Shane Kilkelly d07210c4d1 Validating an unsigned token with a key should be false.
If the token supplied to the `verify` function has a signature which
is an empty-string, the key is ignored, presuming that the token is
unsigned and that the calling code is not interested in ensuring the
token has been signed.

If the calling code is trying to verify that the token was signed with
their secret key, it is possible for a completely unsigned token to be
accepted as valid.

This patch adds a check to ensure that if the token is unsigned, but a
non-empty key was supplied to `validate`, then the token is considered
to not be valid.
2014-09-13 17:23:53 +01:00
src/clj_jwt Validating an unsigned token with a key should be false. 2014-09-13 17:23:53 +01:00
test Validating an unsigned token with a key should be false. 2014-09-13 17:23:53 +01:00
.gitignore first commit 2013-04-29 22:24:41 +09:00
.travis.yml add .travis.yml 2013-05-03 01:01:34 +09:00
project.clj Upgrade to version 0.0.4 2013-10-17 09:58:39 -04:00
README.md Upgrade to version 0.0.4 2013-10-17 09:58:39 -04:00

clj-jwt


A Clojure library for JSON Web Token (JWT), draft-jones-json-web-token-10

Supported algorithms

  • HS256, HS384, HS512
  • RS256, RS384, RS512
  • ES256, ES384, ES512

Not supported

  • JSON Web Encryption (JWE)

Usage

Leiningen

[clj-jwt "0.0.4"]

Generate

(ns foo
  (:require
    [clj-jwt.core  :refer :all]
    [clj-jwt.key   :refer [private-key]]
    [clj-time.core :refer [now plus days]]))

(def claim
  {:iss "foo"
   :exp (plus (now) (days 1))
   :nbf (now)})

(def rsa-prv-key (private-key "rsa/private.key" "pass phrase"))
(def ec-prv-key  (private-key "ec/private.key"))

; plain JWT
(-> claim jwt to-str)

; HMAC256 signed JWT
(-> claim jwt (sign :HS256 "secret") to-str)

; RSA256 signed JWT
(-> claim jwt (sign :RS256 rsa-prv-key) to-str)

; ECDSA256 signed JWT
(-> claim jwt (sign :ES256 ec-prv-key) to-str)

Verify

(ns foo
  (:require
    [clj-jwt.core  :refer :all]
    [clj-jwt.key   :refer [private-key public-key]]
    [clj-time.core :refer [now plus days]]))

(def claim
  {:iss "foo"
   :exp (plus (now) (days 1))
   :nbf (now)})

(def rsa-prv-key (private-key "rsa/private.key" "pass phrase"))
(def rsa-pub-key (public-key  "rsa/public.key"))
(def ec-prv-key  (private-key "ec/private.key"))
(def ec-pub-key  (public-key  "ec/public.key"))

(let [token (-> claim jwt to-str)]
  (-> token str->jwt verify))

(let [token (-> claim jwt (sign :HS256 "secret") to-str)]
  (-> token str->jwt (verify "secret")))

(let [token (-> claim jwt (sign :RS256 rsa-prv-key) to-str)]
  (-> token str->jwt (verify rsa-pub-key)))

(let [token (-> claim jwt (sign :ES256 ec-prv-key) to-str)]
  (-> token str->jwt (verify ec-pub-key)))
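The Generate and Verify examples above, together with the commit message at the top of this page, describe one contract: a token carrying an empty signature is fine when the caller passes no key, but must fail when the caller passes one. The following is an added example in Python, not clj-jwt's own code, that reproduces the HS256 flow with the standard library and puts the pre-fix verifier (`verify_lenient`) beside the fixed one (`verify_strict`). All function names, the `{"iss": "foo"}` claim and the key `b"secret"` are constructed for the example; only the HS256 dispatch is implemented, so RS/ES tokens are out of scope here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values for this example (not from the project).
SAMPLE_CLAIM = {"iss": "foo"}
SAMPLE_KEY = b"secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claim: dict, key: Optional[bytes] = None) -> str:
    """Serialize a claim as a JWT: HS256-signed when a key is given,
    otherwise an unsigned token ("alg": "none") with an empty signature part,
    mirroring `(-> claim jwt to-str)` versus `(-> claim jwt (sign :HS256 k) to-str)`."""
    header = {"typ": "JWT", "alg": "HS256" if key is not None else "none"}
    parts = [json.dumps(header, separators=(",", ":")),
             json.dumps(claim, separators=(",", ":"))]
    signing_input = ".".join(b64url_encode(p.encode("utf-8")) for p in parts)
    if key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def strip_signature(token: str) -> str:
    """Keep header and claim, drop the signature part. This is the tampered
    input the commit guards against: a signed token presented as unsigned."""
    return token.rpartition(".")[0] + "."


def _hs256_matches(signing_input: str, signature: str, key: bytes) -> bool:
    """True only if the header declares HS256 and the HMAC over the signing
    input matches the supplied signature (constant-time comparison)."""
    try:
        header = json.loads(b64url_decode(signing_input.split(".")[0]))
        given = b64url_decode(signature)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed base64url or JSON: treat as invalid
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(given, expected)


def verify_lenient(token: str, key: Optional[bytes] = None) -> bool:
    """The behaviour the commit message describes as the bug: an empty
    signature is read as 'unsigned, caller does not care' and the key is
    ignored entirely, so a stripped token passes with any key."""
    signing_input, _, signature = token.rpartition(".")
    if signature == "":
        return True
    return key is not None and _hs256_matches(signing_input, signature, key)


def verify_strict(token: str, key: Optional[bytes] = None) -> bool:
    """The fixed behaviour: an unsigned token is valid only when the caller
    supplied no key; with a key, a missing or wrong signature is a failure."""
    signing_input, _, signature = token.rpartition(".")
    if signature == "":
        return key is None
    return key is not None and _hs256_matches(signing_input, signature, key)


def demo() -> dict:
    """Run the signed, unsigned and stripped cases through both verifiers."""
    signed = encode_jwt(SAMPLE_CLAIM, SAMPLE_KEY)
    unsigned = encode_jwt(SAMPLE_CLAIM)
    stripped = strip_signature(signed)
    return {
        "signed/right key": (verify_lenient(signed, SAMPLE_KEY), verify_strict(signed, SAMPLE_KEY)),
        "signed/wrong key": (verify_lenient(signed, b"wrong"), verify_strict(signed, b"wrong")),
        "unsigned/no key": (verify_lenient(unsigned), verify_strict(unsigned)),
        "unsigned/with key": (verify_lenient(unsigned, SAMPLE_KEY), verify_strict(unsigned, SAMPLE_KEY)),
        "stripped/with key": (verify_lenient(stripped, SAMPLE_KEY), verify_strict(stripped, SAMPLE_KEY)),
    }


if __name__ == "__main__":
    for case, (lenient, strict) in demo().items():
        print(f"{case:18s} lenient={lenient!s:5s} strict={strict}")
```

The two verifiers differ in a single line: the lenient one returns true as soon as it sees an empty signature, the strict one returns `key is None`. Everything else (the `alg` check against the key type, the constant-time HMAC comparison, rejecting malformed base64url) is the part a verifier needs in any case; the commit's fix is precisely that the "unsigned" shortcut must not bypass it when the caller asked for a signed token.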

License

Copyright © 2013 uochan

Distributed under the Eclipse Public License, the same as Clojure.