http4s-jwt-auth

JwtSecretKey takes a String

Open hunterpayne opened this issue 8 months ago • 6 comments

Strings in the JVM can be internalized. For this reason, it has long been the case that storing cryptographic material in a Java String is verboten (forbidden). Please change the signature of JwtSecretKey from taking a String to something more appropriate for cryptographic material.

java.security.PrivateKey would probably be the best choice but others like Array[Byte] or Array[Char] are probably good choices too.

hunterpayne Jun 15 '24 23:06
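
An added example, not part of the issue and not http4s-jwt-auth's own code: one way a key holder could accept `Array[Char]` instead of `String`, as the issue suggests, and wipe the caller's array once the key object is built. `HmacSecret`, `fromChars` and `sign` are hypothetical names, and HMAC-SHA256 is an assumed signing algorithm.

```scala
import java.nio.CharBuffer
import java.nio.charset.StandardCharsets
import java.util.Arrays
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Hypothetical wrapper (not the http4s-jwt-auth API): holds an HMAC key
// that was built from a char array, never from a String.
final class HmacSecret private (private val key: SecretKeySpec) {
  def sign(data: Array[Byte]): Array[Byte] = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(key)
    mac.doFinal(data)
  }
}

object HmacSecret {
  // Encodes the chars to UTF-8 without creating an intermediate String,
  // then wipes the caller's array and the temporary buffers.
  def fromChars(secret: Array[Char]): HmacSecret = {
    val encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret))
    val bytes = new Array[Byte](encoded.remaining())
    encoded.get(bytes)
    // SecretKeySpec keeps its own copy of the bytes, so ours can be zeroed.
    try new HmacSecret(new SecretKeySpec(bytes, "HmacSHA256"))
    finally {
      Arrays.fill(bytes, 0.toByte)
      if (encoded.hasArray) Arrays.fill(encoded.array(), 0.toByte)
      Arrays.fill(secret, '\u0000')
    }
  }
}

object Demo extends App {
  // Constructed sample secret; in practice read it from a source that
  // yields chars or bytes (for example java.io.Console.readPassword).
  val secret = Array('c', 'h', 'a', 'n', 'g', 'e', '-', 'm', 'e')
  val key = HmacSecret.fromChars(secret)
  val tag = key.sign("header.payload".getBytes(StandardCharsets.US_ASCII))
  println(s"tag length = ${tag.length}, secret wiped = ${secret.forall(_ == '\u0000')}")
}
```

The copy held inside `SecretKeySpec` lives as long as the key object does; the point of the char-array signature is that the caller-side material can be cleared deterministically, which a `String` does not allow.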