Commit Graph

441 Commits

Author SHA1 Message Date
Geert Vanderkelen cb914dd542 Handle ValidationError returned by keyFunc in jwt.ParseWithClaims
Previously, returning a `jwt.ValidationError` from `jwt.Parse()` or
`jwt.ParseWithClaims()` would result values the error to be
ignored.
For example, when testing the signature while parsing the token, it
was not possible to return `jwt.ValidationErrorSignatureInvalid`.
The documentation shows an example for returning an `errors.Error`,
but this is not enough.

We change the `jwt.ParseWithClaims()`-function and check whether the
returned error from the `KeyFunc` is already a
`jwt.ValidationError`-type and return as-is.

This allows us to do the following:

  token, err := jwt.ParseWithClaims(authToken, claims, func(token
    *jwt.Token) (interface{}, error) {
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
        vErr := new(jwt.ValidationError)
        vErr.Errors = jwt.ValidationErrorSignatureInvalid
        vErr.Inner = fmt.Errorf("invalid signature")
        return nil, vErr
    }
    return []byte(MySecret), nil
  })

The idea is to then be able to check the `Errors`-member:

  } else if ve.Errors&jwt.ValidationErrorSignatureInvalid != 0 {
    return fmt.Errorf("Authentication Token has invalid signature")
  }
2017-06-28 09:16:23 +02:00
Dave Grijalva a539ee1a74 Merge pull request #218 from zoofood/patch-1
minor typo
2017-06-07 17:51:49 -07:00
Jeff Rouse b425822dfa minor typo 2017-06-07 17:13:34 -07:00
Dave Grijalva 6c8dedd55f updated note on alg type vulnerability 2017-05-08 09:54:58 -07:00
Yuri c1d75b01d5 A better error msg
Change ErrInvalidKey to ErrInvalidKeyType
2017-04-01 16:04:41 +08:00
Zach Collier fd360ca1aa add godoc icon 2017-03-16 10:55:35 -06:00
Dave Grijalva 2268707a8f Merge pull request #183 from hnakamur/support_rs256_in_jwt_command
Support RS256 algorithm in jwt command
2017-02-01 14:58:49 -08:00
Dave Grijalva e0b2941cad Merge pull request #196 from dgrijalva/dg/cmd_args
Allow claims and headers to be specified at command line
2017-02-01 10:44:39 -08:00
Dave Grijalva aaadee5836 s/head/header/ 2017-02-01 10:44:25 -08:00
Dave Grijalva 53194fccb3 allow claims and headers to be specified at command line 2017-01-31 11:36:56 -08:00
Dave Grijalva a601269ab7 Merge pull request #190 from jamesrwhite/patch-1
Clarify hmacSampleSecret type
2017-01-04 10:22:50 -08:00
James White b08784ba5a Clarify hmacSampleSecret type
From looking at the godoc for this (https://godoc.org/github.com/dgrijalva/jwt-go#example-Parse--Hmac) it isn't clear what the type of hmacSampleSecret should be as you can't see the rest of this file. I ended up having to search through the code to figure out it needed to be a byte array.
2017-01-04 11:40:11 +00:00
Hiroaki Nakamura c5d6625a50 Support RS256 algorithm in jwt command 2016-11-21 18:56:50 +09:00
Joao Aguiar 053ba766a6 Added passoword protect PEM support 2016-11-03 17:50:08 +00:00
Dave Grijalva 9ed569b5d1 Merge pull request #180 from kevinburke/fix-unreachable
Remove unreachable code
2016-11-01 12:39:35 -07:00
Kevin Burke e58d3b7548
Remove unreachable code
`go vet` on Go 1.8 errors because this line of code is unreachable. Adds
a check that new code passes go vet, and adds Go 1.7 to travisci.
2016-11-01 09:59:08 -07:00
zimbatm f46fb7ef12 ParseUnverified: add tests 2016-09-14 15:23:18 +01:00
zimbatm bf316c4813 Introduce (*Parser).ParseUnverified
This is not something users of this library would commonly use but I'm
hitting a case where I still want to transmit the values contained
inside of the token trough the system, after it's been verified by the
frontend.

In that case it would be easier just to transmit the token around and be
able to parse the values within, without having to verify the signature.
The backend services also don't have access to the user secrets to
validate the signature.
2016-09-14 15:23:18 +01:00
Dave Grijalva 24c63f5652 Merge pull request #166 from johnlockwood-wf/issue-165-missing-arg
Add the missing name arg
2016-08-31 11:35:34 -07:00
John.Lockwood 7ff66c6bff Add the missing name arg 2016-08-26 21:32:44 -07:00
Dave Grijalva 63734eae1e Merge pull request #151 from zaichang/FixMigrationGuide
Fixed migration guide request.ParseFromRequest example code
2016-07-29 09:48:51 -07:00
Zai 227c99f1af Fixed migration guide request.ParseFromRequest example code 2016-07-20 18:09:44 +02:00
Dave Grijalva 01aeca54eb Merge pull request #146 from pkieltyka/master
Parser flag to skip claims validation during token parsing
2016-07-05 13:30:06 -07:00
Peter Kieltyka c9eaceb289 Parser flag to skip claims validation during token parsing 2016-06-21 16:11:54 -04:00
Dave Grijalva f077707632 Merge pull request #140 from kazhuravlev/patch-1
Fix links
2016-06-17 10:01:58 -07:00
kazhuravlev 1e9b4c4c60 Fix links 2016-06-17 17:04:01 +03:00
Dave Grijalva d2709f9f1f Merge pull request #77 from dgrijalva/release_3_0_0
Release 3.0.0
2016-06-16 12:15:56 -07:00
Dave Grijalva d8c133f558 Merge branch 'master' into release_3_0_0 2016-06-16 12:16:07 -07:00
Dave Grijalva 268038b363 v2.7.0 2016-06-16 12:14:24 -07:00
Dave Grijalva 4638392845 updated documentation to reflect the supported draft version 2016-06-15 16:56:01 -07:00
Dave Grijalva 5fbf45924d errors only have an exposed Inner property if the error was generated by another library 2016-06-15 16:42:50 -07:00
Dave Grijalva 2ed748cd9c updated documentation. moved migration guide to separate doc 2016-06-15 10:49:54 -07:00
Dave Grijalva 0fbf86c98b documentation update 2016-06-08 11:38:48 -07:00
Dave Grijalva f1a773028f added a simple http example 2016-06-08 11:36:38 -07:00
Dave Grijalva 320d20e631 Merge branch 'release_3_0_0' of github.com:dgrijalva/jwt-go into release_3_0_0 2016-06-07 10:34:42 -07:00
Dave Grijalva 6fd0370e43 Merge branch 'master' of https://github.com/martinlindhe/jwt-go into patch_109 2016-06-07 10:34:06 -07:00
Dave Grijalva b4ac4e4998 Merge pull request #137 from dgrijalva/dg/extractor
Add new interface Extractor for making token extraction pluggable
2016-06-07 10:01:39 -07:00
Dave Grijalva c5c24ad06a updated version history 2016-06-06 18:22:25 -07:00
Dave Grijalva 317b82a681 Merge remote-tracking branch 'origin/master' into release_3_0_0 2016-06-06 18:20:35 -07:00
Dave Grijalva fa2cc68895 version history 2016-06-06 18:08:17 -07:00
Dave Grijalva c04502f106 notice about imminent 3.0.0 2016-06-06 17:56:07 -07:00
Dave Grijalva 5eef21b7ed a few examples and some documentation cleanup 2016-06-06 17:45:30 -07:00
Dave Grijalva f93fcfd3f9 unit tests for extractor 2016-06-06 17:18:24 -07:00
Dave Grijalva de0a819d8d added documentation 2016-06-06 16:55:41 -07:00
Dave Grijalva bb45bfcdec add new interface Extractor for making token extraction pluggable 2016-06-06 15:27:44 -07:00
Dave Grijalva 9b486c879b Merge pull request #136 from bruston/keyfunc-typo
Fix typo in KeyFunc documentation
2016-05-31 11:11:19 -07:00
Benjamin Ruston e1403b0ab2 Fix typo in KeyFunc documentation 2016-05-27 14:22:35 +01:00
Dave Grijalva 40bd0f3b48 fixes #135 copy/paste error in rsa decoding tools 2016-05-04 10:25:48 -07:00
Dave Grijalva 0ef1a002d3 Merge pull request #132 from abourget/master
Implement a "-show" command too.. for debugging purposes..
2016-05-04 10:21:10 -07:00
Dave Grijalva 3cf07b8a28 Merge pull request #133 from johnlockwood-wf/expire-delta
Include expire delta in error message
2016-05-04 10:20:39 -07:00