring UnmarshalJSON checks this) to prevent mistakes, or if just updating the documentation would be preferable.

Wanted to open this issue for discussion.

o1egl commented 4 years ago

@jasonvmiller Thank you for your comment. Based on the paseto spec, neither token fields nor validators are required: https://github.com/paragonie/paseto/blob/master/docs/03-Implementation-Guide/02-Validators.md. You can use validators (https://godoc.org/github.com/o1egl/paseto#Validator) to add custom checks. By default, IssuedAt, NotBefore and Expiration field validation runs if the validators list is empty and the corresponding fields are not empty. To force this validator to run, you need to explicitly specify it in the parameters: https://godoc.org/github.com/o1egl/paseto#JSONToken.Validate

I'm open to any contribution to this project. Feel free to make PRs :wink:
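As an added example, not code from the project, the following stand-alone Go model reproduces the behaviour discussed in this thread: decoding the claims never checks them, `Validate` with no validators falls back to the time-claim checks, and an explicitly supplied `ValidAt` validator pins the reference time. The `JSONToken` type, `ValidAt` and the sample payloads are constructed stand-ins for illustration, not the o1egl/paseto API.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// Constructed sample claim payloads (not real PASETO output): one long expired, one still valid.
const expiredClaims = `{"iat":"2020-01-01T00:00:00Z","exp":"2020-01-01T01:00:00Z"}`
const freshClaims = `{"exp":"2099-01-01T00:00:00Z"}`
// JSONToken is an illustrative stand-in for the library type; an absent claim decodes to zero time.
type JSONToken struct {
	IssuedAt   time.Time `json:"iat"`
	NotBefore  time.Time `json:"nbf"`
	Expiration time.Time `json:"exp"`
}
// Validator is one check applied to a decoded token.
type Validator func(t *JSONToken) error
// ValidAt checks iat, nbf and exp against a reference time, skipping absent (zero) claims.
func ValidAt(now time.Time) Validator {
	return func(t *JSONToken) error {
		switch {
		case !t.IssuedAt.IsZero() && now.Before(t.IssuedAt):
			return errors.New("token issued in the future")
		case !t.NotBefore.IsZero() && now.Before(t.NotBefore):
			return errors.New("token not yet valid")
		case !t.Expiration.IsZero() && !now.Before(t.Expiration):
			return errors.New("token expired")
		}
		return nil
	}
}
// Validate runs the given validators; with none it falls back to the time checks at now.
func (t *JSONToken) Validate(validators ...Validator) error {
	if len(validators) == 0 {
		validators = []Validator{ValidAt(time.Now())}
	}
	for _, v := range validators {
		if err := v(t); err != nil {
			return err
		}
	}
	return nil
}
// Decode only unmarshals: an expired payload is accepted without error; Validate is a separate explicit step.
func Decode(payload string) (*JSONToken, error) {
	tok := &JSONToken{}
	return tok, json.Unmarshal([]byte(payload), tok)
}
```

Decoding `expiredClaims` succeeds, `tok.Validate()` then returns "token expired", while `tok.Validate(ValidAt(...))` with a time inside the token's window passes.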