diff --git a/src/decoding.rs b/src/decoding.rs index 922b02aa..9461937c 100644 --- a/src/decoding.rs +++ b/src/decoding.rs @@ -280,7 +280,7 @@ pub fn decode( let token = token.as_ref(); let header = decode_header(token)?; - if validation.validate_signature && !validation.algorithms.contains(&header.alg) { + if !validation.algorithms.contains(&header.alg) { return Err(new_error(ErrorKind::InvalidAlgorithm)); } @@ -334,25 +334,21 @@ pub(crate) fn verify_signature_body( validation: &Validation, verifying_provider: Box, ) -> Result<()> { - if validation.validate_signature && validation.algorithms.is_empty() { + if validation.algorithms.is_empty() { return Err(new_error(ErrorKind::MissingAlgorithm)); } - if validation.validate_signature { - for alg in &validation.algorithms { - if verifying_provider.algorithm().family() != alg.family() { - return Err(new_error(ErrorKind::InvalidAlgorithm)); - } + for alg in &validation.algorithms { + if verifying_provider.algorithm().family() != alg.family() { + return Err(new_error(ErrorKind::InvalidAlgorithm)); } } - if validation.validate_signature && !validation.algorithms.contains(&header.alg) { + if !validation.algorithms.contains(&header.alg) { return Err(new_error(ErrorKind::InvalidAlgorithm)); } - if validation.validate_signature - && verifying_provider.verify(message, &b64_decode(signature)?).is_err() - { + if verifying_provider.verify(message, &b64_decode(signature)?).is_err() { return Err(new_error(ErrorKind::InvalidSignature)); } diff --git a/src/validation.rs b/src/validation.rs index decc0537..0d2e6596 100644 --- a/src/validation.rs +++ b/src/validation.rs @@ -103,9 +103,6 @@ pub struct Validation { /// /// Defaults to `vec![Algorithm::HS256]`. pub algorithms: Vec, - - /// Whether to validate the JWT signature. Very insecure to turn that off - pub(crate) validate_signature: bool, } impl Validation { @@ -136,8 +133,6 @@ impl Validation { iss: None, sub: None, aud: None, - - validate_signature: true, } } @@ -161,17 +156,6 @@ impl Validation { pub fn set_required_spec_claims(&mut self, items: &[T]) { self.required_spec_claims = items.iter().map(|x| x.to_string()).collect(); } - - /// Whether to validate the JWT cryptographic signature. - /// Disabling validation is dangerous, only do it if you know what you're doing. - /// With validation disabled you should not trust any of the values of the claims. - #[deprecated( - since = "10.1.0", - note = "Use `jsonwebtoken::dangerous::insecure_decode` if you require this functionality." - )] - pub fn insecure_disable_signature_validation(&mut self) { - self.validate_signature = false; - } } impl Default for Validation { diff --git a/tests/hmac.rs b/tests/hmac.rs index b7f5ef46..e309670a 100644 --- a/tests/hmac.rs +++ b/tests/hmac.rs @@ -1,5 +1,5 @@ -#![allow(deprecated)] use jsonwebtoken::Extras; +use jsonwebtoken::dangerous::insecure_decode; use serde::{Deserialize, Serialize}; use time::OffsetDateTime; use wasm_bindgen_test::wasm_bindgen_test; @@ -268,41 +268,14 @@ fn decode_header_only() { #[wasm_bindgen_test] fn dangerous_insecure_decode_valid_token() { let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.9r56oF7ZliOBlOAyiOFperTGxBtPykRQiWNFxhDCW98"; - let mut validation = Validation::new(Algorithm::HS256); - validation.insecure_disable_signature_validation(); - let claims = decode::(token, &DecodingKey::from_secret(&[]), &validation); - claims.unwrap(); + insecure_decode::(&token).unwrap(); } #[test] #[wasm_bindgen_test] fn dangerous_insecure_decode_token_invalid_signature() { let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.wrong"; - let mut validation = Validation::new(Algorithm::HS256); - validation.insecure_disable_signature_validation(); - let claims = decode::(token, &DecodingKey::from_secret(&[]), &validation); - claims.unwrap(); -} - -#[test] -#[wasm_bindgen_test] -fn dangerous_insecure_decode_token_wrong_algorithm() { - let token = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.fLxey-hxAKX5rNHHIx1_Ch0KmrbiuoakDVbsJjLWrx8fbjKjrPuWMYEJzTU3SBnYgnZokC-wqSdqckXUOunC-g"; - let mut validation = Validation::new(Algorithm::HS256); - validation.insecure_disable_signature_validation(); - let claims = decode::(token, &DecodingKey::from_secret(&[]), &validation); - claims.unwrap(); -} - -#[test] -#[wasm_bindgen_test] -fn dangerous_insecure_decode_token_with_validation_wrong_algorithm() { - let token = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjk1MzI1MjQ4OX0.ONtEUTtP1QmyksYH9ijtPCaXoHjZVHcHKZGX1DuJyPiSyKlT93Y-oKgrp_OSkHSu4huxCcVObLzwsdwF-xwiAQ"; - let mut validation = Validation::new(Algorithm::HS256); - validation.insecure_disable_signature_validation(); - let claims = decode::(token, &DecodingKey::from_secret(&[]), &validation); - let err = claims.unwrap_err(); - assert_eq!(err.kind(), &ErrorKind::ExpiredSignature); + insecure_decode::(&token).unwrap(); } #[test]