Merged
Conversation
when decoding a valid token with `algorithm: none`, unless explicitly requesting not to verify the token, it could not be validated and raised DecodeError with a message about insufficient segments. This error message is misleading, because there are the correct number of segments provided for that algorithm. With this change, when a token with `algorithm: none` is provided: * if the caller requests verification && does not specify `none` as an algorithm (default behaviour) it now raises `IncorrectAlgorithm`, which is a subclass of `DecodeError` to make the issue more clear. This is technically a minor change, but should not be breaking - it is returning a subclass, so the same rescues will still work. The message provided will be different. * if the caller requests verification && specifies `none` as an allowed algorithm, it verifies the claims and decodes the token as it would for a valid, signed token. This is new behaviour supporting claims verification for 'none' which was not previously available and is only "accessed" through explicit settings * if the caller explicitly requests no verification, the token is decoded without checking anything (no change in behaviour)
|
Hello, @danleyden! This is your first Pull Request that will be reviewed by SourceLevel, an automatic Code Review service. It will leave comments on this diff with potential issues and style violations found in the code as you push new commits. You can also see all the issues found on this Pull Request on its review page. Please check our documentation for more information. |
excpt
approved these changes
Sep 1, 2020
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
when decoding a valid token with
algorithm: none, unless explicitlyrequesting not to verify the token, it could not be validated and raised
DecodeError with a message about insufficient segments.
This error message is misleading, because there are the correct number
of segments provided for that algorithm.
With this change, when a token with
algorithm: noneis provided:if the caller requests verification && does not specify
noneas analgorithm (default behaviour) it now raises
IncorrectAlgorithm,which is a subclass of
DecodeErrorto make the issue more clear.This is technically a minor change, but should not be breaking -
it is returning a subclass, so the same rescues will still work. The
message provided will be different.
if the caller requests verification && specifies
noneas an allowedalgorithm, it verifies the claims and decodes the token as it would
for a valid, signed token.
This is new behaviour supporting claims verification for 'none' which
was not previously available and is only "accessed" through explicit
settings
if the caller explicitly requests no verification, the token is
decoded without checking anything (no change in behaviour)