Tags: golang-jwt/jwt
`v5` Pre-Release (#234) Co-authored-by: Micah Parks <[email protected]> Co-authored-by: Michael Fridman <[email protected]>
Allow strict base64 decoding (#259)

By default the base64 decoder works in non-strict mode, which allows tweaking signatures that have padding without failing validation. This creates a potential problem if the application treats the token value as an identifier. For example, an ES256 signature has a length of 64 bytes and two padding symbols (stripped by default). Therefore its base64-encoded value can only end with A, Q, g and w. In non-strict mode the last symbol could be tweaked, resulting in 16 distinct token values having the same signature and passing validation. This change adds a backward-compatible global config variable DecodeStrict (similar to the existing DecodePaddingAllowed) that enables strict base64 decoder mode. See also golang/go#15656. Signed-off-by: Alexander Yastrebov <[email protected]>
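The malleability described in the commit message above can be shown with the Go standard library alone. The following is an added example, not code from golang-jwt/jwt: it takes a raw signature, re-encodes it as base64url without padding, then substitutes every alphabet character for the final symbol and counts how many of the 64 candidates decode back to the original bytes under `base64.RawURLEncoding` (lenient, what the library uses by default) versus `base64.RawURLEncoding.Strict()` (the RFC 4648 trailing-bits check that the new `DecodeStrict` switch turns on). The function name `SignatureVariants`, the helper `DecodeSegment` and its `strict` flag are this example's own, not the library's API; the sample signature bytes are constructed, not a real ECDSA signature. The example generalises beyond the 64-byte ES256 case in the text: a 32-byte HS256 MAC leaves two unused bits (4 variants), while a 48-byte ES384 signature is a multiple of 3 bytes and leaves none (1 variant).

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
)

// Alphabet of base64url (RFC 4648 section 5), used to enumerate candidates
// for the final symbol of an encoded segment.
const b64urlAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

// DecodeSegment decodes one JWT segment (header, claims or signature) the way a
// library might, with strict being the hypothetical equivalent of the
// DecodeStrict switch: when true, non-zero trailing padding bits are rejected.
func DecodeSegment(seg string, strict bool) ([]byte, error) {
	enc := base64.RawURLEncoding
	if strict {
		enc = enc.Strict()
	}
	return enc.DecodeString(seg)
}

// SignatureVariants encodes sig, then replaces only the last base64url symbol
// with each of the 64 alphabet characters. It returns how many of those
// candidates decode to exactly the original bytes under lenient decoding and
// under strict decoding. For a signature whose bit length is not a multiple
// of 6, lenient decoding silently discards the unused low bits of the last
// symbol, so several distinct strings map to the same signature.
func SignatureVariants(sig []byte) (lenient, strict int) {
	enc := base64.RawURLEncoding.EncodeToString(sig)
	prefix := enc[:len(enc)-1]
	for i := 0; i < len(b64urlAlphabet); i++ {
		candidate := prefix + string(b64urlAlphabet[i])
		if got, err := DecodeSegment(candidate, false); err == nil && bytes.Equal(got, sig) {
			lenient++
		}
		if got, err := DecodeSegment(candidate, true); err == nil && bytes.Equal(got, sig) {
			strict++
		}
	}
	return lenient, strict
}

// constructedSignature builds a deterministic, non-cryptographic byte string
// of the requested length so the example runs offline; it is not a real
// ECDSA or HMAC signature.
func constructedSignature(n int) []byte {
	sig := make([]byte, n)
	for i := range sig {
		sig[i] = byte(i*7 + 3)
	}
	return sig
}

func main() {
	for _, c := range []struct {
		alg  string
		size int
	}{{"ES256", 64}, {"HS256", 32}, {"ES384", 48}} {
		l, s := SignatureVariants(constructedSignature(c.size))
		fmt.Printf("%s (%d bytes): %2d token strings pass lenient decoding, %d pass strict\n", c.alg, c.size, l, s)
	}
}
```

Because 64 bytes are 512 bits and 86 base64url symbols carry 516, the final symbol has four bits that carry no data; lenient decoding accepts all 16 values of those bits, strict decoding only zero. An application that deduplicates or revokes tokens by their exact string value should therefore decode strictly, or canonicalise by decoding and re-encoding before using the string as a key.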