Commit Graph

27 Commits

Author SHA1 Message Date
Christian Banse 03ffd83e84 Introducing new ValidWithOptions interface 2022-05-28 22:33:08 +02:00
Michael Fridman 0972257eba
Revert "feat: port clockskew support (#139)" (#184)
This reverts commit d489c99d3e.
2022-03-26 10:13:03 -04:00
ksegun d489c99d3e
feat: port clockskew support (#139)
Co-authored-by: Kolawole Segun <Kolawole.Segun@kyndryl.com>
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2022-03-08 08:43:46 +01:00
Sebastien Rosset c0ffb890f3
Improve code comments, including security consideration (#107)
* improve code comments, including security consideration

* Add link to URL with details about security vulnerabilities.

* Update token.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>

* Update token.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>

* update code comments

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-10-15 09:48:31 -03:00
Christian Banse 65357b9e5b
Introducing functional-style options for the Parser type (#108) 2021-10-13 19:36:33 +02:00
Michael Fridman 2ebb50f957
Adds go module support /v4 (#41)
Additionally, added `staticcheck` for basic static code analysis (#44)

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-08-03 15:51:01 +02:00
Dave Grijalva 3265a9bebd
Merge pull request #152 from pusher/parse-unverified
Introduce (*Parser).ParseUnverified
2018-03-08 11:01:10 -08:00
Geert Vanderkelen cb914dd542 Handle ValidationError returned by keyFunc in jwt.ParseWithClaims
Previously, returning a `jwt.ValidationError` from `jwt.Parse()` or
`jwt.ParseWithClaims()` would result values the error to be
ignored.
For example, when testing the signature while parsing the token, it
was not possible to return `jwt.ValidationErrorSignatureInvalid`.
The documentation shows an example for returning an `errors.Error`,
but this is not enough.

We change the `jwt.ParseWithClaims()`-function and check whether the
returned error from the `KeyFunc` is already a
`jwt.ValidationError`-type and return as-is.

This allows us to do the following:

  token, err := jwt.ParseWithClaims(authToken, claims, func(token
    *jwt.Token) (interface{}, error) {
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
        vErr := new(jwt.ValidationError)
        vErr.Errors = jwt.ValidationErrorSignatureInvalid
        vErr.Inner = fmt.Errorf("invalid signature")
        return nil, vErr
    }
    return []byte(MySecret), nil
  })

The idea is to then be able to check the `Errors`-member:

  } else if ve.Errors&jwt.ValidationErrorSignatureInvalid != 0 {
    return fmt.Errorf("Authentication Token has invalid signature")
  }
2017-06-28 09:16:23 +02:00
zimbatm bf316c4813 Introduce (*Parser).ParseUnverified
This is not something users of this library would commonly use but I'm
hitting a case where I still want to transmit the values contained
inside of the token trough the system, after it's been verified by the
frontend.

In that case it would be easier just to transmit the token around and be
able to parse the values within, without having to verify the signature.
The backend services also don't have access to the user secrets to
validate the signature.
2016-09-14 15:23:18 +01:00
Peter Kieltyka c9eaceb289 Parser flag to skip claims validation during token parsing 2016-06-21 16:11:54 -04:00
Dave Grijalva 317b82a681 Merge remote-tracking branch 'origin/master' into release_3_0_0 2016-06-06 18:20:35 -07:00
John.Lockwood 96fef82497 Include expire delta in error message 2016-04-25 11:34:10 -07:00
Dave Grijalva 9249eabf87 expose inner error within ValidationError 2016-04-12 17:31:30 -07:00
Dave Grijalva 36d317022e Merge branch 'master' of https://github.com/emanoelxavier/jwt-go-contr into dg/merge_112 2016-04-12 17:22:28 -07:00
Dave Grijalva 5e270fa6cd changed argument order to put claims type before keyfunc. this is easier to read when keyfunc is an inline closure 2016-04-12 16:25:25 -07:00
Dave Grijalva fb4ca74c9f added special case behavior for MapClaims so they aren't all weird 2016-04-12 14:32:24 -07:00
Dave Grijalva 572c9130e8 cleaned up style and added tests 2016-04-04 14:42:10 -07:00
Dave Grijalva 4ec621a2d1 Merge branch 'master' into release_3_0_0 2016-03-31 11:19:33 -07:00
David Komer 0ebbeab74c conversion error fixed 2016-03-17 15:12:22 +02:00
David Komer 52e4189627 use json.Number for claims check
if parser.UseJSONNumber is true then the Claims[“exp”] and
Claims[“nbf”] can be full int64 range, not limited to float64

vnbf and vexp are just flags for whether or not the values were
obtained through either method and should be checked
2016-03-17 15:00:13 +02:00
Emanoel Xavier 517905c5bd Adding inner error in the ValidationError type 2015-12-31 07:48:39 -08:00
Snorre lothar von Gohren Edwin ca46641b15 PR updated, faster string method and more reasonable message feedback 2015-12-23 09:43:00 +01:00
Snorre lothar von Gohren Edwin 57b1269c41 modifications on PR. Added a space in the bearer string check so that we unexpectly dont experience an base64url encoding because bearer is technically part of a valid endcoding, we think. Also moved it into a failed decoding to get a better feedback for the developer, but not do unessecary amount of string checks 2015-12-22 15:30:57 +01:00
Dave Grijalva b728399c73 signature should be populated after parsing a valid token 2015-11-16 12:42:37 -08:00
Dave Grijalva 56c7810ac4 Merge branch 'master' into release_3_0_0 2015-11-16 11:59:51 -08:00
Dave Grijalva 774f319043 added tests for parser. fixed parser when using restricted method list 2015-11-02 15:22:08 -08:00
Dave Grijalva bdfe8ca0b6 created a Parser type to allow for non-global parser configuration 2015-10-29 11:45:16 -07:00