-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Illegal token detection before jose.Decode() #4
Comments
Hi @pandex ,
|
In what I am doing, all operations happen in microseconds or low double-digit milliseconds, except token decoding, which can take up to triple-digit milliseconds. So the idea is to avoid it by doing a near cost-free token length, presence of space, etc. check prior to decode. No point decoding a malformed token string, which I assume is in constant time. I am in fact using exactly the same two-phase validation code you pointed out. However, I have to assume the token received in the Authorization Bearer is from a bad actor and headers may have been bogus. Hence the current effort to see if there's anything I'm neglecting. |
So, help me understand. You want to check something before base64 decoding happened, but after token have been spliced into parts? |
It happens in this order:
And encryption is via:
where s is the JWT Claims json. |
can you post |
Sure. it's a simple thing right now:
} |
I'm not sure what is base64 decode failing because:
So, what feature are you asking for? :) I really can't see anything new right now. You can perfectly do len constraints and illegal chars test outside of library. And Base64 check will be performed by library itself anyway. |
Sorry, minTokenLen/maxTokenLen are my own constants, defined elsewhere. I'm OK with base64 checking not working, it'd have been a quick check of multiple things in one swoop, but I'll do it outside the package. My assumption that any change of the string would invalidate it was wrong. Live and learn. So no new request, today. :) |
I just have to figure out where the missing 5th part of the token is (in code that had been working fine for weeks) tomorrow. Thanks. |
Hi @pandex , safe to close issue? |
Sorry, please close it, all's good. |
Could I get a quick confirmation that in
token is string and NOT base64?
I'm trying to see if there's a quick way to pre-disqualify a potentially malformed token BEFORE having to pay the price of doing
like you can with a base64 coded string:
for space/illegal chars/length=multiple of 4/etc.
Any ideas?
The text was updated successfully, but these errors were encountered: