rego-style-guide
Consider recommending verification and decoding of JWTs in two separate steps
Although documented, even experienced users get confused by the default constraints (aud in particular) provided by io.jwt.decode_verify. I think we might want to consider recommending verifying and decoding as a two-step process, i.e.

Avoid

```rego
claims := payload {
    [valid, _, payload] := io.jwt.decode_verify("my_jwt_token", {"cert": "my certificate"})
    valid
}
```

Prefer

```rego
claims := payload {
    io.jwt.verify_rs256("my_jwt_token", "my certificate")
    [_, payload, _] := io.jwt.decode("my_jwt_token")
}
```
I generally agree, but we should also give examples of checking the nbf/exp, aud, etc. criteria from Rego, then, maybe? Or at least call out the difference, and that you can't replace snippet 1 with snippet 2 and expect everything to be the same.
Yes, or even better, provide a library for that purpose :)
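The point raised in the reply above is the real risk of the two-step form: `io.jwt.verify_rs256` checks only the signature, so the `exp`, `nbf`, `aud` and `iss` checks that `io.jwt.decode_verify` performs (with its default of rejecting any token that carries an `aud` claim unless an `aud` constraint is supplied) silently disappear unless the policy re-implements them. The following policy is an added example written for this discussion, not code from the rego-style-guide or from OPA; it assumes the token arrives as `input.token`, the PEM certificate lives at `data.jwt.public_cert`, and the expected audience and issuer values are placeholders. It is stricter than `decode_verify` in one respect: it requires an `exp` claim to be present.

```rego
package jwt_example

# `import rego.v1` makes `if` and `in` available on OPA 0.59+ and 1.x,
# so the policy parses under both the old and the new syntax.
import rego.v1

# Assumed values for this example; replace with the real audience and issuer.
expected_aud := "my-api"
expected_iss := "https://issuer.example"

# Step 1: signature only. verify_rs256 returns true when the signature
# validates against the certificate; it does not look at any claim.
# input.token and data.jwt.public_cert are assumed input/data locations.
signature_valid if io.jwt.verify_rs256(input.token, data.jwt.public_cert)

# Step 2: decode without verification. decode returns [header, payload, signature].
claims := payload if {
	[_, payload, _] := io.jwt.decode(input.token)
}

# Current time in seconds, to compare against the second-granularity
# NumericDate values used by exp and nbf.
now_s := time.now_ns() / 1000000000

# Step 3: the claim checks decode_verify would otherwise have done for us.

# exp must be present and in the future (stricter than decode_verify,
# which accepts a token with no exp).
not_expired if {
	claims.exp
	now_s < claims.exp
}

# nbf is optional; when present it must not be in the future.
not_before_ok if not claims.nbf
not_before_ok if claims.nbf <= now_s

# aud may be a single string or an array of strings (RFC 7519 section 4.1.3);
# a token with no aud at all is rejected, matching decode_verify's behaviour
# when an aud constraint is supplied.
audience_ok if {
	is_string(claims.aud)
	claims.aud == expected_aud
}
audience_ok if {
	is_array(claims.aud)
	expected_aud in claims.aud
}

issuer_ok if claims.iss == expected_iss

token_ok if {
	signature_valid
	not_expired
	not_before_ok
	audience_ok
	issuer_ok
}

# Expose the claims to the rest of the policy only once every check has passed,
# so a downstream rule cannot accidentally consume unverified claims.
verified_claims := claims if token_ok
```

Downstream rules should reference `verified_claims` rather than `claims`, so that an undefined `verified_claims` (any failed check) makes the dependent rule undefined too, the same fail-closed behaviour the `valid` binding in the `decode_verify` form provides.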