mirror of
https://github.com/github/codeql.git
synced 2025-12-21 03:06:31 +01:00
package jwt
//go:generate depstubber -vendor github.com/go-jose/go-jose/v3/jwt JSONWebToken ParseSigned
import (
"fmt"
"github.com/go-jose/go-jose/v3/jwt"
"net/http"
)
// CustomerInfo is the destination struct this example decodes a token's
// claims into. How far its contents can be trusted depends on the call that
// filled it: a signature-checked Claims call, or an unverified decode.
type CustomerInfo struct {
	// Name is populated from the token's claims.
	Name string
	// ID is populated from the token's claims.
	ID int
}
// JwtKey is the key verifyJWT hands to Claims when checking a token's
// signature. It is a literal committed with the example; a real service would
// load its signing key from a secret store instead of source code, and would
// avoid exposing it as an exported, mutable package variable.
var JwtKey = []byte("AllYourBase")
// jose reads the "signedToken" query parameter from r and runs it through the
// two handling patterns this example contrasts.
//
// The parameter comes straight from the request URL, so the token and every
// claim inside it are caller-controlled until a signature check succeeds.
func jose(r *http.Request) {
	// OK: the token is decoded without verification first, but the same
	// token is then passed to verifyJWT, which checks its signature.
	// Note that notVerifyJWT already prints the claims before that check
	// runs; real code should not act on them until verification succeeds.
	checked := r.URL.Query().Get("signedToken")
	notVerifyJWT(checked)
	verifyJWT(checked)

	// NOT OK: this token is only decoded. Nothing checks its signature, so
	// its claims are unauthenticated input.
	unchecked := r.URL.Query().Get("signedToken")
	notVerifyJWT(unchecked)
}
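// notVerifyJWT parses signedToken and decodes its claims into a CustomerInfo
// without checking the signature, then prints them.
//
// UnsafeClaimsWithoutVerification returns whatever the token's sender wrote,
// so the printed values are untrusted. A caller that needs to rely on them has
// to verify the same token with Claims and a key first.
//
// It panics if the token cannot be parsed or its claims cannot be decoded.
func notVerifyJWT(signedToken string) {
	fmt.Println("only decoding JWT")

	tok, err := jwt.ParseSigned(signedToken)
	if err != nil {
		// The token string is request-supplied and may be malformed. Stop
		// with the parse error rather than calling a method on a token
		// value that was never produced.
		panic(err)
	}

	var out CustomerInfo
	if err := tok.UnsafeClaimsWithoutVerification(&out); err != nil {
		panic(err)
	}
	fmt.Printf("%v\n", out)
}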
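// verifyJWT parses signedToken, checks its signature against JwtKey while
// decoding the claims into a CustomerInfo, and prints the result.
//
// Only the signature is checked here. This function performs no validation of
// registered claims such as expiry, issuer or audience, so a caller that
// depends on those has to validate them separately.
//
// It panics if the token cannot be parsed, or if Claims returns an error.
func verifyJWT(signedToken string) {
	fmt.Println("verifying JWT")

	tok, err := jwt.ParseSigned(signedToken)
	if err != nil {
		// The token string is request-supplied and may be malformed. Stop
		// with the parse error rather than calling a method on a token
		// value that was never produced.
		panic(err)
	}

	var out CustomerInfo
	if err := tok.Claims(JwtKey, &out); err != nil {
		// Claims failed, so out must not be treated as authenticated data.
		panic(err)
	}
	fmt.Printf("%v\n", out)
}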