Skip to content

feat: Add insecure_decode_without_signature_validation #418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: Add insecure_decode_without_signature_validation #418

wants to merge 1 commit into from

Conversation

Nereuxofficial
Copy link

As discussed here adds support for insecure_decode_without_serialization as well as a doc test for it. I also fixed some doc warnings while at it.

rimutaka
rimutaka reviewed Feb 17, 2025
View reviewed changes
src/decoding.rs
/// ```
pub fn insecure_decode_without_signature_validation<T: DeserializeOwned>(
token: &str,
validation: &Validation,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm missing something here. Please ignore if I'm wrong.
The function says it does not do validation and the algorithm can be arbitrary chose, yet, there is a validation param and the validation step. So it's kind of partial validation.

I find it confusing and is not what #401 calls for.

Copy link
Author

@Nereuxofficial Nereuxofficial Feb 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah i was not completely sure that was the case as the creator of the issue wanted essentially this API:

let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::<Claims>(token, &validation).unwrap();

And IMO then a Validation::insecure_none or similar should exist to make this function more general.
Nonetheless the Doc comment is wrong so thanks for pointing that out!

rimutaka
rimutaka reviewed Feb 17, 2025
View reviewed changes
src/decoding.rs
let (claims, _) = expect_two!(rest.rsplitn(2, '.'));
let decoded_claims = DecodedJwtPartClaims::from_jwt_part_claims(claims)?;
let claims = decoded_claims.deserialize()?;
validate(decoded_claims.deserialize()?, validation)?;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function description says "the claims are not validated", but they are.

rimutaka
rimutaka reviewed Feb 17, 2025
View reviewed changes
Copy link

@rimutaka rimutaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it a good idea to add tests?

  • valid signature
  • invalid signature
  • invalid token

I'm not a maintainer, so feel free to ignore.

src/decoding.rs
token: &str,
validation: &Validation,
) -> Result<T> {
let (_, rest) = expect_two!(token.rsplitn(2, '.'));
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JWT has 3 parts: Header, Payload, Signature.

The existing code refers to them by those names:

    let (signature, message) = expect_two!(token.rsplitn(2, '.'));
    let (payload, header) = expect_two!(message.rsplitn(2, '.'));

It would be good to keep them consistent throughout the file.

@Nereuxofficial Nereuxofficial force-pushed the feat/insecure-decode-without-signature-validation branch from 84d5492 to a083324 Compare February 17, 2025 21:07
@atezet
Copy link

atezet commented Aug 6, 2025

Can I help out to move this forward?

@Nereuxofficial
Copy link
Author

Can I help out to move this forward?

Feel free to do so as i no longer have a use-case for this feature and the envisioned API is a bit unclear.

@atezet
Copy link

atezet commented Aug 9, 2025

While looking into this, I found that Validation::insecure_disable_signature_validation already exists, basically doing the same thing as thing as the newly added insecure_decode_without_signature_validation. The only annoying thing about the old API is the fact that a DecodingKey is required, even if validate_signature is false. Code-wise, it would be nicer to bundle these and do signature validation based on whether or not a key is passed. But I can see why the maintainer wouldn't want such unsafe default behaviour in the library. Therefore, I think this PR is complete as is, is it not? If there's still comments or variable names to fix I'd happily help out, but I'd prefer to hear that from a maintainer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@rimutaka rimutaka rimutaka left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Nereuxofficial @atezet @rimutaka