Why does the existence of a signature algorithm entail a required verification? #24
Comments
|
How about using "NONE" algorithm for such cases ? Setting an algorithm and not using a key does not sound a realistic scenario to me. |
|
The thing is that the token is already there. It's not my choice of what algorithm goes into the token anymore. What I'd like to do is just decode an existing token. You're assuming that the dev who wants to extract contents from a token also has the power to decide the algorithm, which is not generally the case, unless one has to tamper with the token before extracting data from it. Also remember that verification costs computation that may not be necessary depending on the application. What puzzles me in all this is: Why is it OK to ignore the dev's will to verify? Isn't that the point of having the parameter |
|
So the payload of the token anyways cannot be decoded without the key. But the user can still get the decoded header which is the only thing that can be decoded in this case. |
|
I feel what you said is a little ambiguous, but I guess my answer is yes. That's the situation. In the current state, the payload is unreachable through the API if no key was set, and in general, why is someone who wants to read the payload required to enter a key? I don't understand this. Please remember that the payload is not encrypted. So decoding has nothing to do with the key being present. The algorithm is just for the signature. |
|
Payload is also available in decoded form in the object. Sorry I missed that. |
|
I will provide a fix to not do the signature verification. |
|
@TheQuantumPhysicist Sorry I accidentally deleted your comment instead of mine and I dont know how to undo. Can you please add it back ? Really sorry for that. |
|
I was just suggesting that you review my suggestion on how to fix this. It just costs a cut and paste. |
|
Yes thats what needs to be done. I have few tests to fix which depended on that. |
In my code, I have parts where I need to extract the data from a token without verifying it (and without the key being available). Basically because the verification was done before and the token was authorized.
Now check out this part of the code:
cpp-jwt/include/jwt/impl/jwt.ipp
Line 698 in 077e6f3
In line 698, the code gets the message from the user that a verification is not necessary, so that block is skipped. But then in line 709, this block completely ignores whether the user wants to verify, and simply checks the header and whether there's an algorithm associated with the header. This basically means that it's impossible to extract information from a token without a key. For me, I'm getting an error code
DecodeErrc::KeyNotPresent, because there's no key associated with the object, although I'm not willing to verify.The fix I suggest is to put this block inside the other block in line 698. Only if the user is willing to verify, then the algorithm should be checked.
The reason I haven't created a pull-request for this is that I'm not sure why this was done this way, and there's the possibility that there's something I'm misunderstanding here. So kindly explain whether my reasoning is correct.
Best.
The text was updated successfully, but these errors were encountered: