Validation defaults for iat and nbf conflicts with documentation #66
Comments
Looks like I forgot to update the docs :(
Although it is interesting in terms of UX what should be done there. We want good, secure defaults for the decoding so it should probably validate those by default if possible, meaning the api of v4 was better despite the buggy implementation (#51). I'll think about it over the next couple of days but it looks like this needs to be re-done and it is a breaking change :(
Probably a few other things but it's already a good start.
Ah I also don't remember why Validation:algorithm is a
There may be cases where multiple validation algorithms are used, but it's only secure if they are paired with their keys.
Yes that's in the spec but I thought I changed that before, weird. Will be fixed in the next version
I think the validation issues are fixed in v6 so closing it |
In the documentation (https://docs.rs/jsonwebtoken/5.0.1/jsonwebtoken/struct.Validation.html#structfield.validate_iat) it's mentioned that the validate_iat and validate_nbf fields are true by default, but in the source (https://docs.rs/jsonwebtoken/5.0.1/src/jsonwebtoken/validation.rs.html#98-99) the default value is false. This is also the behavior of the current release (5.0.1).
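The gap between the documented and the actual defaults reported above, as an added std-only Rust example (not the jsonwebtoken crate's code): `TimeChecks`, `Claims`, `TimeError` and `check_time_claims` are hypothetical names and the timestamps are constructed. A token with a future nbf is rejected under the documented defaults and accepted under the defaults the source actually sets.

```rust
// Added example: a std-only model of the iat/nbf checks discussed in this issue.
// All type and function names are hypothetical, not the jsonwebtoken API.

#[derive(Clone, Copy)]
pub struct TimeChecks {
    pub validate_iat: bool,
    pub validate_nbf: bool,
    pub leeway: u64, // seconds of tolerated clock skew
}

pub struct Claims {
    pub iat: Option<u64>,
    pub nbf: Option<u64>,
}

#[derive(Debug, PartialEq)]
pub enum TimeError {
    IssuedInFuture,
    NotYetValid,
}

/// Reject a token whose iat or nbf lies later than `now + leeway`.
/// Assumption: an absent claim is not checked (both are optional in RFC 7519).
pub fn check_time_claims(c: &Claims, cfg: TimeChecks, now: u64) -> Result<(), TimeError> {
    let horizon = now.saturating_add(cfg.leeway);
    if cfg.validate_iat {
        if let Some(iat) = c.iat {
            if iat > horizon { return Err(TimeError::IssuedInFuture); }
        }
    }
    if cfg.validate_nbf {
        if let Some(nbf) = c.nbf {
            if nbf > horizon { return Err(TimeError::NotYetValid); }
        }
    }
    Ok(())
}

fn main() {
    let now = 1_700_000_000; // constructed timestamp
    let token = Claims { iat: Some(now), nbf: Some(now + 3600) }; // constructed: valid in one hour
    let documented = TimeChecks { validate_iat: true, validate_nbf: true, leeway: 0 };
    let shipped = TimeChecks { validate_iat: false, validate_nbf: false, leeway: 0 };
    println!("documented defaults: {:?}", check_time_claims(&token, documented, now));
    println!("shipped defaults:    {:?}", check_time_claims(&token, shipped, now));
}
```

Setting both flags explicitly in calling code, rather than relying on a default, keeps the behaviour stable if a later release changes the default again.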