Summary
As of 2.2.1, Decode#verify_signature evaluates &@keyfinder before validating the algorithm. This is quite inefficient and results in misleading failure messages (see reasoning below). I propose we move algorithm validation before finding the key so that we don't waste our time evaluating the key finder when we know the algorithm is wrong.
Reasoning
Key finder evaluation is usually used for supporting features like JWKS, where a network call needs to be made to get a public key. Making network calls can often be expensive for Ruby applications. Therefore it makes sense to do the cheaper checks such as alg validation first. The performance impact of this can be especially significant in applications where multiple types of token are accepted.
A token with the wrong algorithm is most likely never going to find the right key. In this case, the exception should clearly indicate the issue with the incorrect algorithm and raise JWT::IncorrectAlgorithm instead of JWT::DecodeError, 'No verification key available'.
Please let me know if you are willing to accept a PR on this.
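The ordering proposed above, shown as an added, self-contained example rather than ruby-jwt's own code: a minimal HMAC-only decoder that checks the header's alg against an allow-list before it calls the key finder block, so a token with an unaccepted algorithm raises IncorrectAlgorithm and the (potentially network-bound) key lookup never runs. The module name OrderedDecode, the helper names, the sample secret and the sample payload are all constructed for this illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical minimal JWT decoder (not ruby-jwt's code). It exists only to show
# the ordering discussed in the issue: algorithm validation first, key finder second.
module OrderedDecode
  class DecodeError < StandardError; end
  class IncorrectAlgorithm < DecodeError; end
  class VerificationError < DecodeError; end

  # Only HMAC algorithms are supported here; the digest is chosen from the header alg.
  DIGESTS = { 'HS256' => 'SHA256', 'HS512' => 'SHA512' }.freeze

  def self.b64url_encode(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.b64url_decode(str)
    Base64.urlsafe_decode64(str) # Ruby >= 2.3 tolerates missing padding
  end

  # Builds a signed token for the constructed sample input.
  def self.encode(payload, secret, alg: 'HS256')
    header = { 'alg' => alg, 'typ' => 'JWT' }
    signing_input = [b64url_encode(JSON.generate(header)),
                     b64url_encode(JSON.generate(payload))].join('.')
    sig = OpenSSL::HMAC.digest(DIGESTS.fetch(alg), secret, signing_input)
    "#{signing_input}.#{b64url_encode(sig)}"
  end

  # Constant-time byte comparison so signature checks do not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns [payload, header]. `allowed_algs` is the consumer's allow-list; the
  # key finder block receives the parsed header and returns the verification key.
  def self.decode(token, allowed_algs:, &keyfinder)
    parts = token.split('.')
    raise DecodeError, 'Not enough or too many segments' unless parts.length == 3

    header = JSON.parse(b64url_decode(parts[0]))
    payload = JSON.parse(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])

    # Cheap check first: reject an unexpected alg before any key lookup happens.
    alg = header['alg']
    raise IncorrectAlgorithm, "Expected one of #{allowed_algs.join(', ')}, got #{alg.inspect}" \
      unless allowed_algs.include?(alg)

    # Only now do we pay for the key finder (e.g. a JWKS fetch in a real app).
    key = keyfinder.call(header)
    raise DecodeError, 'No verification key available' if key.nil?

    expected = OpenSSL::HMAC.digest(DIGESTS.fetch(alg), key, parts[0, 2].join('.'))
    raise VerificationError, 'Signature verification failed' unless secure_compare(expected, signature)

    [payload, header]
  end

  # Demonstration: counts key finder invocations across a valid HS256 token and an
  # HS512 token that this consumer does not accept. With alg validated first, the
  # finder runs exactly once, and the HS512 token fails with IncorrectAlgorithm.
  def self.demo
    secret = 'constructed-demo-secret' # constructed sample, not a real key
    calls = 0
    finder = ->(_header) { calls += 1; secret } # stands in for an expensive lookup

    payload, = decode(encode({ 'sub' => 'alice' }, secret), allowed_algs: ['HS256'], &finder)

    error = nil
    begin
      decode(encode({ 'sub' => 'alice' }, secret, alg: 'HS512'), allowed_algs: ['HS256'], &finder)
    rescue IncorrectAlgorithm => e
      error = e.class
    end

    { payload: payload, keyfinder_calls: calls, error: error }
  end
end

puts OrderedDecode.demo.inspect if $PROGRAM_NAME == __FILE__
```

The allow-list is passed explicitly rather than read from the token, which is what makes the early check meaningful: the header's alg only selects among algorithms the consumer already agreed to accept. Under the old ordering the same HS512 token would have triggered the key finder first and, if that lookup failed, surfaced as 'No verification key available' rather than pointing at the algorithm.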