37 Commits

Author SHA1 Message Date
Christian Banse 8089d9eb78 Slightly better way to handle useNumber 2024-07-04 21:45:03 +02:00
zhouyiheng.go 90d315ce0c feat: custom json and base64 encoders for Token and Parser
Co-Authored-By: Christian Banse <oxisto@aybaze.com>
2024-07-04 21:45:03 +02:00
Christian Banse a49fa5d91d
Exported `NewValidator` (#349)
* Exported `NewValidator`

Previously, we had `newValidator` as a private function. This PR exports this function so that validation can be done independently of parsing the claim.
2023-11-08 14:21:44 +01:00
Michael Fridman 1e76606719
Key rotation with VerificationKeySet (#344) 2023-09-12 21:29:27 -04:00
Eduardo Haesbaert 6879d2cf1f
Update ParseUnverified godoc (#341) 2023-08-22 14:26:47 -04:00
Craig Pastro 78e25d6b09
Avoid use of json.NewDecoder (#313)
* Avoid use of json.NewDecoder

Avoid use of json.NewDecoder if not needed.

Resolves #303
2023-08-15 17:06:50 +02:00
Dcalsky 8b7470d561
perf: quick way to validate token string (#302) 2023-07-20 21:35:04 +02:00
Christian Banse b357385d3e
Moving `DecodeSegement` to `Parser` (#278)
* Moving `DecodeSegement` to `Parser`

This would allow us to remove some global variables and move them to parser options as well as potentially introduce interfaces for json and b64 encoding/decoding to replace the std lib, if someone wanted to do that for performance reasons.

We keep the functions exported because of explicit user demand.

* Sign/Verify does take the decoded form now
2023-03-24 19:13:09 +01:00
Christian Banse 148d710109
`v5` Pre-Release (#234)
Co-authored-by: Micah Parks <66095735+MicahParks@users.noreply.github.com>
Co-authored-by: Michael Fridman <mf192@icloud.com>
2023-02-21 14:32:25 +01:00
Christian Banse 2101c1f4bc
No pointer embedding in the example (#255)
Fixes #223
2022-11-08 15:43:45 +01:00
Jacob Kopczynski 0c4e387985
Add doc comment to ParseWithClaims (#232) 2022-09-26 10:01:52 -04:00
Michael Fridman 0972257eba
Revert "feat: port clockskew support (#139)" (#184)
This reverts commit d489c99d3e.
2022-03-26 10:13:03 -04:00
ksegun d489c99d3e
feat: port clockskew support (#139)
Co-authored-by: Kolawole Segun <Kolawole.Segun@kyndryl.com>
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2022-03-08 08:43:46 +01:00
Sebastien Rosset c0ffb890f3
Improve code comments, including security consideration (#107)
* improve code comments, including security consideration

* Add link to URL with details about security vulnerabilities.

* Update token.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>

* Update token.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>

* update code comments

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-10-15 09:48:31 -03:00
Christian Banse 65357b9e5b
Introducing functional-style options for the Parser type (#108) 2021-10-13 19:36:33 +02:00
Michael Fridman 2ebb50f957
Adds go module support /v4 (#41)
Additionally, added `staticcheck` for basic static code analysis (#44)

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-08-03 15:51:01 +02:00
Dave Grijalva 3265a9bebd
Merge pull request #152 from pusher/parse-unverified
Introduce (*Parser).ParseUnverified
2018-03-08 11:01:10 -08:00
Geert Vanderkelen cb914dd542 Handle ValidationError returned by keyFunc in jwt.ParseWithClaims
Previously, returning a `jwt.ValidationError` from `jwt.Parse()` or
`jwt.ParseWithClaims()` would result in the error being
ignored.
For example, when testing the signature while parsing the token, it
was not possible to return `jwt.ValidationErrorSignatureInvalid`.
The documentation shows an example for returning an `errors.Error`,
but this is not enough.

We change the `jwt.ParseWithClaims()`-function and check whether the
returned error from the `KeyFunc` is already a
`jwt.ValidationError`-type and return as-is.

This allows us to do the following:

  token, err := jwt.ParseWithClaims(authToken, claims, func(token *jwt.Token) (interface{}, error) {
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
        vErr := new(jwt.ValidationError)
        vErr.Errors = jwt.ValidationErrorSignatureInvalid
        vErr.Inner = fmt.Errorf("invalid signature")
        return nil, vErr
    }
    return []byte(MySecret), nil
  })

The idea is to then be able to check the `Errors`-member:

  } else if ve.Errors&jwt.ValidationErrorSignatureInvalid != 0 {
    return fmt.Errorf("Authentication Token has invalid signature")
  }
2017-06-28 09:16:23 +02:00
zimbatm bf316c4813 Introduce (*Parser).ParseUnverified
This is not something users of this library would commonly use but I'm
hitting a case where I still want to transmit the values contained
inside of the token through the system, after it's been verified by the
frontend.

In that case it would be easier just to transmit the token around and be
able to parse the values within, without having to verify the signature.
The backend services also don't have access to the user secrets to
validate the signature.
2016-09-14 15:23:18 +01:00
Peter Kieltyka c9eaceb289 Parser flag to skip claims validation during token parsing 2016-06-21 16:11:54 -04:00
Dave Grijalva 317b82a681 Merge remote-tracking branch 'origin/master' into release_3_0_0 2016-06-06 18:20:35 -07:00
John.Lockwood 96fef82497 Include expire delta in error message 2016-04-25 11:34:10 -07:00
Dave Grijalva 9249eabf87 expose inner error within ValidationError 2016-04-12 17:31:30 -07:00
Dave Grijalva 36d317022e Merge branch 'master' of https://github.com/emanoelxavier/jwt-go-contr into dg/merge_112 2016-04-12 17:22:28 -07:00
Dave Grijalva 5e270fa6cd changed argument order to put claims type before keyfunc. this is easier to read when keyfunc is an inline closure 2016-04-12 16:25:25 -07:00
Dave Grijalva fb4ca74c9f added special case behavior for MapClaims so they aren't all weird 2016-04-12 14:32:24 -07:00
Dave Grijalva 572c9130e8 cleaned up style and added tests 2016-04-04 14:42:10 -07:00
Dave Grijalva 4ec621a2d1 Merge branch 'master' into release_3_0_0 2016-03-31 11:19:33 -07:00
David Komer 0ebbeab74c conversion error fixed 2016-03-17 15:12:22 +02:00
David Komer 52e4189627 use json.Number for claims check
if parser.UseJSONNumber is true then the Claims["exp"] and
Claims["nbf"] can be full int64 range, not limited to float64

vnbf and vexp are just flags for whether or not the values were
obtained through either method and should be checked
2016-03-17 15:00:13 +02:00
Emanoel Xavier 517905c5bd Adding inner error in the ValidationError type 2015-12-31 07:48:39 -08:00
Snorre lothar von Gohren Edwin ca46641b15 PR updated, faster string method and more reasonable message feedback 2015-12-23 09:43:00 +01:00
Snorre lothar von Gohren Edwin 57b1269c41 modifications on PR. Added a space in the bearer string check so that we unexpectedly don't experience a base64url encoding because bearer is technically part of a valid encoding, we think. Also moved it into a failed decoding to get a better feedback for the developer, but not do unnecessary amount of string checks 2015-12-22 15:30:57 +01:00
Dave Grijalva b728399c73 signature should be populated after parsing a valid token 2015-11-16 12:42:37 -08:00
Dave Grijalva 56c7810ac4 Merge branch 'master' into release_3_0_0 2015-11-16 11:59:51 -08:00
Dave Grijalva 774f319043 added tests for parser. fixed parser when using restricted method list 2015-11-02 15:22:08 -08:00
Dave Grijalva bdfe8ca0b6 created a Parser type to allow for non-global parser configuration 2015-10-29 11:45:16 -07:00