chore(docs): example of unsafe header decode in README #501
Conversation
We do not want to add a utility function to decode headers because this could encourage our users to decode insecure headers (this happens before any validation occurs). To exclude these helpers is an intentional decision. Additionally, if users want to check their headers (insecurely), they can do so easily:

list($headersB64, $payloadB64, $sig) = explode('.', $jwt);
$headers = json_decode(base64_decode(strtr($headersB64, '-_', '+/')), true); // JWT segments are base64url, so map -_ back to +/ before decoding

It may be a good idea to add this to the
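The same unvalidated header decode, as an added example that is not code from this PR or from php-jwt, in the shape a consumer should use it: the header is read only to look up a kid in a server-side key map that also pins the algorithm, and the HMAC signature is verified before any claim is trusted. The key map, the secret and the helper names are constructed for this example.

```php
<?php
// Added example (not the PR's or php-jwt's own code): the header of an
// unverified JWT is attacker-controlled input. Read it only to pick a key by
// "kid", pin the algorithm server-side, and verify before trusting any claim.
declare(strict_types=1);

function b64urlDecode(string $s): string {
    // JWT segments are base64url without padding; restore padding and alphabet.
    $pad = strlen($s) % 4;
    if ($pad !== 0) {
        $s .= str_repeat('=', 4 - $pad);
    }
    return (string) base64_decode(strtr($s, '-_', '+/'), true);
}

// Constructed key set: the algorithm is bound to the key, never taken from the header.
$keys = [
    'key-2024' => ['alg' => 'HS256', 'secret' => 'constructed-secret-do-not-use'],
];

function verifyHs256(string $jwt, array $keys): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h64, $p64, $s64] = $parts;
    // Unvalidated header: only "kid" is used, and only as a lookup key.
    $header = json_decode(b64urlDecode($h64), true);
    if (!is_array($header) || !isset($header['kid']) || !is_string($header['kid'])) {
        return null;
    }
    $key = $keys[$header['kid']] ?? null;
    // Fail closed on an unknown kid or on any algorithm other than the pinned one.
    if ($key === null || $key['alg'] !== 'HS256' || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h64.$p64", $key['secret'], true);
    // Constant-time comparison of the computed MAC against the token's signature.
    if (!hash_equals($expected, b64urlDecode($s64))) {
        return null;
    }
    // Only now are the claims trustworthy.
    $claims = json_decode(b64urlDecode($p64), true);
    return is_array($claims) ? $claims : null;
}
```

A token whose header names a kid absent from $keys, or whose alg differs from the one bound to that key, is rejected before any claim is read.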
b2d5db7 to f4c294f
Updated PR to only show the example in the readme.
Adds more disclaimers and information regarding unvalidated headers
Is it worth making sure we return the headers from decodeHeaders as an array? Headers often have dashed key names and in order to access them currently, the user will have to do: $cls->{'x-header-key'}. In order to make sure we return an array, I think it's best to add a default argument to JWT::jsonDecode which forwards the second param to \json_decode().