
Plugin: add tool to encode and decode JWT (JSON Web Tokens) #28

Open
wants to merge 1 commit into base: main

Conversation


@bowenliang123 bowenliang123 commented Jan 21, 2025

  • JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
  • add tool to encode and decode JWT based on pyjwt, with various supported algorithms:
    • HS256
    • RS256 (RSA)
    • PS256 (RSA)
    • EdDSA (Ed25519)
    • ES256 (ECDSA)
  • tool: JWT encoder (screenshot)
  • tool: JWT decoder (screenshot)
  • conversation: (screenshot)

@LogicOber LogicOber left a comment

Hi @bowenliang123 👋 We truly appreciate all the work that has gone into this plugin, below are some suggestions:

  • Header JSON String: If users leave the “Header JSON String” field empty, the plugin currently treats it as an empty string and fails when trying to parse it. It would be more user-friendly to automatically convert an empty value to "{}" so the code won’t break when nothing is provided.

  • Encryption Algorithm (HS256) Key Length: When a user selects HS256 but supplies a very short key, it becomes vulnerable to brute force attacks. We recommend adding a simple check on key length (for example, at least 32 characters) and either rejecting an obviously weak key or at least warning the user about the security risk. If you prefer not to enforce it in code, be sure to mention this requirement explicitly in your YAML descriptions, so people understand they need a robust key. 🙂

  • YAML Field Descriptions: The current YAML descriptions are quite brief and don’t offer enough context. It’s best to give users more details on what each field means, plus sample inputs. For instance, remind them of safe key lengths or show them exactly how to format a payload. More clarity in your descriptions will help reduce configuration mistakes. If the name and description of the parameters are identical, it wastes the functionality of the description, right?

  • About Key Generation Notes: Because your plugin doesn’t generate keys for RSA or other algorithms, it would be really helpful to mention in your README how they can generate their own keys. A quick step-by-step (e.g., with OpenSSL commands or references to third-party tools) would give them a clearer picture of where to get the right private key and how to paste it in.

  • EdDSA Logic: When it comes to EdDSA, the plugin code needs to handle objects; simply passing a string might not work. It would be good to update your code to parse or convert strings into the proper key object when users choose EdDSA.

  • About README.md and PRIVATE.md: Your README file is currently missing important explanations. It could include usage examples, key generation pointers, any requirements or dependencies, and so forth. And PRIVACY must outline what user data is collected, how it’s stored or processed, and any retention policy.

Again, thank you for your contribution, these fixes will make the plugin more robust and user-friendly, and we really encourage you to keep up the great work! 🚀
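Added worked example (not part of this PR and not written by either participant): a minimal HS256 encoder/decoder that applies the first two review points above, treating an empty "Header JSON String" as `{}` and refusing HS256 keys shorter than 32 bytes (the SHA-256 output size that RFC 7518 §3.2 recommends as the minimum). It uses only the Python standard library (`hmac`, `hashlib`, `base64`, `json`) rather than pyjwt so it runs anywhere; the threshold constant, the function names and the demo key are assumptions chosen for the illustration, not the plugin's own API.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# RFC 7518 section 3.2: an HMAC key SHOULD be at least as long as the hash output
# (32 bytes for SHA-256). The constant name is an assumption of this example.
MIN_HS256_KEY_BYTES = 32


class WeakKeyError(ValueError):
    """Raised when an HS256 key is shorter than MIN_HS256_KEY_BYTES."""


def b64url_encode(data: bytes) -> str:
    # JWS segments use unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header_json(header_json: Optional[str]) -> dict:
    """Parse the user-supplied header field; empty or whitespace-only input means '{}'."""
    if header_json is None or not header_json.strip():
        header_json = "{}"
    header = json.loads(header_json)
    if not isinstance(header, dict):
        raise ValueError("JWT header must be a JSON object")
    return header


def check_hs256_key(key: str) -> None:
    """Reject an HS256 key that is too short instead of silently signing with it."""
    key_len = len(key.encode("utf-8"))
    if key_len < MIN_HS256_KEY_BYTES:
        raise WeakKeyError(f"HS256 key must be at least {MIN_HS256_KEY_BYTES} bytes, got {key_len}")


def encode_hs256(payload: dict, key: str, header_json: Optional[str] = None) -> str:
    """Build and sign a compact-serialised JWT with HS256."""
    check_hs256_key(key)
    header = parse_header_json(header_json)
    header.setdefault("typ", "JWT")
    header["alg"] = "HS256"  # the tool fixes the algorithm; a user header cannot override it
    compact = {"separators": (",", ":"), "sort_keys": True}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, **compact).encode("utf-8")) for part in (header, payload)
    )
    signature = hmac.new(key.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def read_header(token: str) -> dict:
    """Return the (unverified) header of a compact JWT, as a decoder tool would display it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWT header must be a JSON object")
    return header


def decode_hs256(token: str, key: str) -> dict:
    """Verify an HS256 token and return its payload; raise ValueError on any failure."""
    check_hs256_key(key)
    header = read_header(token)
    # pin the algorithm: a header claiming 'none' or any other alg is rejected outright
    if header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg in header")
    header_seg, payload_seg, sig_seg = token.split(".")
    signing_input = f"{header_seg}.{payload_seg}"
    expected = hmac.new(key.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_seg))


if __name__ == "__main__":
    demo_key = "constructed-demo-key-with-at-least-32-bytes!"  # constructed sample, not a real secret
    token = encode_hs256({"sub": "alice", "role": "user"}, demo_key, header_json="")
    print(token)
    print(decode_hs256(token, demo_key))
```

`check_hs256_key` is called on both the encode and decode paths so that a short key fails loudly at the point where a user would otherwise get a token that looks valid; `decode_hs256` also refuses any header whose `alg` is not the one the tool was configured for, which is the usual defence against `alg: none` and algorithm-confusion tokens.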

@bowenliang123 (Author)

Thanks for the feedback and detailed review comments. Will follow your suggestions and make the changes.
