Closed arokettu closed 2 years ago
There is an 'optimization' to skip validation if no rules are defined in parse():
https://github.com/paragonie/paseto/blob/46d19c106305c7cf30af029e48786bf269f2e754/src/Parser.php#L467-L470
but validate() adds NotExpired rule implicitly:
https://github.com/paragonie/paseto/blob/46d19c106305c7cf30af029e48786bf269f2e754/src/Parser.php#L662-L665
so the check gets skipped if no other rules are defined
Proposal: remove optimization, check only for the boolean
Yep, good catch!
paragonie-security
commented
2 years ago paragonie-security
commented
2 years ago
There is an 'optimization' to skip validation if no rules are defined in parse():
https://github.com/paragonie/paseto/blob/46d19c106305c7cf30af029e48786bf269f2e754/src/Parser.php#L467-L470
but validate() adds NotExpired rule implicitly:
https://github.com/paragonie/paseto/blob/46d19c106305c7cf30af029e48786bf269f2e754/src/Parser.php#L662-L665
so the check gets skipped if no other rules are defined
Proposal: remove optimization, check only for the boolean