Remove validate_signature option and add decode_header

2017-08-25 17:48:53 +09:00 · 2017-08-25 17:48:53 +09:00 · d213fb8a62
parent 01d6b906e0
commit d213fb8a62
4 changed files with 32 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,13 @@
 # Changelog

+## 3.0.0 (unreleased)
+
+### Breaking change
+- Remove `validate_signature` from `Validation`
+
+### Other
+- Add `decode_header` to only decode the header: replaces the use case of `validate_signature`
+
 ## 2.0.3 (2017-07-18)

 - Make `TokenData` public
--- a/src/lib.rs
+++ b/src/lib.rs
@ -22,7 +22,7 @@ mod crypto;
 mod serialization;
 mod validation;

-pub use header::{Header};
+pub use header::Header;
 pub use crypto::{
    Algorithm,
    sign,
@ -107,7 +107,7 @@ pub fn decode<T: DeserializeOwned>(token: &str, key: &[u8], validation: &Validat
    let (claims, header) = expect_two!(signing_input.rsplitn(2, '.'));
    let header: Header = from_jwt_part(header)?;

-    if validation.validate_signature && !verify(signature, signing_input, key, header.alg)? {
+    if !verify(signature, signing_input, key, header.alg)? {
        return Err(ErrorKind::InvalidSignature.into());
    }

@ -123,3 +123,21 @@ pub fn decode<T: DeserializeOwned>(token: &str, key: &[u8], validation: &Validat

    Ok(TokenData { header: header, claims: decoded_claims })
 }
+
+/// Decode a token and return the Header. This is not doing any kind of validation: it is meant to be
+/// used when you don't know which `alg` the token is using and want to check
+///
+/// If the token is invalid, it will return an error.
+///
+/// ```rust,ignore
+/// use jsonwebtoken::decode_header;
+///
+///
+/// let token = "a.jwt.token".to_string();
+/// let header = decode_header(&token);
+/// ```
+pub fn decode_header(token: &str) -> Result<Header> {
+    let (_, signing_input) = expect_two!(token.rsplitn(2, '.'));
+    let (_, header) = expect_two!(signing_input.rsplitn(2, '.'));
+    from_jwt_part(header)
+}
--- a/src/validation.rs
+++ b/src/validation.rs
@ -32,12 +32,6 @@ pub struct Validation {
    ///
    /// Defaults to `0`.
    pub leeway: i64,
-    /// Whether to actually validate the signature of the token.
-    ///
-    /// WARNING: only set that to false if you know what you are doing.
-    ///
-    /// Defaults to `true`.
-    pub validate_signature: bool,
    /// Whether to validate the `exp` field.
    ///
    /// It will return an error if the time in the `exp` field is past.
@ -93,8 +87,6 @@ impl Default for Validation {
        Validation {
            leeway: 0,

-            validate_signature: true,
-
            validate_exp: true,
            validate_iat: true,
            validate_nbf: true,
--- a/tests/lib.rs
+++ b/tests/lib.rs
@ -2,7 +2,7 @@ extern crate jsonwebtoken;
 #[macro_use]
 extern crate serde_derive;

-use jsonwebtoken::{encode, decode, Algorithm, Header, sign, verify, Validation};
+use jsonwebtoken::{encode, decode, decode_header, Algorithm, Header, sign, verify, Validation};


 #[derive(Debug, PartialEq, Clone, Serialize, Deserialize)]
@ -97,9 +97,9 @@ fn decode_token_with_shuffled_header_fields() {
 }

 #[test]
-fn decode_without_validating_signature() {
+fn decode_header_only() {
    let token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb21wYW55IjoiMTIzNDU2Nzg5MCIsInN1YiI6IkpvaG4gRG9lIn0.S";
-    let claims = decode::<Claims>(token, "secret".as_ref(), &Validation {validate_signature: false, ..Validation::default()});
-    assert!(claims.is_ok());
+    let header = decode_header(token).unwrap();
+    assert_eq!(header.alg, Algorithm::HS256);

 }