Validate fails when Content is not compatible with map[string]interface{}
FossoresLP opened this issue · comments
`Validate()` tries to check if `exp` or `nbf` are set by casting `Content interface{}` to `map[string]interface{}`.
This should work for any kind of struct but will fail for types like `int`, `string` and `[]byte`.
These are valid JSON but cannot be handled by `Validate()` so please do not use those as the only payload of a JWT you plan to use with this package. Storing them in a JSON object works totally fine, it just takes a small bit of additional space.
I will fix this at some point but there's an easy workaround so it's not a high priority for me. Feel free to open a PR if you want to fix it.
My original assumption does not hold up as JWTs are submitted by the user and may therefore be tampered with.
After some reading I found that this issue is easily fixed by simply wrapping the type cast with an if clause just like retrieving values from the map.
I will fix this ASAP as it is not acceptable that users can crash your application with malicious content.
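
The guarded type assertion described in the last comment, as an added Go example that is not the package's own code. `validateContent`, `numericDate`, `uncheckedPanics` and the two error values are hypothetical names, and treating a non-object payload as having no `exp`/`nbf` to check is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var errExpired = errors.New("token expired")
var errNotYetValid = errors.New("token not yet valid")

// numericDate reads exp/nbf; ok is false if the claim is absent or not a number.
func numericDate(m map[string]interface{}, key string) (time.Time, bool) {
	f, ok := m[key].(float64) // encoding/json decodes JSON numbers to float64
	return time.Unix(int64(f), 0), ok
}

// validateContent is a hypothetical stand-in for Validate(), not the package's code.
func validateContent(content interface{}, now time.Time) error {
	m, ok := content.(map[string]interface{}) // comma-ok form never panics
	if !ok {
		return nil // assumption: a non-object payload carries no exp/nbf to check
	}
	if exp, ok := numericDate(m, "exp"); ok && now.After(exp) {
		return errExpired
	}
	if nbf, ok := numericDate(m, "nbf"); ok && now.Before(nbf) {
		return errNotYetValid
	}
	return nil
}

// uncheckedPanics reports whether the single-value assertion panics for raw JSON.
func uncheckedPanics(raw string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	var content interface{}
	if err := json.Unmarshal([]byte(raw), &content); err != nil {
		return false
	}
	_ = content.(map[string]interface{}) // panics unless content is a JSON object
	return false
}

func main() {
	now := time.Unix(1700000000, 0) // constructed sample time
	for _, raw := range []string{`"abc"`, `42`, `{"exp":1600000000}`, `{"nbf":1800000000}`} {
		var content interface{}
		_ = json.Unmarshal([]byte(raw), &content)
		fmt.Println(raw, uncheckedPanics(raw), validateContent(content, now))
	}
}
```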