Add a method to decode a token without signature validation #49
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Keats
requested changes
Mar 6, 2018
src/lib.rs
Outdated
| /// // Claims is a struct that implements Deserialize | ||
| /// let token_data = dangerous_unsafe_decode::<Claims>(&token, &Validation::new(Algorithm::HS256)); | ||
| /// ``` | ||
| pub fn dangerous_unsafe_decode<T: DeserializeOwned>(token: &str, validation: &Validation) -> Result<TokenData<T>> { |
There was a problem hiding this comment.
if you just want to decode it, do you even care about other validation? It could just take the token
There was a problem hiding this comment.
@Keats I'll leave it up to you. I left these in to match 1.x/2.x behavior, but I could see all validations going away. I don't have a strong preference for either
There was a problem hiding this comment.
The only usecase for that fn is if you just want to see the data so doing the validation seems overkill. Remove it and I'll merge + release
There was a problem hiding this comment.
Alright, makes sense. Updated now. Thanks!
src/lib.rs
Outdated
| /// ```rust,ignore | ||
| /// #[macro_use] | ||
| /// extern crate serde_derive; | ||
| /// use jsonwebtoken::{dangerous_unsave_decode, Validation, Algorithm}; |
src/lib.rs
Outdated
|
|
||
| if !validation.algorithms.contains(&header.alg) { | ||
| return Err(ErrorKind::InvalidAlgorithm.into()); | ||
| } |
There was a problem hiding this comment.
As mentioned above, if you're not checking the signature is it worth doing any kind of validation?
- Solves Keats#48 - `dangerous_unsafe_decode` - No docs (aside from cargo) since people probably shouldn't use it
JadedBlueEyes
referenced
this pull request
in JadedBlueEyes/jsonwebtoken
Apr 13, 2023
Add a method to decode a token without signature validation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Per #48, a new method should be added to decode a token without validating the signature. This is labelled as unsafe, since it definitely is. It solves my use case for
jwt-cli, which the secret is generally not known.dangerous_unsafe_decode