feat: allow size >= 2 for jwt payload #4515
Conversation
Thanks for your PR. The current implementation deliberately only supports a minimal set of JSON Web Tokens as we wanted to keep it small. I now understand that this is too restrictive and re-reading section 4 of RFC 7519 seems to prove your point:
I'm OK with merging this PR as-is. However, I would want to at least also enforce the Would you be interested in implementing that including cunit tests? If not, I'll merge this PR and revisit implementing
thanks for your answer @rsto. Agreed with I can try (it's a long time since I did C) but with some help eventually it could work :)
Here is the steps I would take:
Does that help for a start?
yes definitely, I'll do this at the end of this week.
One more thing: I don't want to hold you back using Cyrus for your use cases. So I could equally merge this PR and you submit a new PR with the updated code. As long as it's only on the development branch it doesn't matter too much to me if the claims are supported. Just let me know what you prefer.
as we are using cyrus version 3.6.1, it is also equal, we still have the forked code running on the server. So if it can avoid "administrative" tasks with PR management, it's OK.
👍 I'll just wait for the changes on this PR then, thanks.
You have a merge commit in this PR. Please don't merge into your PR branch, it turns the history into spaghetti when the PR in turn gets merged. If you need to bring your branch up to date with the current upstream master, you should rebase on top of it and then force push.
Please rebase and force push your branch to get the merge commit out. I assume you know how to do this, but I'm happy to help if you need it. Thanks :)
ooops I've just seen your comment, and it was too late. Sorry about the noise. Some notes about implementation:
#include <stdio.h>
#include <string.h>
#include <time.h>

time_t nowPlusOneHour = time(NULL) + 3600;
/* measure the digits the timestamp needs; cast because time_t is not 'long' on every platform */
int length = snprintf(NULL, 0, "%ld", (long)nowPlusOneHour);
char p[] = "{\"sub\": \"test\", \"exp\":%ld}";
/* strlen(p) already counts the 3-character "%ld" placeholder, so this leaves room for the digits and the terminator */
char payload[strlen(p) + length];
sprintf(payload, p, (long)nowPlusOneHour);
To update the
Thanks for the PR and the extensive testing! I think the following points should be handled differently
I think
That's not necessary IMO. We should just validate any known claims and ignore any other, just as the spec says.
Cyrus codebase mostly uses snake case or some variations of it. I'm sorry that we do not have any style guide which would make this clear. I have ideas how to make the test code nicer to read, but I need to do some experimentation with it as well. If you are OK, I could take your PR and do my changes on top of it. If you prefer to keep working on it on your own, please let me know.
Ok with all you said (following the spec, do not break existing servers, and code style). For code style I found this but I haven't found a naming convention. I'm doing the changes now. And yes I'd be curious about your improvements, to learn about modern C coding. So don't hesitate to do your changes on top of it.
I kept the rejection of the token if there is
This now landed on the main branch: #4526!
I tagged this also to include in the 3.8 branch. |
Could we change the check for the number of fields of the JWT payload to greater or equal to 2 instead of 2. I can't see any drawbacks of doing this, but maybe I'm missing something. There should be iat and sub fields, but why couldn't we use more? In our app we use exp for expiration timestamp for example and a role field as well. The tests are green with the change and I didn't add any test.
Thanks for your answer.
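The policy the maintainer states above (validate the known claims, ignore any other, as RFC 7519 says) and the PR description's example payload (sub and iat required, exp and role alongside them) can be shown as one small check. The following is an added example written for this thread, not Cyrus code and not the author's PR: it assumes the payload segment has already been base64url-decoded and the signature verified, and it uses a deliberately minimal scanner for a flat JSON object of string and integer claims (nested values and backslash escapes are treated as malformed), so that the claim-handling rules stay visible.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Outcome of checking one decoded JWT payload. */
enum jwt_status { JWT_OK = 0, JWT_MALFORMED, JWT_MISSING_CLAIM, JWT_EXPIRED };

static const char *skip_ws(const char *s)
{
    while (isspace((unsigned char)*s)) s++;
    return s;
}

/* Copy the JSON string starting at *s (opening quote included) into buf and
 * advance *s past the closing quote.  Backslash escapes are out of scope for
 * this illustration and are reported as malformed. */
static int parse_string(const char **s, char *buf, size_t buflen)
{
    const char *p = *s;
    size_t n = 0;
    if (*p != '"') return 0;
    for (p++; *p && *p != '"'; p++) {
        if (*p == '\\' || n + 1 >= buflen) return 0;
        buf[n++] = *p;
    }
    if (*p != '"') return 0;
    buf[n] = '\0';
    *s = p + 1;
    return 1;
}

/* Policy from the thread: "sub" and "iat" are required, "exp" is honoured
 * when present, and every other claim ("role", ...) is accepted and ignored.
 * 'json' is the payload after base64url decoding; signature verification is
 * assumed to have happened before this point and is not shown. */
enum jwt_status jwt_check_payload(const char *json, time_t now)
{
    const char *p = skip_ws(json);
    int have_sub = 0, have_iat = 0, have_exp = 0;
    long exp = 0;

    if (*p != '{') return JWT_MALFORMED;
    p = skip_ws(p + 1);
    while (*p != '}') {
        char key[64], sval[256];

        if (!parse_string(&p, key, sizeof key)) return JWT_MALFORMED;
        p = skip_ws(p);
        if (*p != ':') return JWT_MALFORMED;
        p = skip_ws(p + 1);

        if (*p == '"') {                                   /* string-valued claim */
            if (!parse_string(&p, sval, sizeof sval)) return JWT_MALFORMED;
            if (strcmp(key, "sub") == 0 && sval[0] != '\0') have_sub = 1; /* empty sub does not count */
        } else if (*p == '-' || isdigit((unsigned char)*p)) { /* NumericDate claims */
            char *end;
            long v = strtol(p, &end, 10);
            if (end == p) return JWT_MALFORMED;
            p = end;
            if (strcmp(key, "iat") == 0) have_iat = 1;
            else if (strcmp(key, "exp") == 0) { have_exp = 1; exp = v; }
        } else {
            return JWT_MALFORMED;  /* objects, arrays, true/false/null: not handled here */
        }
        /* Unknown keys reach this point untouched: they are simply ignored. */

        p = skip_ws(p);
        if (*p == ',') {
            p = skip_ws(p + 1);
            if (*p != '"') return JWT_MALFORMED;           /* no trailing comma */
        } else if (*p != '}') {
            return JWT_MALFORMED;
        }
    }

    if (!have_sub || !have_iat) return JWT_MISSING_CLAIM;
    /* RFC 7519 section 4.1.4: the token must be rejected once 'now' is not before exp. */
    if (have_exp && (long)now >= exp) return JWT_EXPIRED;
    return JWT_OK;
}

int main(void)
{
    /* Constructed payload, built the same way as the test snippet in the
     * thread, plus the extra claims the PR description mentions. */
    long now = (long)time(NULL);
    char payload[160];
    snprintf(payload, sizeof payload,
             "{\"sub\": \"test\", \"iat\": %ld, \"exp\": %ld, \"role\": \"admin\"}",
             now, now + 3600);
    printf("%s -> %d\n", payload, jwt_check_payload(payload, time(NULL)));
    return 0;
}
```

The point of the shape is that adding a claim such as role never changes the verdict, while a missing sub or iat, or an exp that has passed, is still rejected; that is what moves the check from "exactly 2 fields" to "the known fields are valid, whatever else is present".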