Christian Banse
7a5e5d6efe
Extract encoders/decoders to extra struct
2024-07-04 21:45:03 +02:00
zhouyiheng.go
90d315ce0c
feat: custom json and base64 encoders for Token and Parser
...
Co-Authored-By: Christian Banse <oxisto@aybaze.com>
2024-07-04 21:45:03 +02:00
Mike Fridman
0cb4fa15e3
docs: fix comment in KeyFunc
2023-09-13 09:39:26 -04:00
Michael Fridman
1e76606719
Key rotation with VerificationKeySet ( #344 )
2023-09-12 21:29:27 -04:00
dillonstreator
843e9bfe4d
add documentation to hmac `Verify` & `Sign` to detail why string is not an advisable input for key ( #249 )
...
* add documentation around Verify & Sign to detail why string is not an advisable input for key
* Refer to the usage guide
---------
Co-authored-by: Dillon Streator <dillonstreator@Dillons-2nd-MacBook-Pro.local>
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2023-03-31 13:19:48 +02:00
Christian Banse
b357385d3e
Moving `DecodeSegement` to `Parser` ( #278 )
...
* Moving `DecodeSegement` to `Parser`
This would allow us to remove some global variables and move them to parser options as well as potentially introduce interfaces for json and b64 encoding/decoding to replace the std lib, if someone wanted to do that for performance reasons.
We keep the functions exported because of explicit user demand.
* Sign/Verify does take the decoded form now
2023-03-24 19:13:09 +01:00
Mones Zarrugh
0d2f0d4809
remove string slice and strings.join ( #115 )
2023-02-21 21:28:00 -05:00
Christian Banse
148d710109
`v5` Pre-Release ( #234 )
...
Co-authored-by: Micah Parks <66095735+MicahParks@users.noreply.github.com>
Co-authored-by: Michael Fridman <mf192@icloud.com>
2023-02-21 14:32:25 +01:00
Alexander Yastrebov
9358574a7a
Allow strict base64 decoding ( #259 )
...
By default base64 decoder works in non-strict mode which
allows tweaking signatures having padding without failing validation.
This creates a potential problem if application treats token value as an identifier.
For example ES256 signature has length of 64 bytes and two padding symbols (stripped by default).
Therefore its base64-encoded value can only end with A, Q, g and w.
In non-strict mode last symbol could be tweaked resulting in 16 distinct
token values having the same signature and passing validation.
This change adds backward-compatible global config variable DecodeStrict
(similar to existing DecodePaddingAllowed) that enables strict base64 decoder mode.
See also https://github.com/golang/go/issues/15656 .
Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2022-12-09 18:04:03 +01:00
Christian Banse
2101c1f4bc
No pointer embedding in the example ( #255 )
...
Fixes #223
2022-11-08 15:43:45 +01:00
Michael Fridman
4426925f0c
CI check for Go code formatting ( #206 )
...
Signed-off-by: jay-dee7 <jasdeepsingh.uppal@gmail.com>
Co-authored-by: jay-dee7 <jasdeepsingh.uppal@gmail.com>
2022-05-28 16:03:15 +02:00
hyeonjae
e01ed05a31
remove unnecessary for loop in token signing string for readability ( #34 )
...
* remove unnecessary for loop in token signing string for readability
- add testcase
- add benchmark
- improve performance slightly
* Fix benchtests on token_test.go
* Update token_test.go to v4
Co-authored-by: hyeonjae <hyeonjae@ip-192-168-1-3.ap-northeast-2.compute.internal>
Co-authored-by: Luis Gabriel Gomez <lggomez@users.noreply.github.com>
2022-02-03 08:47:58 -03:00
ajermaky
f4865cddea
Revert Encoding/Decoding changes for better compatibility ( #117 )
2021-11-06 07:21:20 -04:00
Sebastien Rosset
c0ffb890f3
Improve code comments, including security consideration ( #107 )
...
* improve code comments, including security consideration
* Add link to URL with details about security vulnerabilities.
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* update code comments
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-10-15 09:48:31 -03:00
Christian Banse
65357b9e5b
Introducing functional-style options for the Parser type ( #108 )
2021-10-13 19:36:33 +02:00
Michael Fridman
2ebb50f957
Adds go module support /v4 ( #41 )
...
Additionally, added `staticcheck` for basic static code analysis (#44 )
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-08-03 15:51:01 +02:00
Josh Kline
860640e886
Allocation optimization ( #33 )
...
* Test to ensure ECDSA signature is valid
Add assertions to ensure ECDSA signing methods return valid signatures.
This is probably covered elsewhere as well, but putting it in
ecdsa_test.go makes it more obvious and easier to find.
* Benchmark ECDSA signing methods
Add benchmark coverage of ECDSA signing methods.
Benchmarks are run using the existing helper for comparability with
existing benchmarks.
Sign method is also tested directly, to avoid the overhead of *Token.
Report allocations for all benchmarks.
Allocation count for ES384 and ES512 fluctuate across test runs,
other signing methods consistently report the same number of allocations.
Sample output:
```
$ go test -bench=Bench -run=NONE .
2021/02/26 18:18:30 Listening...
goos: darwin
goarch: amd64
pkg: github.com/dgrijalva/jwt-go
BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op
BenchmarkECDSASigning/Basic_ES384-8 1113 1252975 ns/op 1750744 B/op 14474 allocs/op
BenchmarkECDSASigning/Basic_ES384/sign-only-8 286 3937773 ns/op 1746175 B/op 14423 allocs/op
BenchmarkECDSASigning/Basic_ES512-8 662 1949937 ns/op 3028386 B/op 19608 allocs/op
BenchmarkECDSASigning/Basic_ES512/sign-only-8 170 6856189 ns/op 3025471 B/op 19571 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190638 6665 ns/op 4249 B/op 65 allocs/op
BenchmarkHS256Signing-8 1000000 1024 ns/op 1584 B/op 32 allocs/op
BenchmarkHS384Signing-8 917286 1447 ns/op 1969 B/op 32 allocs/op
BenchmarkHS512Signing-8 827744 1470 ns/op 2065 B/op 32 allocs/op
BenchmarkRS256Signing-8 3037 390077 ns/op 32576 B/op 136 allocs/op
BenchmarkRS384Signing-8 2976 379155 ns/op 32684 B/op 136 allocs/op
BenchmarkRS512Signing-8 3205 388628 ns/op 32704 B/op 136 allocs/op
```
* Reduce allocations during ECDSA signing
Reduce the number of byte arrays allocated by using big.Int.FillBytes
when calculating ECDSA signature.
After this change, Benchmarks of ES256 signing method consistently
report 4 fewer allocations.
Before:
```
BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op
```
After:
```
BenchmarkECDSASigning/Basic_ES256-8 187682 6725 ns/op 4121 B/op 61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 48656 24446 ns/op 3201 B/op 39 allocs/op
```
* Use base64.RawURLEncoding to avoid padding
JWT uses a non-padded base64 encoding.
Current code uses base64.URLEncoding to generate a padded string and
then removes the padding.
Likewise, current code adds padding before decoding.
Instead, use base64.RawURLEncoding which does not add or require the
padding in the first place.
In addition to making the code cleaner, this reduces memory allocations
as reported by benchmarks.
Before:
```
BenchmarkECDSASigning/Basic_ES256-8 191396 6917 ns/op 4121 B/op 61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 49347 25039 ns/op 3201 B/op 39 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190668 6586 ns/op 4121 B/op 61 allocs/op
BenchmarkHS256Signing-8 1260060 1131 ns/op 1585 B/op 32 allocs/op
BenchmarkHS384Signing-8 861378 1387 ns/op 1969 B/op 32 allocs/op
BenchmarkHS512Signing-8 896745 1463 ns/op 2065 B/op 32 allocs/op
BenchmarkRS256Signing-8 3086 355769 ns/op 32576 B/op 136 allocs/op
BenchmarkRS384Signing-8 3414 353570 ns/op 32694 B/op 136 allocs/op
BenchmarkRS512Signing-8 3235 349394 ns/op 32706 B/op 136 allocs/op
```
After:
```
BenchmarkECDSASigning/Basic_ES256-8 176617 6827 ns/op 4021 B/op 58 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 48038 24213 ns/op 3169 B/op 38 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 194352 6928 ns/op 4021 B/op 58 allocs/op
BenchmarkHS256Signing-8 1000000 1127 ns/op 1488 B/op 29 allocs/op
BenchmarkHS384Signing-8 972552 1369 ns/op 1873 B/op 29 allocs/op
BenchmarkHS512Signing-8 780751 1368 ns/op 1969 B/op 29 allocs/op
BenchmarkRS256Signing-8 3014 387326 ns/op 32475 B/op 133 allocs/op
BenchmarkRS384Signing-8 3044 361411 ns/op 32591 B/op 133 allocs/op
BenchmarkRS512Signing-8 3273 355504 ns/op 32607 B/op 133 allocs/op
```
Benchmarks of signing methods ES384 and ES512 are omitted because their
allocations are not consistent.
2021-07-13 08:31:42 +02:00
Kévin Dunglas
42625203e8
chore: code cleanup ( #10 )
2021-05-27 19:26:21 -04:00
Dave Grijalva
317b82a681
Merge remote-tracking branch 'origin/master' into release_3_0_0
2016-06-06 18:20:35 -07:00
Benjamin Ruston
e1403b0ab2
Fix typo in KeyFunc documentation
2016-05-27 14:22:35 +01:00
Dave Grijalva
5e270fa6cd
changed argument order to put claims type before keyfunc. this is easier to read when keyfunc is an inline closure
2016-04-12 16:25:25 -07:00
Dave Grijalva
bc13ee82c3
Merge branch 'release_3_0_0' into dg/request
2016-04-08 11:57:11 -07:00
Dave Grijalva
4ec621a2d1
Merge branch 'master' into release_3_0_0
2016-03-31 11:19:33 -07:00
Dave Grijalva
e0e3b433f5
WIP on migrating request parsing stuff
2016-01-14 14:09:27 -08:00
Snorre lothar von Gohren Edwin
fea509ebfe
pushed a test change
2015-12-23 09:45:17 +01:00
Snorre lothar von Gohren Edwin
ca46641b15
PR updated, faster string method and more reasonable message feedback
2015-12-23 09:43:00 +01:00
Snorre lothar von Gohren Edwin
57b1269c41
modifications on PR. Added a space in the bearer string check so that we unexpectly dont experience an base64url encoding because bearer is technically part of a valid endcoding, we think. Also moved it into a failed decoding to get a better feedback for the developer, but not do unessecary amount of string checks
2015-12-22 15:30:57 +01:00
Snorre lothar von Gohren Edwin
1f970af1f8
added right amount of return
2015-12-20 09:25:50 +01:00
Snorre lothar von Gohren Edwin
5d11392aac
no breakpoints
2015-12-19 23:58:27 +01:00
Snorre lothar von Gohren Edwin
b863883b96
token.go: did some changes to the checks so that it will give better error feedback for noobs who write the authorization bearer value wrong
2015-12-19 23:49:37 +01:00
Dave Grijalva
56c7810ac4
Merge branch 'master' into release_3_0_0
2015-11-16 11:59:51 -08:00
Dave Grijalva
7ac27fb6ac
renamed files to match their purpose
2015-11-02 11:26:07 -08:00