
Header doesn't implement `Hash` anymore

Open coltfred opened this issue 2 months ago • 4 comments

Hey, thanks for all your work maintaining jsonwebtoken.

It seems that in the change to allow swapping crypto backends, `Hash` was removed from `Header`. This is kind of a repeat of the issue that Craig reported in #237.

Was this an oversight?

Thanks!

coltfred avatar Oct 03 '25 17:10 coltfred

> Was this an oversight?

Yes, we should add it back + a test

Keats avatar Oct 07 '25 09:10 Keats

This was introduced in https://github.com/Keats/jsonwebtoken/commit/5cd1887848f7d30f11adb4ebcec6a01baffd5252 (#420). HashMap is unhashable since it's unordered. If we want to derive Hash we'd have to change Header.extras to a BTreeMap, which would be a breaking change.

We could roll our own hash impl that sorts the hash map keys/values in order to hash them consistently, but depending on how folks are using Hash that potentially opens the door to DoS attacks in the event an attacker sends very large extras payloads, potentially optimized for worst-case sorting.

dsykes16 avatar Oct 08 '25 17:10 dsykes16
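The two options weighed in the comment above, a hand-written `Hash` impl that sorts the `HashMap` keys versus switching `extras` to a `BTreeMap` and deriving `Hash`, side by side. This is an added example, not code from the jsonwebtoken repository: the `Header` shape is simplified (assumption: `extras` holds `String` values here rather than `serde_json::Value`, so it compiles without extra crates), and `hash_of`, `header_with` and `dedup_count` are helper names invented for the example.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::{BTreeMap, HashMap, HashSet};
use std::hash::{Hash, Hasher};

/// Simplified stand-in for jsonwebtoken's `Header` (assumption: the real
/// `extras` holds `serde_json::Value`; plain strings are used here).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Header {
    pub alg: String,
    pub kid: Option<String>,
    pub extras: HashMap<String, String>,
}

impl Hash for Header {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.alg.hash(state);
        self.kid.hash(state);
        // HashMap deliberately has no Hash impl: its iteration order is
        // unspecified, so hashing entries in iteration order would give
        // different hashes for equal maps. Sort the keys first.
        // Cost is O(n log n) in the number of extras, which is the DoS
        // concern raised in the thread when extras are attacker-controlled.
        self.extras.len().hash(state);
        let mut keys: Vec<&String> = self.extras.keys().collect();
        keys.sort_unstable();
        for k in keys {
            k.hash(state);
            self.extras[k].hash(state);
        }
    }
}

/// The v11-style alternative: with `BTreeMap` (ordered by key) the derive
/// works directly and no custom sorting code is needed.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct HeaderBTree {
    pub alg: String,
    pub kid: Option<String>,
    pub extras: BTreeMap<String, String>,
}

/// Compute a u64 hash with std's default hasher (fixed keys, so it is
/// deterministic across calls and runs).
pub fn hash_of<T: Hash>(value: &T) -> u64 {
    let mut h = DefaultHasher::new();
    value.hash(&mut h);
    h.finish()
}

/// Build a constructed sample header with `extras` inserted in the given order.
pub fn header_with(pairs: &[(&str, &str)]) -> Header {
    Header {
        alg: "HS256".to_string(),
        kid: Some("key-1".to_string()),
        extras: pairs
            .iter()
            .map(|(k, v)| (k.to_string(), v.to_string()))
            .collect(),
    }
}

/// Convert to the BTreeMap-backed form so both impls can be compared.
pub fn to_btree(h: &Header) -> HeaderBTree {
    HeaderBTree {
        alg: h.alg.clone(),
        kid: h.kid.clone(),
        extras: h.extras.iter().map(|(k, v)| (k.clone(), v.clone())).collect(),
    }
}

/// The practical reason people want `Hash` on `Header`: using it as a
/// `HashSet`/`HashMap` key. Returns how many distinct headers were seen.
pub fn dedup_count(headers: &[Header]) -> usize {
    headers.iter().cloned().collect::<HashSet<Header>>().len()
}

fn main() {
    // Same contents, different insertion order.
    let a = header_with(&[("cty", "JWT"), ("x5u", "https://example.com/certs")]);
    let b = header_with(&[("x5u", "https://example.com/certs"), ("cty", "JWT")]);
    println!("equal: {}", a == b);
    println!("same hash (sorted impl): {}", hash_of(&a) == hash_of(&b));
    println!("same hash (BTreeMap derive): {}", hash_of(&to_btree(&a)) == hash_of(&to_btree(&b)));
    println!("distinct headers: {}", dedup_count(&[a.clone(), b.clone(), header_with(&[])]));
}
```

Both impls satisfy the `Hash`/`Eq` contract (equal headers hash equally regardless of insertion order); the difference is where the ordering cost is paid: per hash call in the sorted impl, per insert in the `BTreeMap` version. If the sorted impl is chosen, bounding the number of `extras` entries accepted at parse time keeps that per-call cost under the server's control rather than the token sender's.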

I guess let's keep it that way for now and we will switch to a `BTreeMap` for v11.

Keats avatar Oct 09 '25 08:10 Keats

There's an alternative way using traits that I threw together. I'm still polishing it up, but it keeps backwards compatibility and adds proper custom header support.

dsykes16 avatar Oct 09 '25 08:10 dsykes16