Not trying to nitpick here, rather I think security-wise it's dangerous as a concept to mutate untrusted input data before it's fed to a signature validation algorithm.
I think Go has recently done some optimizations where the compiler automatically optimizes these. I feel a bit unsafe with `unsafe` and doing special tricks in a security-critical library.
BytesToString and Base64Encode are mostly helpers for users of this package. BytesToString is used just on a single return statement, inside the blockfile.go file; of course we can remove it from there if that's a "security" issue for you, I can live without it too. Base64Encode is used on "encodeToken" just to encode server-side data, the custom claims you/your program provides and NOT the user/client's one - I don't see any security-wise issue here but I am open for further discussion.
Go has RawStdEncoding which makes this unnecessary:
jwt/token.go
Line 247 in 1639fcf
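An added example, not code from this repository or from any commenter: verifying an HMAC over the token bytes exactly as received, with the unpadded decoder doing the rejecting instead of a helper rewriting the input first. It uses `base64.RawURLEncoding`, the URL-safe sibling of the `RawStdEncoding` mentioned above; `signHS256`, `verifyHS256`, the key and the claims are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Unpadded URL-safe alphabet; Strict() also rejects non-zero trailing bits,
// so each byte string has exactly one accepted encoding.
var strictB64 = base64.RawURLEncoding.Strict()
var errInvalid = errors.New("invalid token")

// signHS256 builds a compact token (hypothetical helper for this example).
func signHS256(header, payload, key []byte) string {
	input := strictB64.EncodeToString(header) + "." + strictB64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + strictB64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 returns the payload only if the MAC matches the bytes as received.
func verifyHS256(token string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	// Go's base64 decoder skips \r and \n, so reject them instead of stripping.
	if len(parts) != 3 || strings.ContainsAny(token, "\r\n") {
		return nil, errInvalid
	}
	sig, err := strictB64.DecodeString(parts[2])
	if err != nil {
		return nil, errInvalid
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1])) // untouched input, no re-padding
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errInvalid
	}
	return strictB64.DecodeString(parts[1]) // decode only after the MAC check
}

func main() {
	tok := signHS256([]byte(`{"alg":"HS256"}`), []byte(`{"sub":"alice"}`), []byte("constructed-key"))
	_, err := verifyHS256(tok+"=", []byte("constructed-key"))
	fmt.Println("padded copy rejected:", err != nil)
}
```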