Why doesn't the decode function use a default algorithm? #227
Comments
@excpt The default algorithm was not dropped in #184. #184 changed the behavior to check the header's algorithm against the one supplied in options. Why not allow people to easily make the decision to use the default algorithm for decode? I don't think requiring someone to type in a string really improves security. The security improvement came from checking the header's algorithm against the one in options. Whether or not that is coming from a default value or a passed-in string, it still applies the same level of security.
Got the same issue, if you want to provide that behaviour without changing all your codebase you can use this monkeypatch:

```ruby
require 'jwt'

module JwtAlgorithmChooser
  # Default algorithm for decoding
  DEFAULT_ALGORITHM = 'HS256'

  # Automatically choose decoding algorithm when not given
  # @see https://github.com/jwt/ruby-jwt/issues/227
  def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
    # The default goes first so an algorithm passed by the caller still wins
    options = { algorithm: DEFAULT_ALGORITHM }.merge(custom_options)
    super(jwt, key, verify, options, &keyfinder)
  end
end

# Monkey patch the class until #227 is solved
# @see https://stackoverflow.com/a/32334444/518204
JWT.singleton_class.prepend(JwtAlgorithmChooser)
```
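The check discussed in the comments above, as an added example that is not part of the thread and not ruby-jwt's code: a stdlib-only HMAC verifier in which the expected algorithm comes from the caller or from a default, and the token header is only compared against it. The names `decode_pinned`, `sign_token`, `DIGESTS` and the sample key are assumptions made for this sketch.

```ruby
require 'openssl'
require 'json'

# Assumed default, mirroring the 'HS256' proposed in the thread.
DEFAULT_ALGORITHM = 'HS256'
DIGESTS = { 'HS256' => 'SHA256', 'HS512' => 'SHA512' }.freeze

class AlgorithmMismatch < StandardError; end
class BadSignature < StandardError; end

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  text.tr('-_', '+/').unpack1('m')
end

def hmac(alg, key, data)
  OpenSSL::HMAC.digest(DIGESTS.fetch(alg), key, data)
end

# Issue a compact token (header.payload.signature) to feed the verifier.
def sign_token(payload, key, alg = DEFAULT_ALGORITHM)
  input = [{ 'alg' => alg, 'typ' => 'JWT' }, payload]
          .map { |part| b64url_encode(JSON.generate(part)) }.join('.')
  "#{input}.#{b64url_encode(hmac(alg, key, input))}"
end

# The verifier picks the algorithm (default or explicit); the header never does.
def decode_pinned(token, key, algorithm: DEFAULT_ALGORITHM)
  header_b64, payload_b64, sig_b64 = token.split('.', -1)
  raise BadSignature, 'malformed token' if sig_b64.nil?
  header = JSON.parse(b64url_decode(header_b64))
  unless header['alg'] == algorithm
    raise AlgorithmMismatch, "expected #{algorithm}, header says #{header['alg']}"
  end
  expected = hmac(algorithm, key, "#{header_b64}.#{payload_b64}")
  given = b64url_decode(sig_b64)
  # Constant-time comparison of the two MACs.
  same = expected.bytesize == given.bytesize &&
         expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  raise BadSignature, 'signature mismatch' unless same
  JSON.parse(b64url_decode(payload_b64))
end
```

The mismatch is rejected the same way whether `algorithm:` is omitted or passed explicitly, which is the point made in the first comment.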
First of all: Sorry for the delay. I'm back from vacation. @madkin10 I merged your PR. I think I will get the 2.1.0 release ready by Friday. Thanks for all the feedback and contribution.

@excpt No problem. Sounds good.
Upgraded to 2.0.0 and started seeing this error everywhere I was calling `JWT.decode`. `JWT.encode` defaults to the `HS256` algorithm, why not do the same for `JWT.decode`? It would be a simple change to the `DEFAULT_OPTIONS`.