-
Notifications
You must be signed in to change notification settings - Fork 995
First attempt at making parsing more flexible in types #66
Conversation
if exp, ok := m["exp"].(float64); ok { | ||
return int64(exp), nil | ||
} | ||
return 0, errors.New("expiration not found") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the right behavior? These fields are not required. Missing != invalid
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, but the way that the validation is done currently error here means "do not check the expiration". Maybe if it returned (int64, bool)
it would be more clear.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If exp
exists and is not a number, it shouldn't be skipped. Validation should fail with "invalid value for exp". Is return 0, nil
a better option? 0 isn't a valid value for either exp
or nbf
.
if exp, ok := m["exp"].(float64); ok { | ||
return int64(exp), true | ||
} | ||
return 0, false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think my other comment got swallowed up. This doesn't allow us to abort on invalid data. If exp
== "pants"
, we probably want to shut it down, vs ignoring it. Tricky.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I understand your previous concern better now. hmm tricky indeed. This is related to your comment below re validation. I'll respond there.
I think this is the best solution I've seen for this issue. I have a couple concerns:
Neither of these are insurmountable, but they deserve consideration. |
Actually, this is not backward compatible as the type of |
One way to address the I think there are two levels of validation going on here: Token level validation (e.g. hash alg checks, I don't really have a good suggestion for maintaining backwards compatibility. This seems to be a active question within the go community right now. I think that the validation questions raised here will fundamentally break the api no matter the solution. :( |
I agree, you're definitely going to be breaking backwards compatibility with this change. However, that's what major version bumps are for! I ran with @crxpandion suggestion of using a more generic interface, if you look at the PR #73 it isn't as complete, in that the tests haven't been updated, but it shows the other method of accomplishing this. Perhaps in a way that will be easier to be backwards compatible in the future. |
Getting close to landing #73, which is based on this. |
Makes the claims an interface.
#64