Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add insecure_decode_without_signature_validation #418

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: Add insecure_decode_without_signature_validation #418

wants to merge 1 commit into from

Conversation

Nereuxofficial
Copy link

As discussed here adds support for insecure_decode_without_serialization as well as a doc test for it. I also fixed some doc warnings while at it.

rimutaka
rimutaka reviewed Feb 17, 2025
View reviewed changes
src/decoding.rs
/// ```
pub fn insecure_decode_without_signature_validation<T: DeserializeOwned>(
token: &str,
validation: &Validation,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm missing something here. Please ignore if I'm wrong.
The function says it does not do validation and the algorithm can be arbitrary chose, yet, there is a validation param and the validation step. So it's kind of partial validation.

I find it confusing and is not what #401 calls for.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah i was not completely sure that was the case as the creator of the issue wanted essentially this API:
``rs
let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::(token, &validation).unwrap();

And IMO then a Validation::insecure_none or similar should exist to make this function more general.
Nonetheless the Doc comment is wrong so thanks for pointing that out!

rimutaka
rimutaka reviewed Feb 17, 2025
View reviewed changes
src/decoding.rs
let (claims, _) = expect_two!(rest.rsplitn(2, '.'));
let decoded_claims = DecodedJwtPartClaims::from_jwt_part_claims(claims)?;
let claims = decoded_claims.deserialize()?;
validate(decoded_claims.deserialize()?, validation)?;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function description says "the claims are not validated", but they are.

rimutaka
rimutaka reviewed Feb 17, 2025
View reviewed changes
Copy link

@rimutaka rimutaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it a good idea to add tests?

  • valid signature
  • invalid signature
  • invalid token

I'm not a maintainer, so feel free to ignore.

src/decoding.rs
token: &str,
validation: &Validation,
) -> Result<T> {
let (_, rest) = expect_two!(token.rsplitn(2, '.'));
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JWT has 3 parts: Header, Payload, Signature.

The existing code refers to them by those names:

    let (signature, message) = expect_two!(token.rsplitn(2, '.'));
    let (payload, header) = expect_two!(message.rsplitn(2, '.'));

It would be good to keep them consistent throughout the file.

@Nereuxofficial Nereuxofficial force-pushed the feat/insecure-decode-without-signature-validation branch from 84d5492 to a083324 Compare February 17, 2025 21:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rimutaka rimutaka rimutaka left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Nereuxofficial @rimutaka