feat: add dangerous::insecure_decode
#441
Merged
+88 −0
Conversation
Add `jsonwebtoken::dangerous::insecure_decode` to support decoding headers and claims with no signature validation.
Keats reviewed Oct 7, 2025
LGTM
This was referenced Oct 7, 2025
Keats approved these changes Oct 8, 2025
looks like we need to update the tests or allow deprecations
cf213d9 to c592679
Keats reviewed Oct 9, 2025
Add deprecated attribute to `Validation::insecure_disable_signature_validation`
c592679 to d1b40bd
This was referenced Oct 9, 2025
Any idea when will this get released?
ysndr added a commit to flox/flox that referenced this pull request Oct 21, 2025
…ion` Client side we don't need to verify the signature, as all privileged access is guarded server side. It's still convenient to verify common claims e.g. expiration dates. `Validation::insecure_disable_signature_validation` was deprecated in <Keats/jsonwebtoken#441> in favor of `jsonwebtoken::dangerous::insecure_decode`, which doesn't do _any_ validation. Thus, currently it's only possible to get consistent validation either by copying the internal implementations or sticking with the old deprecated method. The issue was raised upstream, will monitor.
ysndr added a commit to flox/flox that referenced this pull request Oct 23, 2025
`jsonwebtoken` deprecated (and completely removed the implementation of) validating tokens without validating the signature in <Keats/jsonwebtoken#441>. 4f6dd58 falsely assumed that while deprecated, `Validation::insecure_disable_signature_validation` would still be effective. However, `flox auth login` would now error with `InvalidKeyFormat`, on account of attempting to verify the signature against the dummy value we used to pass into the decoder (which was originally ignored). This change replaces `jsonwebtoken::decode` with `jsonwebtoken::dangerous::insecure_decode`, which skips _all_ validation, and manually reimplements expiry validation on top of the raw unvalidated claims. This is considered "safe" as the decoding only informs us of 1. the expiry date (for eager cli side management of the token) 2. the user handle for messaging and argument defaults. Auth and validation are only performed server side!
ysndr added a commit to flox/flox that referenced this pull request Oct 24, 2025
`jsonwebtoken` deprecated (and completely removed the implementation of) validating tokens without validating the signature in <Keats/jsonwebtoken#441>. 4f6dd58 falsely assumed that while deprecated, `Validation::insecure_disable_signature_validation` would still be effective. While that is true, `flox auth login` would now error with `InvalidKeyFormat`, on account of attempting to parse the dummy value we used to pass into the decoder (which was originally ignored) as RS256 (advertised by auth0). This issue was previously filed upstream as <Keats/jsonwebtoken#438>, and is a behaviour change starting with the crypto refactor of v10.x. This change replaces `jsonwebtoken::decode` with `jsonwebtoken::dangerous::insecure_decode`, which skips _all_ validation, and manually reimplements expiry validation on top of the raw unvalidated claims. This is considered "safe" as the decoding only informs us of 1. the expiry date (for eager cli side management of the token) 2. the user handle for messaging and argument defaults. Auth and validation are only performed server side!
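Added example, not code from the jsonwebtoken crate or from flox: what an `insecure_decode` amounts to (header and claims decoded, signature segment ignored) together with the hand-rolled expiry check the flox commits above describe, in std-only Rust over a constructed token. The base64url decoder and the `numeric_claim` lookup are stand-ins for the crate's decoder and serde_json; the 60 s leeway mirrors jsonwebtoken's `Validation` default.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Decode unpadded base64url (RFC 4648 section 5); None on any bad symbol.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    const ALPHA: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in s.bytes().filter(|&c| c != b'=') {
        buf = (buf << 6) | (ALPHA.iter().position(|&a| a == c)? as u32);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Split `header.payload.signature` and return header and claims as JSON text.
/// The signature segment must be present but is never checked: everything
/// returned here is untrusted input until a server has verified the token.
fn insecure_decode(token: &str) -> Option<(String, String)> {
    let mut parts = token.split('.');
    let header = b64url_decode(parts.next()?)?;
    let claims = b64url_decode(parts.next()?)?;
    parts.next()?;
    if parts.next().is_some() { return None; } // more than three segments is malformed
    Some((String::from_utf8(header).ok()?, String::from_utf8(claims).ok()?))
}

/// Stand-in for serde_json: read a top-level integer field such as `"exp":1700000000`.
fn numeric_claim(json: &str, key: &str) -> Option<u64> {
    let start = json.find(&format!("\"{}\":", key))? + key.len() + 3;
    let digits: String = json[start..].trim_start().chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}

/// Expiry check redone by hand on the unverified claims; `leeway` is in seconds.
/// A missing `exp` is treated as expired so the client never keeps an unbounded token.
fn is_expired(claims_json: &str, now: u64, leeway: u64) -> bool {
    match numeric_claim(claims_json, "exp") {
        Some(exp) => exp + leeway < now,
        None => true,
    }
}

fn main() {
    // Constructed token: {"alg":"HS256","typ":"JWT"} . {"sub":"alice","exp":1700000000} . dummy signature
    let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImV4cCI6MTcwMDAwMDAwMH0.c2lnbmF0dXJl";
    let now = SystemTime::now().duration_since(UNIX_EPOCH).map_or(0, |d| d.as_secs());
    if let Some((h, c)) = insecure_decode(token) { println!("{}\n{}\nexpired: {}", h, c, is_expired(&c, now, 60)); }
}
```

Only `exp` and the user handle should ever be read this way; anything that gates access still has to go through `jsonwebtoken::decode` with a real key on the server.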
Add `jsonwebtoken::dangerous::insecure_decode` to support decoding headers and claims with no signature validation. This should fulfill #401 and also provides a solution for #438.