Activity
  • May 15 2019 12:53: zhevron on master: Remove unused tools from CI bui…
  • May 15 2019 12:49: zhevron on master: Use correct version of golangci…
  • May 15 2019 12:47: zhevron on master: Update .gitattributes and .giti…; Update Travis CI configuration.
  • May 15 2019 12:31: Travis zhevron/jwt (master) errored (49)
  • May 15 2019 12:25: zhevron on master: Update licensing.
  • May 15 2019 12:21: zhevron on v1.0.0
  • May 15 2019 12:00: Travis zhevron/jwt (v1) errored (48)
  • May 15 2019 11:55: zhevron on v1
  • Apr 15 2015 06:38: Travis zhevron/jwt (v1.0.0) passed (47)
  • Apr 15 2015 06:35: zhevron on v1.0.0
  • Apr 15 2015 06:30: Travis zhevron/jwt (master) errored (46)
  • Apr 15 2015 06:28: zhevron on master: Ignore the "alg" token header c…; Clean up test DecodeToken calls; Updated package documentation; and 2 more
  • Apr 15 2015 06:01: zhevron on master: Removed unnecessary line from H…
  • Apr 14 2015 13:03: zhevron on master: Refactor KeyLookupCallback into…; Add examples to README
  • Apr 14 2015 10:54: zhevron on variable-key-type
  • Apr 14 2015 10:54: zhevron on master: Add support for variable key ty…; Updated documentation strings t…; Run tests only once; and 2 more
  • Apr 14 2015 10:53: zhevron closed #4
  • Apr 14 2015 09:09: Travis zhevron/jwt (feature/variable-key-type) fixed (41)
  • Apr 14 2015 09:04: zhevron on variable-key-type: Run tests only once; Reject any key but nil when Non…
  • Apr 14 2015 09:04: zhevron synchronize #4
Aaron L
@aarondl
This library is quite nice, but I think it's suffering from the security vulnerabilities here. 2 of them. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
Thomas Lokshall
@zhevron
That is a pretty nasty vulnerability. I can easily patch in a new parameter for DecodeToken that allows and/or forces you to specify the algorithm to use. I’m assuming the second one is passing alg:"none" tokens when a secret key is provided? Regardless, I’ll patch that in ASAP.
Thomas Lokshall
@zhevron
I’ve committed fixes for both issues as well as unit tests to make sure they actually work. The algorithm parameter to DecodeToken can be set to nothing ("") if the user really doesn’t want the check. This may be removed before I release it as v1.
Feel free to double check that the security vulnerabilities are gone.
Aaron L
@aarondl
Thanks for the quick turnaround. I've already committed to the other Go jwt library. But keep up the good work :) This API feels much easier to use. Although there is merit in the callbacks the other library uses for "kid" header lookups, you may want to support that workflow later down the road. But your current simple approach is great and had me initially looking here first until the security vulnerabilities caught my eye.
Thomas Lokshall
@zhevron
No reason I can’t support both workflows. The other one is just slightly more than 5 minutes of work. I’m short on free time these days, but I want to finish at least the RSA and ECDSA implementations as well as the Key ID workflow before I hit v1. I do notice that other libraries put tasks like verifying the signature into the Verify function instead of Decode like I did. Let me know if you see some suitable API changes that would make sense.
Aaron L
@aarondl
Oh definitely. I was suggesting that you support both when there's time. Anyways, I looked over the changes and they seem good to me. Should solve both security issues, the none + key as well as the algorithm verification. Nice.
Thomas Lokshall
@zhevron
And there we go. Key lookups are now available through jwt.KeyLookupCallback. Still not quite sure if I should refactor that into a function or not. Looks better in the documentation as a function. Should also be ready for RSA and ECDSA implementations now. I guess I should enable the wiki and write some proper usage documentation too… Or just rely on developers being able to figure it out from the godoc.org docs and the examples there.