doc.go
55 lines (54 loc) · 2.59 KB
// Copyright 2015-present, Cyrill @ Schumacher.fm and the CoreStore contributors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package csjwt handles JSON web tokens.
//
// See README.md for more info.
// http://self-issued.info/docs/draft-jones-json-web-token.html
//
// Further reading: https://float-middle.com/json-web-tokens-jwt-vs-sessions/
// and http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
//
// https://news.ycombinator.com/item?id=11929267 => For people using JWT as a
// substitute for stateful sessions, how do you handle renewal (or revocation)?
//
// https://news.ycombinator.com/item?id=14290114 => Things to Use Instead of JSON Web Tokens (inburke.com)
// TL;DR: Refactor the library and strip out RSA/ECDSA/encoding/decoding into their own sub-packages.
//
// A new discussion: https://news.ycombinator.com/item?id=13865459 JSON Web
// Tokens should be avoided (paragonie.com)
//
// Headless JWT mode: https://dev.to/neilmadden/7-best-practices-for-json-web-tokens
//
// https://insomniasec.com/blog/auth0-jwt-validation-bypass
// maybe use https://github.com/o1egl/paseto instead of JWT
//
// TODO: Investigate security bugs: http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
// Critical Vulnerability Uncovered in JSON Encryption. Executive Summary: If
// you are using go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4j with
// ECDH-ES, please update to the latest version. This is an invalid curve
// attack against RFC 7516, JSON Web Encryption (JWE). It can allow an attacker
// to recover the secret key of a party using JWE with Key Agreement with
// Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES): the sender could
// extract the receiver's private key.
//
// https://news.ycombinator.com/item?id=14727252 =>
// https://github.com/shieldfy/API-Security-Checklist
//
// https://dadario.com.br/revoking-json-web-tokens/
//
// TODO(CyS) move RSA and ECDSA into their own subpackages ...
//
// TODO(CyS) Consider PAST (Platform-Agnostic Security Tokens)
// https://news.ycombinator.com/item?id=16070394 https://github.com/paragonie/past
package csjwt
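The invalid curve attack noted in the doc comment above works because a receiver that performs ECDH-ES key agreement on an attacker-supplied ephemeral public key (`epk`) without first checking that the point lies on the expected curve leaks information about its private key. The example below is added here and is not part of csjwt or any of the libraries named above: it models the `epk` JWE header member with a hypothetical `epk` struct, uses Go's `crypto/ecdh` (whose `NewPublicKey` rejects off-curve points) to validate the point before key agreement, and shows a constructed off-curve point being refused. The helper names (`parseEPK`, `sharedSecret`, `encodeEPK`, `invalidEPK`) are this example's own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// epk mirrors the "epk" (ephemeral public key) JWE header member used by
// ECDH-ES: a JWK carrying the curve name and base64url-encoded coordinates.
// Field names are this example's own, not csjwt's.
type epk struct {
	Crv string
	X   string
	Y   string
}

var errBadCurve = errors.New("epk: unsupported or missing crv")

// curveFor maps a JWK "crv" name to a crypto/ecdh curve and its coordinate
// size in bytes.
func curveFor(name string) (ecdh.Curve, int, error) {
	switch name {
	case "P-256":
		return ecdh.P256(), 32, nil
	case "P-384":
		return ecdh.P384(), 48, nil
	case "P-521":
		return ecdh.P521(), 66, nil
	}
	return nil, 0, errBadCurve
}

// parseEPK decodes the ephemeral public key and returns it only if the point
// satisfies the named curve's equation. crypto/ecdh's NewPublicKey performs
// that on-curve check, so a sender-chosen point from a small-order curve is
// rejected before it can reach the key-agreement step.
func parseEPK(k epk) (*ecdh.PublicKey, error) {
	curve, size, err := curveFor(k.Crv)
	if err != nil {
		return nil, err
	}
	x, err := base64.RawURLEncoding.DecodeString(k.X)
	if err != nil {
		return nil, fmt.Errorf("epk: bad x: %w", err)
	}
	y, err := base64.RawURLEncoding.DecodeString(k.Y)
	if err != nil {
		return nil, fmt.Errorf("epk: bad y: %w", err)
	}
	if len(x) != size || len(y) != size {
		return nil, fmt.Errorf("epk: coordinate lengths %d/%d, want %d", len(x), len(y), size)
	}
	// Uncompressed SEC 1 point encoding: 0x04 || X || Y.
	raw := append(append([]byte{0x04}, x...), y...)
	pub, err := curve.NewPublicKey(raw)
	if err != nil {
		return nil, fmt.Errorf("epk: point rejected: %w", err)
	}
	return pub, nil
}

// sharedSecret is the recipient side of ECDH-ES: validate the epk, make sure
// it lives on the same curve as the recipient's private key, then derive the
// raw shared secret Z (the Concat KDF step of JWE is out of scope here).
func sharedSecret(priv *ecdh.PrivateKey, k epk) ([]byte, error) {
	pub, err := parseEPK(k)
	if err != nil {
		return nil, err
	}
	if pub.Curve() != priv.Curve() {
		return nil, errors.New("epk: curve does not match recipient key")
	}
	return priv.ECDH(pub)
}

// encodeEPK is the sender side: split the uncompressed point into JWK
// coordinates.
func encodeEPK(crv string, pub *ecdh.PublicKey) epk {
	raw := pub.Bytes() // 0x04 || X || Y
	n := (len(raw) - 1) / 2
	return epk{
		Crv: crv,
		X:   base64.RawURLEncoding.EncodeToString(raw[1 : 1+n]),
		Y:   base64.RawURLEncoding.EncodeToString(raw[1+n:]),
	}
}

// invalidEPK is a constructed P-256 epk with coordinates (1, 1), which do not
// satisfy y^2 = x^3 - 3x + b; it stands in for an attacker-supplied point.
func invalidEPK() epk {
	one := make([]byte, 32)
	one[31] = 1
	enc := base64.RawURLEncoding.EncodeToString(one)
	return epk{Crv: "P-256", X: enc, Y: enc}
}

func main() {
	recipient, _ := ecdh.P256().GenerateKey(rand.Reader)
	sender, _ := ecdh.P256().GenerateKey(rand.Reader)
	z, err := sharedSecret(recipient, encodeEPK("P-256", sender.PublicKey()))
	fmt.Printf("valid epk: %d-byte secret, err=%v\n", len(z), err)
	_, err = sharedSecret(recipient, invalidEPK())
	fmt.Println("off-curve epk:", err)
}
```

The defensive point is the order of operations: the point is decoded, length-checked and verified on-curve before the recipient's private key touches it, and a curve mismatch between `epk` and the recipient key is a hard error rather than something left for the scalar multiplication to sort out.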