New API, tests! #1
Conversation
Failing case for the mentioned vulnerability, where you can use a public RSA key and get validated via HMAC.
Failing case for verifying with the private key, why does this not work?
Note: this actually includes a fix. Before this it was not possible to use the RSA method for signing keys because it was always defaulting to HMAC.
until i can figure that out
Shouldn't we hold off on 1.0.0 until it has feature parity w/ jjwt (signingKeyResolver, etc)? jjwt is just on 0.5...
RS256: 'RSA-SHA256', | ||
RS384: 'RSA-SHA384', | ||
RS512: 'RSA-SHA512', | ||
ES256: 'RSA-SHA256', |
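Review bot: the ES256 entry at the end of this hunk maps to the same 'RSA-SHA256' string as RS256, so the table alone no longer distinguishes an ECDSA algorithm from an RSA one, which is exactly the reading that prompts the question in this thread. Add a comment on the map stating which part of the Node algorithm name is actually used, and pair the map with a check that the key handed to verification is of the kind the alg demands, so a token with alg ES256 cannot be verified with an RSA key, and an HS* token cannot be verified with a public key at all.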
I think ES256-ES512 are not correct as they reflect RSA-SHA*
Node's crypto library has strange names for things, hence this map. There are tests with ES keypairs that assert the correct behavior.
I should also mention that JWT as a specification has finally been finalized - it is no longer in 'draft' status. All jwtk libraries should reflect all capabilities defined here: http://www.rfc-editor.org/rfc/rfc7519.txt (or at least not yet be called 1.0 final until they support all features of the spec)
(side note: I'm checking if the final spec removed the capability for plaintext bodies in favor of only a claims one - I haven't seen the spec changes in ~ 2 months).
I'm bumping to 1.0.0 because I'm breaking the api from 0.0.1
We don't need to support semantic versioning until 1.0.0 final. Releasing 0.1 is safer unless you're positive that the library is feature complete and stable.
This will become v1.0.0