* Exported `NewValidator`
Previously, we had `newValidator` as a private function. This PR exports this function so that validation can be done independently of parsing the claim.
Fixes a security vulnerability where a jwt token could potentially be validated having invalid string characters.
(cherry picked from commit a211650c6ae1cff6d7347d3e24070d65dcfb1122)
https://github.com/form3tech-oss/jwt-go/pull/14
Co-Authored-By: Giorgos Lampadakis <82932062+giorgos-f3@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Fix issue with MapClaims VerifyAudience []string
There was an issue in MapClaims's VerifyAudience where a []string (which
is valid in the spec) would return true (claim is found, or nil) when required
was not set.
It now checks interface types correctly and has tests written.
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
* Keep aud validation constant time compare
Keep aud validation using constant time compare by not instantly
returning on a true comparison; keep comparing all options and store the
result in a variable.
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
Co-authored-by: Banse, Christian <christian.banse@aisec.fraunhofer.de>
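The two audience fixes above describe one verification routine: normalise the `aud` claim from whatever JSON shape it arrives in (string, `[]string`, or `[]interface{}`), honour the `required` flag for a missing or empty claim, and compare against every candidate without returning early. The following Go code is an added example written for this changelog, not the jwt-go library's own implementation; the `MapClaims` type and `VerifyAudience` method names are taken from the commit messages, while `audienceList` and `verifyAud` are helper names assumed here.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// MapClaims mirrors the shape of a decoded JWT payload: claim name -> JSON value.
// After json.Unmarshal the "aud" claim is a string or a []interface{}; code
// that builds claims by hand may also supply a []string.
type MapClaims map[string]interface{}

// audienceList normalises the "aud" claim into a []string. The bool result is
// false when the claim has a type the spec does not allow (e.g. a number in
// the array), which the caller treats as a failed verification.
func audienceList(aud interface{}) ([]string, bool) {
	switch v := aud.(type) {
	case nil:
		return nil, true // claim absent
	case string:
		return []string{v}, true
	case []string:
		return v, true
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return nil, false
			}
			out = append(out, s)
		}
		return out, true
	default:
		return nil, false
	}
}

// VerifyAudience reports whether cmp is one of the audiences in the claim.
// With required=false a missing or empty aud claim is accepted; with
// required=true it is rejected. A []string that does not contain cmp is
// rejected regardless of required (the bug the second commit fixed).
func (m MapClaims) VerifyAudience(cmp string, required bool) bool {
	aud, ok := audienceList(m["aud"])
	if !ok {
		return false
	}
	return verifyAud(aud, cmp, required)
}

// verifyAud compares cmp against every entry and records the outcome in a
// variable instead of returning on the first match, so the amount of work
// does not depend on where (or whether) the match sits in the list.
func verifyAud(aud []string, cmp string, required bool) bool {
	if len(aud) == 0 {
		return !required
	}
	result := false
	nonEmpty := false
	for _, a := range aud {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			result = true
		}
		if len(a) > 0 {
			nonEmpty = true
		}
	}
	// An aud claim consisting only of "" entries counts as absent.
	if !nonEmpty {
		return !required
	}
	return result
}

func main() {
	// Constructed sample claims for a stand-alone run.
	claims := MapClaims{"aud": []interface{}{"api", "web"}}
	fmt.Println(claims.VerifyAudience("web", true))   // true
	fmt.Println(claims.VerifyAudience("other", false)) // false
	fmt.Println(MapClaims{}.VerifyAudience("web", false)) // true
}
```

`subtle.ConstantTimeCompare` still returns immediately when the two lengths differ, so what this keeps constant is the number of candidates examined, not the cost of each individual comparison; that matches the scope of the third commit.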