instructure
[FR] Bind Keys to Version and Purpose
See https://github.com/paseto-standard/paseto-spec/blob/master/docs/02-Implementation-Guide/03-Algorithm-Lucidity.md
Right now, byte arrays of length 32 are accepted by this API. There's no mechanism to prevent a user from using a v2 public key as a v2 local key.
Thanks for the report! I was already working on this as part of my v3/v4 work since this will require a breaking change. (Unfortunately the only thing with the new specs I've seen so far that will.)
Excellent!
This isn't a vulnerability, necessarily, but we want to make sure misuse resistance is emphasized. :)
Yep, totally understand, and it's worthwhile to do. I'm all for latching foot guns, just need to find time to do it after moving 😅