Add a method to decode a token without signature validation #49
Conversation
src/lib.rs
Outdated
/// // Claims is a struct that implements Deserialize
/// let token_data = dangerous_unsafe_decode::<Claims>(&token, &Validation::new(Algorithm::HS256));
/// ```
pub fn dangerous_unsafe_decode<T: DeserializeOwned>(token: &str, validation: &Validation) -> Result<TokenData<T>> {
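Review bot: the signature `dangerous_unsafe_decode(token, validation)` on the last line takes a `Validation` although the function never verifies the signature, so a reader of the doc example may assume the returned claims have been checked. If the parameter stays, the doc comment should say explicitly that the `TokenData` it returns is unverified; otherwise drop the parameter so the signature matches the behaviour.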
If you just want to decode it, do you even care about other validation? It could just take the token.
@Keats I'll leave it up to you. I left these in to match 1.x/2.x behavior, but I could see all validations going away. I don't have a strong preference for either
The only use case for that fn is if you just want to see the data, so doing the validation seems overkill. Remove it and I'll merge + release.
Alright, makes sense. Updated now. Thanks!
src/lib.rs
Outdated
/// ```rust,ignore
/// #[macro_use]
/// extern crate serde_derive;
/// use jsonwebtoken::{dangerous_unsave_decode, Validation, Algorithm};
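Review bot: `dangerous_unsave_decode` in the `use` line does not match the function name `dangerous_unsafe_decode`, and because the block is marked `rust,ignore` rustdoc will not compile it, so `cargo test` would not catch the typo. Fix the spelling, and consider `rust,no_run` (which still type-checks the example) if the snippet cannot execute as a doctest.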
unsave -> unsafe
src/lib.rs
Outdated
if !validation.algorithms.contains(&header.alg) {
    return Err(ErrorKind::InvalidAlgorithm.into());
}
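Review bot: the `alg` check here compares a value read from the unverified header against `validation.algorithms`, so it can only reject tokens; it never establishes that the stated algorithm was actually used, and returning `ErrorKind::InvalidAlgorithm` from a function that skips the signature check risks being read as validation having happened. Either remove the check together with the `validation` parameter, as suggested above, or document that header fields are untrusted input at this point.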
As mentioned above, if you're not checking the signature is it worth doing any kind of validation?
- Solves Keats#48
- `dangerous_unsafe_decode`
- No docs (aside from cargo) since people probably shouldn't use it
Per #48, a new method should be added to decode a token without validating the signature. This is labelled as unsafe, since it definitely is. It solves my use case for jwt-cli, where the secret is generally not known.
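The behaviour this PR adds, shown as an added stdlib-only Python illustration rather than the crate's own code: `dangerous_unsafe_decode` splits the token and base64url-decodes the header and claims without touching the signature, while `decode_hs256` performs the verified decode for comparison. The secret, claims and the `replace_claims_keep_signature` helper are constructed for the demo; the helper exists only to show that an unverified decode happily returns claims that a verified decode rejects, which is why the function is named "dangerous".

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; not a value from the PR or the crate.
DEMO_SECRET = b"demo-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """JWT segments use base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT strips, then decode."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Mint a signed HS256 token so the demo has something to decode."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(_compact_json(p)) for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def dangerous_unsafe_decode(token: str) -> tuple:
    """Parse header and claims WITHOUT checking the signature.

    Everything returned here is attacker-controlled until a verified decode
    confirms it. Use it only to inspect a token (e.g. read `alg` or `kid`
    before choosing a key), never to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    header_b64, claims_b64, _sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    return header, claims


def hs256_signature_valid(token: str, secret: bytes) -> bool:
    """Constant-time HMAC check over the header.claims signing input."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False  # the token must not get to choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def decode_hs256(token: str, secret: bytes) -> dict:
    """Verified decode: refuse to return claims unless the signature checks out."""
    if not hs256_signature_valid(token, secret):
        raise ValueError("invalid signature")
    return dangerous_unsafe_decode(token)[1]


def replace_claims_keep_signature(token: str, new_claims: dict) -> str:
    """Demo helper (constructed): swap the claims segment, keep the old signature.

    The result still parses with dangerous_unsafe_decode but fails decode_hs256,
    which is exactly the gap a caller must understand before using the former.
    """
    header_b64, _old_claims, sig_b64 = token.split(".")
    return ".".join([header_b64, b64url_encode(_compact_json(new_claims)), sig_b64])


if __name__ == "__main__":
    token = encode_hs256({"sub": "alice", "admin": False}, DEMO_SECRET)
    print("unverified:", dangerous_unsafe_decode(token))
    print("verified:  ", decode_hs256(token, DEMO_SECRET))
    modified = replace_claims_keep_signature(token, {"sub": "alice", "admin": True})
    print("unverified decode of modified token:", dangerous_unsafe_decode(modified)[1])
    print("signature still valid?", hs256_signature_valid(modified, DEMO_SECRET))
```

The design point matches the review discussion above: an unverified decode has no business taking a `Validation`, because nothing it returns can be validated. Treat its output as untrusted input that may guide which key to fetch, then call the verifying decode before acting on any claim.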