Closed aidantwoods closed 2 years ago
Looking at the history of this file, I'm a little confused. https://github.com/paragonie/paseto/pull/118 seems to have been opened and merged, where the only change was to introduce this bug?

`IdentifiedBy` should be checking the `jti` claim (the comment even says so!). Whereas `IssuedBy` is for checking the `iss` claim.

Currently the `IdentifiedBy` validator is checking `iss` and not the `jti` claim.

Security implications, but very unlikely to lead to an issue in practice. Only if an implementation somehow deploys code not noticing this check fails for valid tokens (i.e. `iss` and `jti` are the same or some other strange logic that causes `jti` to only be sometimes checked).
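Added illustration of the claim mix-up described in this issue, written as a stand-alone Python model rather than paragonie/paseto's own PHP code: a `Token` stand-in with constructed claims, the rule as the issue describes it (reading `iss`) beside the corrected rule (reading `jti`), so both consequences named above are visible, a valid token being rejected and a token whose `iss` equals the expected `jti` being accepted. Class and method names are assumptions modelled loosely on the library's rule interface, not its API.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Token:
    """Constructed stand-in for a parsed PASETO payload (claims only)."""
    claims: dict = field(default_factory=dict)

    def get_issuer(self) -> str:
        return self.claims.get("iss", "")

    def get_jti(self) -> str:
        return self.claims.get("jti", "")


class IdentifiedByBuggy:
    """Reproduces the defect from the issue: reads `iss` while meant to check `jti`."""

    def __init__(self, jti: str) -> None:
        self.jti = jti

    def perform_validation(self, token: Token) -> bool:
        # Wrong claim: compares the expected token id against the issuer.
        return hmac.compare_digest(self.jti, token.get_issuer())


class IdentifiedByFixed:
    """Corrected rule: compares the expected id against the `jti` claim."""

    def __init__(self, jti: str) -> None:
        self.jti = jti

    def perform_validation(self, token: Token) -> bool:
        # Constant-time comparison against the claim the rule is named for.
        return hmac.compare_digest(self.jti, token.get_jti())


def compare_rules(token: Token, expected_jti: str) -> dict:
    """Run both variants on one token so the two outcomes can be contrasted."""
    return {
        "buggy": IdentifiedByBuggy(expected_jti).perform_validation(token),
        "fixed": IdentifiedByFixed(expected_jti).perform_validation(token),
    }


if __name__ == "__main__":
    # Constructed sample: a legitimate token from an issuer with its own jti.
    print(compare_rules(Token({"iss": "auth.example", "jti": "tok-123"}), "tok-123"))
```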