Comments (4)
I find JWT tricky to use securely which is why I avoid it like the plague whenever I can for my own stuff. You cannot avoid JWT much for external interoperability obviously but I will not deprecate itsdangerous as a result :)
Thanks for the quick reply. Just out of curiosity, which aspect of JWT security do you find tricky to use? There were several implementation bugs a while back, e.g. the none algo being allowed by default, but those have all been fixed now.
none is just the obvious example, but the entire algorithm negotiation is not thought through well. You would need to match the algorithm exactly against what you issued, with a sliding window for potential upgrades, and not a single JWT library supports this. none was just obviously broken because it disables the signature entirely. But you can still downgrade the signature to the shittiest version someone accepts. This is particularly problematic if a public part of one protocol becomes the private part of another.
For instance, the server thinks it will get an RSA token but you actually send an HMAC token; then the public part of the RSA key will be used as the secret of the HMAC token. But this is just an example; there are many more cases where libraries completely fail currently.
JWT is just too complex a system for people to write good implementations for.
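As an added illustration of the "match the algorithm exactly against what you issued" point in the comment above (example code written for this page, not itsdangerous's own code and not the commenter's): a minimal HS256/HS512 verifier whose allow-list, not the token header, decides which algorithm is acceptable, so a header claiming none or an RSA/EC algorithm is rejected before any key is touched. The key, payload and tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The only algorithms this verifier implements. Which of them a given
# deployment accepts is decided by the verifier's allow-list, never by the
# "alg" header of the token being checked.
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWT signed with one of the HMAC algorithms above."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), HMAC_DIGESTS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_pinned(token: str, key: bytes, allowed_algs=frozenset({"HS256"})) -> Optional[dict]:
    """Return the payload only if alg is in our own window and the signature holds.

    allowed_algs normally holds exactly the algorithm we issue; it grows to two
    entries only during a planned migration (e.g. HS256 -> HS512), which is the
    "sliding window" the comment describes.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict):
        return None
    alg = header.get("alg")
    if alg not in allowed_algs or alg not in HMAC_DIGESTS:
        return None  # covers "none", RS*/ES*, and any alg outside the window
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), HMAC_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))
```

Because the key type is fixed by the verifier's allow-list, there is no code path in which a header can redirect verification to a different key or to no signature at all.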
Interesting insights, thank you for sharing!