This PR removes the old legacy standard claims, which have been deprecated since the beginning of the `v4` module in favor of the newer `RegisteredClaims`. Removing them before any further changes to the validation API is quite useful, as less code needs to be adapated.
This commit serves as the basis for further `v5` developments. It will introduce some API-breaking changes, especially to the way tokens are validated. This will allow us to provide some long-wanted features with regards to the validation API. We are aiming to do this as smoothly as possible, however, with any major version. please expect that you might need to adapt your code.
The actual development will be done in the course of the next week, if time permits. It will be done in seperate PRs that will use this PR as a base. Afterwards, we will probably merge this and release an initial 5.0.0-alpha1 or similar.
By default base64 decoder works in non-strict mode which
allows tweaking signatures having padding without failing validation.
This creates a potential problem if application treats token value as an identifier.
For example ES256 signature has length of 64 bytes and two padding symbols (stripped by default).
Therefore its base64-encoded value can only end with A, Q, g and w.
In non-strict mode last symbol could be tweaked resulting in 16 distinct
token values having the same signature and passing validation.
This change adds backward-compatible global config variable DecodeStrict
(similar to existing DecodePaddingAllowed) that enables strict base64 decoder mode.
See also https://github.com/golang/go/issues/15656.
Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
This PR aims at implementing compliance to RFC7519, as documented in #11 without breaking the public API. It creates a new struct `RegisteredClaims` and deprecates (but not removes) the `StandardClaims`. It introduces a new type `NumericDate`, which represents a JSON numeric date value as specified in the RFC. This allows us to handle float as well as int-based time fields in `aud`, `exp` and `nbf`. Additionally, it introduces the type `StringArray`, which is basically a wrapper around `[]string` to deal with the oddities of the JWT `aud` field.
* initial go module file
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* fix linting issues
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* rename module to golang-jwt/jwt
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Renamed imports to match with go module name.
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* update travis for latest go versions
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Set go version to 1.14
lowered the go version to make it consistent with matrix build
* revert accidental changes while renaming
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* remove travis CI
no longer needed since github actions workflow was created for the
project
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Revert "remove travis CI"
This reverts commit b3ae57f710.
* update travis for older go versions