
Verify tokens without throwing exceptions

Open kwando opened this issue 10 years ago • 10 comments

It would be very nice to be able to verify a token without having to rescue exceptions.

kwando avatar Jan 18 '16 08:01 kwando

Hi @kwando,

do you mean something like this?

Pseudocode:

exp = Time.now.to_i + 4 * 3600
exp_payload = { :data => 'data', :exp => exp }

token = JWT.encode exp_payload, hmac_secret, 'HS256'

decoded_token = JWT.decode token, hmac_secret, true, { :algorithm => 'HS256' }

if JWT.has_error?
  puts JWT.get_errors # returns array of errors ['Exp is invalid', 'Algo does not match.']
end

excpt avatar Jan 18 '16 09:01 excpt

Not with global state like that.

exp = Time.now.to_i + 4 * 3600
exp_payload = { :data => 'data', :exp => exp }

token = JWT.encode(exp_payload, hmac_secret, 'HS256')

result = JWT.decode(token, hmac_secret, true, { :algorithm => 'HS256' })

if result.errors?
  puts result.errors # returns array of errors ['Exp is invalid', 'Algo does not match.']
end

result.value # returns the decoded claims

kwando avatar Jan 18 '16 09:01 kwando

@kwando @excpt agreed. It is never nice to use exceptions for flow control: http://programmers.stackexchange.com/a/189225

The main problem of doing this would be backwards compatibility.

fabioxgn avatar Feb 07 '16 08:02 fabioxgn

@fabioxgn If we plan this one correctly, we simply introduce an API change / break with version 2.0. This shouldn't be a problem.

excpt avatar Feb 08 '16 17:02 excpt

I'm willing to invest some time into this endeavor. I think the verification API needs an overhaul too, and it would be good to look into that if we are doing a 2.0.

kwando avatar Feb 09 '16 10:02 kwando

@kwando Looking forward to seeing your ideas.

You may have a look at #110 for a more advanced discussion into the 2.0 verification API.

excpt avatar Feb 09 '16 10:02 excpt

Whatever happened to this? It seems like flow control is still managed through exceptions. Am I missing something?

JoeWoodward avatar Feb 21 '18 08:02 JoeWoodward

This proposed change didn’t make it into 2.0. This is still an open issue.

excpt avatar Feb 25 '18 09:02 excpt

@excpt @JoeWoodward I think it would make sense to introduce a new class like DecodedToken with the interface #errors and #value. We can initialize the class at the beginning of the JWT#decode method and return it at the end.

ab320012 avatar Apr 23 '18 12:04 ab320012

How can these exceptions be rescued? It just throws a 500 server error when they occur.

Tonyynot14 avatar Jul 05 '19 15:07 Tonyynot14
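The non-raising interface kwando sketched earlier (#errors?, #errors, #value) and the last question in the thread (how to avoid the exceptions bubbling up as a 500) can both be illustrated with an added example. This is not ruby-jwt's code or API: it is a self-contained HS256 verifier on Ruby's standard library (openssl, base64, json) that collects every failure into a result object instead of raising. The names VerifyResult and NoRaiseHS256 are hypothetical, and the secret and timestamps are constructed test values. Whatever API style a library offers, the example keeps the checks a verifier must not skip: the algorithm is pinned by the caller rather than taken from the attacker-controlled header (so an alg of "none" is rejected), the MAC is compared in constant time, and a missing exp is treated as an error (a choice of this example, stricter than simply skipping the check).

```ruby
require 'openssl'
require 'base64'
require 'json'

# Result object in the shape proposed in the thread: #errors, #errors?, #value.
# Hypothetical name; this is not a ruby-jwt class.
class VerifyResult
  attr_reader :errors, :value

  def initialize(value, errors)
    @value = value   # decoded claims on success, nil on any failure
    @errors = errors # array of human-readable failure reasons
  end

  def errors?
    !@errors.empty?
  end
end

# Minimal HS256 encode/verify that never raises for a bad token.
# Hypothetical module; not part of ruby-jwt.
module NoRaiseHS256
  module_function

  def b64url_encode(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def b64url_decode(str)
    Base64.urlsafe_decode64(str) # raises ArgumentError on bad input; rescued below
  end

  # Constant-time comparison so a forged signature cannot be guessed byte by byte
  # from timing differences. Implemented by hand to avoid depending on a
  # particular openssl gem version.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def encode(payload, secret)
    header = { 'alg' => 'HS256', 'typ' => 'JWT' }
    signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url_encode(sig)}"
  end

  # Returns a VerifyResult; `now` is injectable so expiry can be tested deterministically.
  def decode(token, secret, now: Time.now.to_i)
    errors = []
    parts = token.to_s.split('.', -1)
    return VerifyResult.new(nil, ['Token must have three segments']) unless parts.length == 3

    header_b64, payload_b64, sig_b64 = parts
    begin
      header = JSON.parse(b64url_decode(header_b64))
      payload = JSON.parse(b64url_decode(payload_b64))
      signature = b64url_decode(sig_b64)
    rescue ArgumentError, JSON::ParserError => e
      return VerifyResult.new(nil, ["Malformed segment: #{e.class}"])
    end
    return VerifyResult.new(nil, ['Header and payload must be JSON objects']) unless header.is_a?(Hash) && payload.is_a?(Hash)

    # The header is attacker-controlled: the caller decides the algorithm, so
    # 'none' or any other value is an error rather than an instruction.
    errors << 'Algo does not match.' unless header['alg'] == 'HS256'

    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
    errors << 'Signature verification failed' unless secure_equal?(signature, expected)

    exp = payload['exp']
    if !exp.is_a?(Numeric)
      errors << 'Exp is missing'
    elsif exp <= now
      errors << 'Exp is invalid'
    end

    VerifyResult.new(errors.empty? ? payload : nil, errors)
  end
end

# Usage with constructed values (not a real secret).
hmac_secret = 'constructed-test-secret'
issued_at = 1_700_000_000
token = NoRaiseHS256.encode({ 'data' => 'data', 'exp' => issued_at + 4 * 3600 }, hmac_secret)

result = NoRaiseHS256.decode(token, hmac_secret, now: issued_at)
puts result.errors? ? result.errors.inspect : result.value.inspect

stale = NoRaiseHS256.decode(token, hmac_secret, now: issued_at + 5 * 3600)
puts stale.errors.inspect
```

With the real gem the equivalent of this result object is a rescue around JWT.decode: the verification failures it raises (expired signature, bad signature, wrong algorithm) all descend from JWT::DecodeError, so rescuing that base class in the controller and returning 401 is what prevents the 500 mentioned in the last comment.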