Middleware never validates claims despite claiming to about jwtauth HOT 10 CLOSED

Sounds good.

We use our own Verifier middleware, so that's where the confusion came from. Good catch!

from jwtauth.

Any update? 😁 Seems like a semi-serious security flaw.

from jwtauth.

@ernsheong which default validations are missing besides checking validity of the signature, the algo matches and the token isn't expired? as in https://github.com/go-chi/jwtauth/blob/master/jwtauth.go#L109-L130

from jwtauth.

Something I can think of is the "aud" claim. Tricky but ideal is how can we let the caller handle this on their own without letting this library do all the heavy lifting.

from jwtauth.

@ernsheong in this case, as the docs suggest, you should write your own Verifier where the defaults aren't sufficient. But I don't see any security issues with the default, but as security issues are serious, it's nice to have a second set of eyes

from jwtauth.

Apologies, I might have overstated. Seems more acceptable now that I've studied it further.

Another separate concern is I'm not sure where this is coming from. Couldn't trace it from jwt-go:
https://github.com/go-chi/jwtauth/blob/master/jwtauth.go#L112

Also, the docs said to "write your own" Authenticator, so I assumed Verifier was supposed to not be customizable.

from jwtauth.

@ernsheong yea, good catch on that line. It's likely to do nothing at all, and was made to offer a more explicit error, but wouldn't be a security flaw. We should improve that for sure

from jwtauth.

@pkieltyka Thanks for the quick replies, created #29 to track that. Loving chi! Sorry for spamming this thread 😅

from jwtauth.

@ernsheong naw dude, thank you for giving it a look and submitting the concern, we can definitely improve it given the noop code :)

from jwtauth.

I'll close this so we can continue in #29

from jwtauth.