Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an option to verify the signature on decode #71

Merged
merged 1 commit into from
Apr 2, 2015
Merged

Add an option to verify the signature on decode #71

merged 1 commit into from
Apr 2, 2015

Conversation

javawizard
Copy link
Contributor

No description provided.

@danleyden
Copy link
Contributor

Looks like a good idea. I wonder if it would be a good idea for the 'allowed algorithm' to be an array? In many cases, I would expect multiple algorithms to be acceptable rather than requiring a single exact match.

@excpt
Copy link
Member

excpt commented Apr 2, 2015

@javawizard Thanks for the PR. I will check and merge it tonight.

@danleyden IMO checking only one algo is the better solution. Checking against different algorithms is a feature that depends on each individual project. We should simply focus on the stability of the lib and keep things simple. It may be a feature for version 2.x to handle multiple allowed algos that the ruby-jwt will check against.

@excpt excpt added this to the Version 1.4.2 milestone Apr 2, 2015
@excpt excpt self-assigned this Apr 2, 2015
@excpt excpt merged commit 973edb0 into jwt:master Apr 2, 2015
excpt added a commit that referenced this pull request Apr 10, 2015
@excpt
Fix syntax issues introduced by #71
078ac1b 
Make syntax 1.8.7 and 1.9.x compatible again
@AlexParamonov
Copy link

Hello, when it will be pushed to Rubygems? We need to specify the algorithm to avoid vulnerabilities (#76)

aarongray added a commit to aarongray/ruby-jwt that referenced this pull request Oct 6, 2015
@aarongray
Update docs to include instructions for the algorithm parameter.
b0cb86d 
This parameter is necessary to prevent attackers from bypassing the
algorithm verification step.

See:
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
jwt#76
jwt#71
jwt#107
@aarongray aarongray mentioned this pull request Oct 6, 2015
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@excpt excpt

Labels
enhancement
Projects
None yet
Milestone
Version 1.4.2
Development

Successfully merging this pull request may close these issues.
4 participants
@javawizard @danleyden @excpt @AlexParamonov