forked from liquidz/clj-jwt
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Validating an unsigned token with a key should be false.
If the token supplied to the `verify` function has a signature which is an empty-string, the key is ignored, presuming that the token is unsigned and that the calling code is not interested in ensuring the token has been signed. If the calling code is trying to verify that the token was signed with their secret key, it is possible for a completely unsigned token to be accepted as valid. This patch adds a check to ensure that if the token is unsigned, but a non-empty key was supplied to `validate`, then the token is considered to not be valid.
Shane Kilkelly committed Sep 13, 2014
1 parent a17fe62, commit d07210c
Showing 2 changed files with 6 additions and 1 deletion.
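The check the commit message describes, as an added Python sketch (not code from clj-jwt or from this commit). The function names, the key and the sample tokens are constructed for illustration, and HS256 is assumed as the signing algorithm.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = b"") -> str:
    """Build a compact JWT: HS256 when a key is given, unsigned otherwise."""
    header = {"typ": "JWT", "alg": "HS256" if key else "none"}
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode()))
    sig = ""
    if key:
        sig = b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + sig

def _signature_ok(signing_input: str, sig: str, key: bytes) -> bool:
    expected = b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    # Constant-time comparison on bytes, so odd characters in sig cannot raise.
    return hmac.compare_digest(expected.encode(), sig.encode())

def verify_before(token: str, key: bytes = b"") -> bool:
    """Behaviour described as the bug: an empty signature skips the key."""
    signing_input, _, sig = token.rpartition(".")
    if sig == "":
        return True  # the supplied key is never consulted
    return _signature_ok(signing_input, sig, key)

def verify_after(token: str, key: bytes = b"") -> bool:
    """Behaviour described as the fix: unsigned is valid only without a key."""
    signing_input, _, sig = token.rpartition(".")
    if sig == "":
        return key == b""  # caller asked for a key check, token has no signature
    return _signature_ok(signing_input, sig, key)

# Constructed sample data, not taken from the repository.
KEY = b"constructed-demo-key"
SIGNED = make_token({"sub": "alice"}, KEY)
UNSIGNED = make_token({"sub": "alice"})

if __name__ == "__main__":
    for name, fn in (("before", verify_before), ("after", verify_after)):
        print(name, "unsigned+key:", fn(UNSIGNED, KEY), "signed+key:", fn(SIGNED, KEY))
```

A regression test for this class of bug should assert both directions: the unsigned token is rejected when a key is passed, and a correctly signed token still verifies.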