From 67a15bf7f62891be39a4593e31439c34ae4741e8 Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Sun, 26 Sep 2021 09:51:51 +0200
Subject: [PATCH 1/5] Introducing functional-style options for the Parser type
---
 parser.go | 18 +++++++++++++++---
 parser_option.go | 22 ++++++++++++++++++++++
 token.go | 2 ++
 3 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 parser_option.go
diff --git a/parser.go b/parser.go
index 0c811f31..db4c7b64 100644
--- a/parser.go
+++ b/parser.go
@@ -8,9 +8,21 @@ import (
 )
 
 type Parser struct {
- ValidMethods []string // If populated, only these methods will be considered valid
- UseJSONNumber bool // Use JSON Number format in JSON decoder
- SkipClaimsValidation bool // Skip claims validation during token parsing
+ ValidMethods []string // If populated, only these methods will be considered valid. In future releases, this field will not be exported anymore
+ UseJSONNumber bool // Use JSON Number format in JSON decoder. In future releases, this field will not be exported anymore
+ SkipClaimsValidation bool // Skip claims validation during token parsing. In future releases, this field will not be exported anymore
+}
+
+// NewParser creates a new Parser with the specified options
+func NewParser(options ...ParserOption) *Parser {
+ p := &Parser{}
+
+ // loop through our parsing options and apply them
+ for _, option := range options {
+ option(p)
+ }
+
+ return p
 }
 
 // Parse parses, validates, and returns a token.
diff --git a/parser_option.go b/parser_option.go
new file mode 100644
index 00000000..a58224ac
--- /dev/null
+++ b/parser_option.go
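Review bot: NewParser's doc comment does not say what a parser built with no options enforces. Going by the field comment on ValidMethods ("If populated, only these methods will be considered valid"), `NewParser()` with no options applies no signing-method allow-list, so the algorithm check rests on the caller's Keyfunc. I would extend the comment with `// With no options, no signing-method allow-list is applied and claims validation stays enabled; pass WithValidMethods to restrict the accepted algorithms.` Separately, the loop calls `option(p)` unguarded, so a nil ParserOption in the argument list panics; `if option != nil { option(p) }` avoids that.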
@@ -0,0 +1,22 @@
+package jwt
+
+// ParserOption is used to implement functional options that modify the behaviour of the parser
+type ParserOption func(*Parser)
+
+func WithValidMethods(methods []string) ParserOption {
+ return func(p *Parser) {
+ p.ValidMethods = methods
+ }
+}
+
+func WithJSONNumber() ParserOption {
+ return func(p *Parser) {
+ p.UseJSONNumber = true
+ }
+}
+
+func WithoutClaimsValidation() ParserOption {
+ return func(p *Parser) {
+ p.SkipClaimsValidation = true
+ }
+}
diff --git a/token.go b/token.go
index b896acb0..c3606a46 100644
--- a/token.go
+++ b/token.go
@@ -85,6 +85,8 @@ func (t *Token) SigningString() (string, error) {
 // Parse parses, validates, and returns a token.
 // keyFunc will receive the parsed token and should return the key for validating.
 // If everything is kosher, err will be nil
+//
+// Deprecated: Use NewParser to create and configure a Parser instead
 func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 return new(Parser).Parse(tokenString, keyFunc)
 }
From f62b8264a991c53149685124c489460625a5791d Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Sun, 26 Sep 2021 09:54:39 +0200
Subject: [PATCH 2/5] Adding options to the Parse and ParseWithClaims functions
---
 token.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/token.go b/token.go
index c3606a46..e4d090b0 100644
--- a/token.go
+++ b/token.go
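Review bot: WithValidMethods stores the caller's slice as is (`p.ValidMethods = methods`), so the parser's algorithm allow-list shares its backing array with the caller, and a later write to that slice changes what the parser accepts without any call on the Parser. Copying at the boundary keeps the allow-list fixed once the parser is built: `p.ValidMethods = append([]string(nil), methods...)`. The assignment is carried unchanged through the later documentation patch to this file (PATCH 3/5).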
@@ -85,14 +85,12 @@ func (t *Token) SigningString() (string, error) {
 // Parse parses, validates, and returns a token.
 // keyFunc will receive the parsed token and should return the key for validating.
 // If everything is kosher, err will be nil
-//
-// Deprecated: Use NewParser to create and configure a Parser instead
-func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
- return new(Parser).Parse(tokenString, keyFunc)
+func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
+ return NewParser(options...).Parse(tokenString, keyFunc)
 }
 
-func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
- return new(Parser).ParseWithClaims(tokenString, claims, keyFunc)
+func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
+ return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc)
 }
 
 // EncodeSegment encodes a JWT specific base64url encoding with padding stripped
From 48e949d03db1bb0e7f6d0bc0a3e8480357a78539 Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Sun, 26 Sep 2021 10:05:40 +0200
Subject: [PATCH 3/5] Added more documentation
---
 parser_option.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/parser_option.go b/parser_option.go
index a58224ac..0fede4f1 100644
--- a/parser_option.go
+++ b/parser_option.go
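Review bot: The doc comment on Parse is left as it was and does not mention the new `options` parameter, and ParseWithClaims has no doc comment at all. A call without options goes through `NewParser()` with an empty ValidMethods, so both comments should state that the parser then restricts no signing method, for example `// Options such as WithValidMethods configure the parser; without them the Keyfunc must check token.Method itself.` Adding a variadic parameter keeps direct calls compiling but changes the function type, so code that assigns `jwt.Parse` to a `func(string, Keyfunc) (*Token, error)` value stops compiling; that is worth a line in the release notes.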
@@ -1,20 +1,27 @@
 package jwt
 
-// ParserOption is used to implement functional options that modify the behaviour of the parser
+// ParserOption is used to implement functional-style options that modify the behaviour of the parser. To add
+// new options, just create a function (ideally beginning with With or Without) that returns an anonymous function that
+// takes a *Parser type as input and manipulates its configuration accordingly.
 type ParserOption func(*Parser)
 
+// WithValidMethods is an option to supply algorithm methods that the parser will check. Only those methods will be considered valid.
+// It is heavily encouraged to use this option in order to prevent attacks such as https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.
 func WithValidMethods(methods []string) ParserOption {
 return func(p *Parser) {
 p.ValidMethods = methods
 }
 }
 
+// WithJSONNumber is an option to configure the underyling JSON parser with UseNumber
 func WithJSONNumber() ParserOption {
 return func(p *Parser) {
 p.UseJSONNumber = true
 }
 }
 
+// WithoutClaimsValidation is an option to disable claims validation. This option should only be used if you exactly know
+// what you are doing.
 func WithoutClaimsValidation() ParserOption {
 return func(p *Parser) {
 p.SkipClaimsValidation = true
From b722d4e3e80c0aead797adc859cbf5e83e8f391d Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Sun, 26 Sep 2021 10:12:23 +0200
Subject: [PATCH 4/5] Some more documentation
---
 parser.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/parser.go b/parser.go
index db4c7b64..b723cea6 100644
--- a/parser.go
+++ b/parser.go
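Review bot: The new WithValidMethods comment says only the supplied methods are valid but not what a nil or empty list does. The Parser field comment applies the allow-list only "if populated", so `WithValidMethods(nil)` appears to leave every method accepted, and the comment should say so, e.g. `// A nil or empty list leaves the set of accepted methods unrestricted.` In the WithJSONNumber comment, `underyling` should read `underlying`. The WithoutClaimsValidation warning ("if you exactly know what you are doing") would help more if it named which checks are skipped; that cannot be told from this hunk. WithoutClaimsValidation's body runs past the end of the hunk.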
@@ -8,9 +8,20 @@ import (
 )
 
 type Parser struct {
- ValidMethods []string // If populated, only these methods will be considered valid. In future releases, this field will not be exported anymore
- UseJSONNumber bool // Use JSON Number format in JSON decoder. In future releases, this field will not be exported anymore
- SkipClaimsValidation bool // Skip claims validation during token parsing. In future releases, this field will not be exported anymore
+ // If populated, only these methods will be considered valid.
+ //
+ // In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
+ ValidMethods []string
+
+ // Use JSON Number format in JSON decoder.
+ //
+ // In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
+ UseJSONNumber bool
+
+ // Skip claims validation during token parsing.
+ //
+ // In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
+ SkipClaimsValidation bool
 }
 
 // NewParser creates a new Parser with the specified options
From 600ac32ef95a268ab7e8d8fb687affc74f4a4f3c Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Wed, 13 Oct 2021 17:05:34 +0200
Subject: [PATCH 5/5] Added deprecation to Parser struct fields
---
 parser.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/parser.go b/parser.go
index b723cea6..af2dfd33 100644
--- a/parser.go
+++ b/parser.go
@@ -10,17 +10,17 @@ import (
 type Parser struct {
 // If populated, only these methods will be considered valid.
 //
- // In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
+ // Deprecated: In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
 ValidMethods []string
 
 // Use JSON Number format in JSON decoder.
 //
- // In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
+ // Deprecated: In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
 UseJSONNumber bool
 
 // Skip claims validation during token parsing.
 //
- // In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
+ // Deprecated: In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
 SkipClaimsValidation bool
 }
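Review bot: Each `Deprecated:` paragraph points to "an option to NewParser" without naming it, so a reader who lands on the deprecation warning is not told what to switch to. Name the replacement per field, e.g. `// Deprecated: use WithValidMethods with NewParser; this field will be unexported in a future release.`, and likewise WithJSONNumber for UseJSONNumber and WithoutClaimsValidation for SkipClaimsValidation. The Parser type itself still has no doc comment of its own in the lines shown.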