
Unnecessary custom base64 implementation

Open joonas-fi opened this issue 3 years ago • 2 comments

Go has RawStdEncoding which makes this unnecessary:

https://github.com/kataras/jwt/blob/1639fcff96f82f7ff118fcff6e1fbd0e01754f2c/token.go#L247

Not trying to nitpick here, rather I think security-wise it's dangerous as a concept to mutate untrusted input data before it's fed to a signature validation algorithm.

joonas-fi, Mar 03 '21 13:03
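To make the point concrete, here is an added example (not code from the kataras/jwt project) showing what "don't mutate untrusted input before verifying" looks like with only the standard library: segments are decoded with `base64.RawURLEncoding.Strict()` (the base64url alphabet JWT uses, no padding, non-canonical trailing bits rejected), and the HMAC is checked over the `header.payload` bytes exactly as they arrived, before anything is decoded. The HS256 helpers, the key and the claims are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// segmentEncoding is the JWT segment alphabet (base64url, no padding).
// Strict() also rejects encodings whose unused trailing bits are non-zero,
// so every byte sequence has exactly one encoding the decoder will accept.
var segmentEncoding = base64.RawURLEncoding.Strict()

// decodeSegment decodes one token segment as received. Padding characters,
// non-canonical trailing bits and characters outside the alphabet are all
// returned as errors instead of being silently repaired.
func decodeSegment(s string) ([]byte, error) {
	return segmentEncoding.DecodeString(s)
}

// signHS256 builds a compact token. The signature covers the exact bytes
// that will be transmitted, so no re-encoding is ever needed on receipt.
func signHS256(header, payload, key []byte) string {
	signingInput := segmentEncoding.EncodeToString(header) + "." +
		segmentEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + segmentEncoding.EncodeToString(mac.Sum(nil))
}

// verifyHS256 checks the signature over the untrusted token string exactly
// as received and only then decodes the payload. Nothing is stripped,
// re-padded or re-encoded before the comparison.
func verifyHS256(token string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three segments")
	}
	sig, err := decodeSegment(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad signature encoding: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1])) // bytes as sent, untouched
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("jwt: signature mismatch")
	}
	payload, err := decodeSegment(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad payload encoding: %w", err)
	}
	return payload, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed, not a real secret
	tok := signHS256([]byte(`{"alg":"HS256","typ":"JWT"}`), []byte(`{"sub":"alice"}`), key)
	fmt.Println(tok)

	payload, err := verifyHS256(tok, key)
	fmt.Printf("valid token: %q, err=%v\n", payload, err)

	// A single changed character in the payload segment fails the MAC check.
	parts := strings.Split(tok, ".")
	tampered := parts[0] + "." + parts[1][:len(parts[1])-1] + "A." + parts[2]
	_, err = verifyHS256(tampered, key)
	fmt.Println("tampered token:", err)

	// The strict decoder refuses the forms a lenient decoder would "fix".
	for _, s := range []string{"YQ", "YQ==", "YR"} {
		b, err := decodeSegment(s)
		fmt.Printf("segment %q -> %q, err=%v\n", s, b, err)
	}
}
```

`"YQ"` is the one canonical encoding of the byte `a`; `"YQ=="` (padding) and `"YR"` (same leading bits, non-zero trailing bits) both decode to `a` under a lenient decoder but are rejected here, which is the property you want when the same bytes are about to be compared against a signature.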

If you're open to more suggestions:

https://github.com/kataras/jwt/blob/1639fcff96f82f7ff118fcff6e1fbd0e01754f2c/util.go#L6

I think Go has recently done some optimizations where the compiler automatically optimizes these. I feel a bit unsafe with unsafe and doing special tricks in a security-critical library.

joonas-fi, Mar 03 '21 13:03

Hello @joonas-fi,

BytesToString and Base64Encode are mostly helpers for users of this package. BytesToString is used just on a single return statement, inside the blockfile.go file; of course we can remove it from there if that's a "security" issue for you, I can live without it too. Base64Encode is used once, in "encodeToken", just to encode server-side data, the custom claims you/your program provides and NOT the user/client's one. I don't see any security-wise issue here but I am open to further discussion.

kataras, Apr 09 '22 22:04