
Conversation

@DoumanAsh (Contributor) commented Nov 18, 2025

I would like to remove multiple instances of jsonwebtoken from my dependency tree, so I wanted to bump it in this crate as I rely on it (this version introduces the user's choice of crypto libraries, so I defaulted to Rust's one, as it was before).

Unfortunately jsonwebtoken wants to deprecate a useful API:

warning: use of deprecated method `jsonwebtoken::Validation::insecure_disable_signature_validation`: Use `jsonwebtoken::dangerous::insecure_decode` if you require this functionality.
  --> foundation/auth/src/token_source/mod.rs:71:20
   |
71 |         validation.insecure_disable_signature_validation();

The suggested alternative does not validate the audience.
Would you like me to implement audience validation as part of the upgrade PR? (I'm not sure how critical it is in the context where signature validation is skipped, so if it is ok to skip validation, I can change the code to use jsonwebtoken::dangerous::insecure_decode.)

@yoshidan added the "safe to test" label Nov 19, 2025

@DoumanAsh (Contributor, Author)

Sorry for the failed CI.
As I mentioned above, the library deprecated the method that you currently use to skip signature verification, so I wanted to confirm whether you'd prefer to skip verification of the audience too by using insecure_decode, which skips all checks.
Or would you prefer to retain audience verification? (In that case I will implement it as part of this PR.)

@yoshidan (Owner)

Hi @DoumanAsh

I would like to proceed with the removal of insecure_disable_signature_validation.
I anticipate that simply deleting it will be sufficient, so I would appreciate it if you could handle this as a straight removal within this Pull Request.
Should you encounter any unforeseen difficulties (or: complications), please use jsonwebtoken::dangerous::insecure_decode instead.

@DoumanAsh (Contributor, Author)

@yoshidan So, just removing the method will cause you to attempt to construct an invalid key (since there is no key), so I had to switch to insecure_decode, which means the audience is no longer checked. But I'm not sure if it is actually relevant in this context: since this part only needs the expiration, I assume the audience should be correct anyway in this context.
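To make the trade-off discussed in this thread concrete, here is an added Python illustration (not the project's Rust code and not the jsonwebtoken crate API) of what an unverified decode gives you and what the expiration and audience checks add back on top of it. The token, the audience value and the timestamps are constructed for the example; the function names are my own.

```python
import base64
import json
import time
from typing import Any, Dict, List, Optional


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment (padding restored first)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a constructed test token; the signature segment is deliberately bogus."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.bogus-signature"


def insecure_decode(token: str) -> Dict[str, Any]:
    """Return the payload claims WITHOUT checking the signature.

    This is the trust level of jsonwebtoken::dangerous::insecure_decode:
    the result reflects what the token *says*, which any holder can rewrite.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_exp(claims: Dict[str, Any], now: Optional[int] = None, leeway: int = 0) -> int:
    """Reject expired tokens; returns the exp claim (the check the thread wants to keep)."""
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing or non-numeric exp claim")
    now = int(time.time()) if now is None else now
    if now >= exp + leeway:
        raise ValueError("token expired")
    return int(exp)


def check_aud(claims: Dict[str, Any], expected: str) -> List[str]:
    """Reject tokens not issued for `expected` (the check insecure_decode drops)."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not all(isinstance(a, str) for a in audiences):
        raise ValueError("aud claim must be a string or a list of strings")
    if expected not in audiences:
        raise ValueError(f"audience mismatch: token is for {audiences}")
    return audiences


def validation_error(token: str, expected_aud: str, now: Optional[int] = None) -> Optional[str]:
    """Run the unverified decode plus both claim checks; None means accepted,
    otherwise the reason the token would be rejected."""
    try:
        claims = insecure_decode(token)
        check_exp(claims, now)
        check_aud(claims, expected_aud)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed sample: expires 2100-01-01, issued for a made-up audience.
    token = make_unsigned_token(
        {"sub": "demo", "aud": "https://example.invalid/api", "exp": 4102444800}
    )
    print("claims (unverified):", insecure_decode(token))
    print("right audience:", validation_error(token, "https://example.invalid/api"))
    print("wrong audience:", validation_error(token, "https://other.invalid"))
```

Everything `insecure_decode` returns is unauthenticated, so `check_exp` and `check_aud` only confirm what the token claims about itself; they are a consistency check on untrusted data, not a substitute for signature verification. That is why the decision in this thread hinges on what the surrounding code does with the result: if it only reads the expiration, dropping the audience check changes little, whereas any access decision based on these claims needs the signature verified elsewhere.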
