rrrodzilla / rusty_paseto Goto Github PK

This is needed to prevent failures like this.

Default tokens expire in 1 hour. A user can update the expiration time by adding a new Expiration Claim or they can explicitly specify the token should never expire.

Describe the bug
While testing i discovered a case where the library will panic instead of throwing an error. Explicitly while attempting a wrong token "v4.local.1234".

The error is

rusty_paseto-0.6.0/src/core/paseto.rs:766:47:
range end index 32 out of range for slice of length 3

To Reproduce
just try to decrypt "v4.local.1234"

Expected behavior
i was expecting to catch the error same as other errors.

Additional context
I think this problem could be solved by checking the length of the third part. I am interested to create a PR for this as first contribution.

The generic parser handles decrypting the paseto structure (claims, etc) but does not enforce paseto logic such as validating expiration claim and other time related claims. The Paseto Token Parser should wrap the generic parser with the custom paseto logic.

The generic builder handles building and enforcing paseto structure (claims, etc) but does not enforce paseto logic such as providing a default expiration claim and issue claim while allowing for overrides and non-expiring tokens. The Paseto Token Builder should wrap the generic builder with the custom paseto logic.

An expiration claim, if provided, should be later than NOW UTC, else fail validation with an err.

There aren't updates, commits or activity in 6 months.
Is the project still active and/or mantained?

Need to implement doc comments and tests for the public API for rust docs.

Claim keys should only appear once in the top-level JSON payload of the builder to prevent the user from accidentally overwriting claim data in a single build session which would cause confusion. Users should groups of duplicate keys in a child struct with a unique claim key to enable that scenario.

A default token should have its issued at claim set to NOW. A user can update the claim by adding an IssuedAtClaim while building the token.

The NotBeforeClaim, if provided should be greater than NOW UTC, else throw a claim validation error.

Hello, could you please add additional information to the docs that if token is expired, then PasetoParser::<V4, Local> will throw an error? That would be cool, because I was trying to find a way to verify token itself. It's a good design choice, but that was not mentioned in docs, or I'm simply blind (sorry 😢)

Currently, claim validation is a simple check that the claim exists in the decrypted token and the decrypted value matches the provided value. The API needs to be extended to allow the user to provide their own validation closure in order to support more complex validation scenarios.

Hey hey,

really nice implementation and an amazing documentation!

I'm new to rust and my problem might just stem from the fact that I do not know how to archive this the rust-way.

I'm trying to set a subject claim from a non-static reference/dynamic value in a trait implementation.

let token = PasetoBuilder::<V4, Local>::default()
  .set_claim(SubjectClaim::from(&id))
  .build(&key)
  .unwrap();

From what I understand the signature of set_claim required the argument to have a 'static lifetime which will not be possible for a dynamic value (I could be wrong).

How could this be archived?

What is your plans re v3.public will you be supporting it? If so do you have an ETA?

Implement all of the test vectors for v2.public

Default to using lighter-weight time crate than chrono for the batteries-included API implementation

The user needs to be able to explicitly specify when a token should NOT have an expiration date when building a claim.

Currently the direct dependency [email protected] cannot be built on platforms like RISC-V.

So would it be possible to bump ring to 0.17+ (briansmith/ring#1627)?
I try to force a update locally, and it seems the compiler happy with new ring (:

Describe the bug
Every time set_implicit_assertion on GenericBuilder is used, the assertion is printed to stdout.

To Reproduce

PasetoBuilder::<V4, Local>::default().set_implicit_assertion(ImplicitAssertion::from("example"));

Expected behavior
For a library to not write to stdout.

Describe the bug
Found vulnerability when ruining cargo audit.

To Reproduce
Steps to reproduce the behavior:

1. just run cargo audit.

Expected behavior
the vulnerability can be resolved by bumping up the ed25519-dalek crate version.

Screenshots

Desktop (please complete the following information):

• OS: Fedora
• Browser chrome