paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

Fix IdentifiedBy to check jti claim #151

Closed aidantwoods closed 2 years ago

aidantwoods commented 2 years ago

Currently the IdentifiedBy validator is checking iss and not the jti claim.

This has security implications, but it is very unlikely to lead to an issue in practice. It would only matter if an implementation somehow deploys code without noticing this check fails for valid tokens (i.e. iss and jti are the same, or some other strange logic that causes jti to only be sometimes checked).

aidantwoods commented 2 years ago

Looking at the history of this file, I'm a little confused. https://github.com/paragonie/paseto/pull/118 seems to have been opened and merged, where the only change was to introduce this bug?

IdentifiedBy should be checking the jti claim (the comment even says so!). Whereas IssuedBy is for checking the iss claim.
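The mix-up this PR fixes, as an added illustration in Python rather than the library's own PHP code: a "jti" rule that reads the "iss" claim rejects valid tokens and accepts a token whose jti is wrong whenever its iss happens to match. The class and field names, and the sample claims, are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Added illustration of the bug discussed in this PR; not paseto's own code.
# Rule names mirror the PR discussion, field names are assumed.


@dataclass
class BuggyIdentifiedBy:
    """The pre-fix behaviour: compares the expected jti against iss."""
    expected_jti: str

    def is_valid(self, claims: dict) -> bool:
        # Bug: reads the issuer claim instead of the token identifier.
        return claims.get("iss") == self.expected_jti


@dataclass
class IdentifiedBy:
    """The fixed rule: compares against the jti claim as intended."""
    expected_jti: str

    def is_valid(self, claims: dict) -> bool:
        return claims.get("jti") == self.expected_jti


@dataclass
class IssuedBy:
    """Issuer rule; this one was already checking the right claim."""
    expected_iss: str

    def is_valid(self, claims: dict) -> bool:
        return claims.get("iss") == self.expected_iss


def validate(claims: dict, rules) -> bool:
    """A token is accepted only if every rule passes."""
    return all(rule.is_valid(claims) for rule in rules)


# Constructed sample claim sets (not taken from the page).
VALID_TOKEN = {"iss": "auth.example", "jti": "token-123"}
WRONG_JTI = {"iss": "token-123", "jti": "other-id"}  # iss equals the expected jti


def demo() -> dict:
    buggy = [IssuedBy("auth.example"), BuggyIdentifiedBy("token-123")]
    fixed = [IssuedBy("auth.example"), IdentifiedBy("token-123")]
    return {
        "buggy_rejects_valid_token": not validate(VALID_TOKEN, buggy),
        "fixed_accepts_valid_token": validate(VALID_TOKEN, fixed),
        "buggy_rule_accepts_wrong_jti": BuggyIdentifiedBy("token-123").is_valid(WRONG_JTI),
        "fixed_rule_rejects_wrong_jti": not IdentifiedBy("token-123").is_valid(WRONG_JTI),
    }
```

Running `demo()` shows why the bug is mostly self-revealing: the buggy rule fails every normal token, so it only goes unnoticed where iss and jti coincide.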