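package jwt

import "time"

// ParserOption is used to implement functional-style options that modify the
// behavior of the parser. To add new options, just create a function (ideally
// beginning with With or Without) that returns an anonymous function that takes
// a *Parser type as input and manipulates its configuration accordingly.
type ParserOption func(*Parser)

// WithValidMethods is an option to supply algorithm methods that the parser
// will check. Only those methods will be considered valid. It is heavily
// encouraged to use this option in order to prevent attacks such as
// https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.
//
// The list is copied when the option is constructed, so a caller that later
// appends to or otherwise reuses its own slice cannot silently widen the set
// of accepted algorithms. A nil argument is passed through as nil, so the
// parser's handling of an unset list is unchanged.
func WithValidMethods(methods []string) ParserOption {
	var allowed []string
	if methods != nil {
		allowed = make([]string, len(methods))
		copy(allowed, methods)
	}
	return func(p *Parser) {
		p.validMethods = allowed
	}
}

// WithJSONNumber is an option to configure the underlying JSON parser with
// UseNumber, so numeric claims are decoded as json.Number instead of float64.
func WithJSONNumber() ParserOption {
	return func(p *Parser) {
		p.useJSONNumber = true
	}
}

// WithoutClaimsValidation is an option to disable claims validation. This
// option should only be used if you exactly know what you are doing.
//
// NOTE(review): once set, the checks the other options in this file configure
// (leeway, issued-at, required expiration, audience, issuer, subject)
// presumably no longer run, leaving only signature verification — confirm in
// the parser before relying on this with tokens from untrusted parties.
func WithoutClaimsValidation() ParserOption {
	return func(p *Parser) {
		p.skipClaimsValidation = true
	}
}

// WithLeeway returns the ParserOption for specifying the leeway window the
// validator uses to tolerate clock skew on time-based claims. The duration is
// stored as given: it is not clamped, so a negative value is not rejected here.
func WithLeeway(leeway time.Duration) ParserOption {
	return func(p *Parser) {
		p.validator.leeway = leeway
	}
}

// WithTimeFunc returns the ParserOption for specifying the time func. The
// primary use-case for this is testing. If you are looking for a way to account
// for clock-skew, WithLeeway should be used instead. Do not ship a fixed or
// stale clock into production: the validator's notion of "now" comes from this
// function, so a clock that stops would presumably keep expired tokens passing
// their time checks.
func WithTimeFunc(f func() time.Time) ParserOption {
	return func(p *Parser) {
		p.validator.timeFunc = f
	}
}

// WithIssuedAt returns the ParserOption to enable verification
// of issued-at (the `iat` claim), which is off unless requested.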
func WithIssuedAt() ParserOption {
	enableIat := func(p *Parser) {
		// Turn on checking of the `iat` claim; it stays off unless requested.
		p.validator.verifyIat = true
	}
	return enableIat
}

// WithExpirationRequired returns the ParserOption that makes the `exp` claim
// mandatory. By default `exp` is optional, so a token carrying no `exp` at all
// is not rejected for that reason alone — consider setting this whenever the
// tokens you accept are expected to expire.
func WithExpirationRequired() ParserOption {
	requireExp := func(p *Parser) {
		p.validator.requireExp = true
	}
	return requireExp
}

// WithAudience configures the validator to require the specified audience in
// the `aud` claim. Validation fails when the audience is not listed in the
// token or when the `aud` claim is missing altogether.
//
// NOTE: While the `aud` claim is OPTIONAL in a JWT, the handling of it is
// application-specific. Since this validation API is meant to help developers
// write secure applications, the existence of the claim is REQUIRED whenever
// an audience is expected.
//
// NOTE(review): the value is stored as-is; an empty string is presumably
// treated by the validator as "no audience expected" rather than as a literal
// expected value of "" — confirm before deriving it from configuration that
// may be blank.
func WithAudience(aud string) ParserOption {
	expect := func(p *Parser) {
		p.validator.expectedAud = aud
	}
	return expect
}

// WithIssuer configures the validator to require the specified issuer in the
// `iss` claim. Validation fails when the token names a different issuer or
// when the `iss` claim is missing altogether.
//
// NOTE: While the `iss` claim is OPTIONAL in a JWT, the handling of it is
// application-specific. Since this validation API is meant to help developers
// write secure applications, the existence of the claim is REQUIRED whenever
// an issuer is expected.
//
// NOTE(review): as with WithAudience, an empty string is stored as-is and is
// presumably read by the validator as "no issuer expected" — confirm.
func WithIssuer(iss string) ParserOption {
	expect := func(p *Parser) {
		p.validator.expectedIss = iss
	}
	return expect
}

// WithSubject configures the validator to require the specified subject in the
// `sub` claim. Validation will fail if a different subject is specified in the
// token or the `sub` claim is missing.
//
// NOTE: While the `sub` claim is OPTIONAL in a JWT, the handling of it is
// application-specific.
// Since this validation API is helping developers in
// writing secure application, we decided to REQUIRE the existence of the claim,
// if a subject is expected.
func WithSubject(sub string) ParserOption {
	expect := func(p *Parser) {
		p.validator.expectedSub = sub
	}
	return expect
}

// WithPaddingAllowed will enable the codec used for decoding JWTs to allow
// padding. Note that the JWS RFC7515 states that the tokens will utilize a
// Base64url encoding with no padding. Unfortunately, some implementations of
// JWT are producing non-standard tokens, and thus require support for decoding.
//
// Enabling this widens the set of byte strings accepted as a token (a padded
// and an unpadded encoding of the same segment both decode), so keep it off
// unless a specific peer is known to emit padded tokens.
func WithPaddingAllowed() ParserOption {
	allowPadding := func(p *Parser) {
		p.decodePaddingAllowed = true
	}
	return allowPadding
}

// WithStrictDecoding will switch the codec used for decoding JWTs into strict
// mode. In this mode, the decoder requires that trailing padding bits are zero,
// as described in RFC 4648 section 3.5. Strict mode rejects non-canonical
// encodings that lenient decoding silently accepts, making it the safer choice
// when interoperability with sloppy producers is not a requirement.
func WithStrictDecoding() ParserOption {
	strict := func(p *Parser) {
		p.decodeStrict = true
	}
	return strict
}