
Provide a better API for decoding a token without signature validation

Open tyilo opened this issue 1 year ago • 9 comments

Currently you have to use:

```rust
// Algorithm can be arbitrarily chosen
let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.insecure_disable_signature_validation();

// Key can be arbitrarily chosen
let key = jsonwebtoken::DecodingKey::from_secret(&[]);
let payload = jsonwebtoken::decode::<Claims>(token, &key, &validation).unwrap();
```

I think the following API would be better:

```rust
let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::<Claims>(token, &validation).unwrap();
```

You avoid having to choose a random algorithm and decoding key that aren't ever used.

tyilo, Aug 26 '24 09:08
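What a decode without signature validation amounts to, as an added std-only Rust example (not jsonwebtoken's code and not the API proposed in the issue). The function names `b64url_decode` and `unverified_claims_json` and the sample token are constructed here; the point is that no algorithm or key takes part, and that the result is untrusted input.

```rust
// Added example, std only. The signature segment is never checked, so the
// returned claims must be treated as attacker-controlled input.

/// Decode unpadded base64url (RFC 4648 section 5), as used for JWT segments.
fn b64url_decode(input: &str) -> Result<Vec<u8>, &'static str> {
    if input.len() % 4 == 1 {
        return Err("invalid base64url length");
    }
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return Err("invalid base64url character"),
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    Ok(out)
}

/// Return the claims JSON of a compact JWS without verifying anything.
fn unverified_claims_json(token: &str) -> Result<String, &'static str> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 {
        return Err("expected header.payload.signature");
    }
    // parts[0] (header) and parts[2] (signature) are deliberately ignored:
    // this is why no algorithm and no key are needed.
    let payload = b64url_decode(parts[1])?;
    String::from_utf8(payload).map_err(|_| "payload is not UTF-8")
}

fn main() {
    // Constructed sample token; the signature segment is a dummy value.
    let token = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln";
    println!("{:?}", unverified_claims_json(token));
}
```
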