Skip to content

feat: Add insecure_decode_without_signature_validation #418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: Add insecure_decode_without_signature_validation #418

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions src/decoding.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -286,3 +286,43 @@ pub fn decode_header(token: &str) -> Result<Header> {
let (_, header) = expect_two!(message.rsplitn(2, '.'));
Header::from_encoded(header)
}

/// Decode a JWT without any signature verification and return its claims.
/// This means that the token is not verified so use with caution.
/// This is useful when you want to extract the claims without verifying the signature.
///
/// # Arguments
///
/// * `token` - A string slice that holds the JWT token
/// * `validation` - A [Validation](struct.Validation.html) object that holds the validation options
///
/// # Example
///
/// ```rust
/// use jsonwebtoken::{insecure_decode_without_signature_validation, Validation, Algorithm};
/// use serde::{Deserialize, Serialize};
///
/// #[derive(Debug, Serialize, Deserialize)]
/// struct Claims {
/// sub: u32,
/// name: String,
/// iat: u64,
/// exp: u64
/// }
///
/// // Example token from jwt.io
/// let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjoyNTE2MjM5MDYwfQ.Yf3kCk-BdkW3DZNao3lwMoU41ujnt86OgewBA-Q2uBw".to_string();
/// let validation = Validation::new(Algorithm::HS256);
/// let claims = insecure_decode_without_signature_validation::<Claims>(&token, &validation).unwrap();
/// ```
pub fn insecure_decode_without_signature_validation<T: DeserializeOwned>(
token: &str,
validation: &Validation,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm missing something here. Please ignore if I'm wrong.
The function says it does not do validation and the algorithm can be arbitrary chose, yet, there is a validation param and the validation step. So it's kind of partial validation.

I find it confusing and is not what #401 calls for.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah i was not completely sure that was the case as the creator of the issue wanted essentially this API:
``rs
let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::(token, &validation).unwrap();

And IMO then a Validation::insecure_none or similar should exist to make this function more general.
Nonetheless the Doc comment is wrong so thanks for pointing that out!

) -> Result<T> {
let (_, rest) = expect_two!(token.rsplitn(2, '.'));
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JWT has 3 parts: Header, Payload, Signature.

The existing code refers to them by those names:

    let (signature, message) = expect_two!(token.rsplitn(2, '.'));
    let (payload, header) = expect_two!(message.rsplitn(2, '.'));

It would be good to keep them consistent throughout the file.

let (claims, _) = expect_two!(rest.rsplitn(2, '.'));
let decoded_claims = DecodedJwtPartClaims::from_jwt_part_claims(claims)?;
let claims = decoded_claims.deserialize()?;
validate(decoded_claims.deserialize()?, validation)?;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function description says "the claims are not validated", but they are.

Ok(claims)
}
2 changes: 1 addition & 1 deletion src/jwk.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#![allow(missing_docs)]
//! This crate contains types only for working JWK and JWK Sets
//! This is only meant to be used to deal with public JWK, not generate ones.
//! Most of the code in this file is taken from https://github.com/lawliet89/biscuit but
//! Most of the code in this file is taken from <https://github.com/lawliet89/biscuit> but
//! tweaked to remove the private bits as it's not the goal for this crate currently.

use crate::{
Expand Down
4 changes: 3 additions & 1 deletion src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ mod serialization;
mod validation;

pub use algorithms::Algorithm;
pub use decoding::{decode, decode_header, DecodingKey, TokenData};
pub use decoding::{
decode, decode_header, insecure_decode_without_signature_validation, DecodingKey, TokenData,
};
pub use encoding::{encode, EncodingKey};
pub use header::Header;
pub use validation::{get_current_timestamp, Validation};