| Abhay Kumar | a61c522 | 2025-11-10 07:32:50 +0000 | [diff] [blame^] | 1 | package jwt |
| 2 | |
| 3 | import "time" |
| 4 | |
| 5 | // ParserOption is used to implement functional-style options that modify the |
| 6 | // behavior of the parser. To add new options, just create a function (ideally |
| 7 | // beginning with With or Without) that returns an anonymous function that takes |
| 8 | // a *Parser type as input and manipulates its configuration accordingly. |
| 9 | type ParserOption func(*Parser) |
| 10 | |
| 11 | // WithValidMethods is an option to supply algorithm methods that the parser |
| 12 | // will check. Only those methods will be considered valid. It is heavily |
| 13 | // encouraged to use this option in order to prevent attacks such as |
| 14 | // https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/. |
| 15 | func WithValidMethods(methods []string) ParserOption { |
| 16 | return func(p *Parser) { |
| 17 | p.validMethods = methods |
| 18 | } |
| 19 | } |
| 20 | |
| 21 | // WithJSONNumber is an option to configure the underlying JSON parser with |
| 22 | // UseNumber. |
| 23 | func WithJSONNumber() ParserOption { |
| 24 | return func(p *Parser) { |
| 25 | p.useJSONNumber = true |
| 26 | } |
| 27 | } |
| 28 | |
| 29 | // WithoutClaimsValidation is an option to disable claims validation. This |
| 30 | // option should only be used if you exactly know what you are doing. |
| 31 | func WithoutClaimsValidation() ParserOption { |
| 32 | return func(p *Parser) { |
| 33 | p.skipClaimsValidation = true |
| 34 | } |
| 35 | } |
| 36 | |
| 37 | // WithLeeway returns the ParserOption for specifying the leeway window. |
| 38 | func WithLeeway(leeway time.Duration) ParserOption { |
| 39 | return func(p *Parser) { |
| 40 | p.validator.leeway = leeway |
| 41 | } |
| 42 | } |
| 43 | |
| 44 | // WithTimeFunc returns the ParserOption for specifying the time func. The |
| 45 | // primary use-case for this is testing. If you are looking for a way to account |
| 46 | // for clock-skew, WithLeeway should be used instead. |
| 47 | func WithTimeFunc(f func() time.Time) ParserOption { |
| 48 | return func(p *Parser) { |
| 49 | p.validator.timeFunc = f |
| 50 | } |
| 51 | } |
| 52 | |
| 53 | // WithIssuedAt returns the ParserOption to enable verification |
| 54 | // of issued-at. |
| 55 | func WithIssuedAt() ParserOption { |
| 56 | return func(p *Parser) { |
| 57 | p.validator.verifyIat = true |
| 58 | } |
| 59 | } |
| 60 | |
| 61 | // WithExpirationRequired returns the ParserOption to make exp claim required. |
| 62 | // By default exp claim is optional. |
| 63 | func WithExpirationRequired() ParserOption { |
| 64 | return func(p *Parser) { |
| 65 | p.validator.requireExp = true |
| 66 | } |
| 67 | } |
| 68 | |
| 69 | // WithAudience configures the validator to require the specified audience in |
| 70 | // the `aud` claim. Validation will fail if the audience is not listed in the |
| 71 | // token or the `aud` claim is missing. |
| 72 | // |
| 73 | // NOTE: While the `aud` claim is OPTIONAL in a JWT, the handling of it is |
| 74 | // application-specific. Since this validation API is helping developers in |
| 75 | // writing secure application, we decided to REQUIRE the existence of the claim, |
| 76 | // if an audience is expected. |
| 77 | func WithAudience(aud string) ParserOption { |
| 78 | return func(p *Parser) { |
| 79 | p.validator.expectedAud = aud |
| 80 | } |
| 81 | } |
| 82 | |
| 83 | // WithIssuer configures the validator to require the specified issuer in the |
| 84 | // `iss` claim. Validation will fail if a different issuer is specified in the |
| 85 | // token or the `iss` claim is missing. |
| 86 | // |
| 87 | // NOTE: While the `iss` claim is OPTIONAL in a JWT, the handling of it is |
| 88 | // application-specific. Since this validation API is helping developers in |
| 89 | // writing secure application, we decided to REQUIRE the existence of the claim, |
| 90 | // if an issuer is expected. |
| 91 | func WithIssuer(iss string) ParserOption { |
| 92 | return func(p *Parser) { |
| 93 | p.validator.expectedIss = iss |
| 94 | } |
| 95 | } |
| 96 | |
| 97 | // WithSubject configures the validator to require the specified subject in the |
| 98 | // `sub` claim. Validation will fail if a different subject is specified in the |
| 99 | // token or the `sub` claim is missing. |
| 100 | // |
| 101 | // NOTE: While the `sub` claim is OPTIONAL in a JWT, the handling of it is |
| 102 | // application-specific. Since this validation API is helping developers in |
| 103 | // writing secure application, we decided to REQUIRE the existence of the claim, |
| 104 | // if a subject is expected. |
| 105 | func WithSubject(sub string) ParserOption { |
| 106 | return func(p *Parser) { |
| 107 | p.validator.expectedSub = sub |
| 108 | } |
| 109 | } |
| 110 | |
| 111 | // WithPaddingAllowed will enable the codec used for decoding JWTs to allow |
| 112 | // padding. Note that the JWS RFC7515 states that the tokens will utilize a |
| 113 | // Base64url encoding with no padding. Unfortunately, some implementations of |
| 114 | // JWT are producing non-standard tokens, and thus require support for decoding. |
| 115 | func WithPaddingAllowed() ParserOption { |
| 116 | return func(p *Parser) { |
| 117 | p.decodePaddingAllowed = true |
| 118 | } |
| 119 | } |
| 120 | |
| 121 | // WithStrictDecoding will switch the codec used for decoding JWTs into strict |
| 122 | // mode. In this mode, the decoder requires that trailing padding bits are zero, |
| 123 | // as described in RFC 4648 section 3.5. |
| 124 | func WithStrictDecoding() ParserOption { |
| 125 | return func(p *Parser) { |
| 126 | p.decodeStrict = true |
| 127 | } |
| 128 | } |