Consider a better JWT library

Created on 27 August 2019, almost 5 years ago
Updated 11 March 2023, over 1 year ago

Consider https://web-token.spomky-labs.com/ and other libraries that support more signatures and seem to be more maintained.
Also https://github.com/lcobucci/jwt

Probably need a new branch for this?

Feature request
Status: Closed: outdated
Version: 1.0
Component: Code
Created by: 🇺🇸United States pwolanin

  • Security



Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇷France Renrhaf 📍 Strasbourg 🐦🦜
    + ./local-php-security-checker
    Symfony Security Check Report
    =============================
    1 package has known vulnerabilities.
    firebase/php-jwt (v5.5.1)
    -------------------------
     * [CVE-2021-46743][]: Key/algorithm type confusion
    [CVE-2021-46743]: https://github.com/advisories/GHSA-8xf4-w7qw-pjjw
    Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
    Execute this command regularly to check the newly discovered vulnerabilities

    There is a security issue with the currently used library

  • 🇺🇸United States pwolanin

    @Renrhaf did you read the extensive note I posted on the project page? https://www.drupal.org/project/jwt

    See also: 📌 Make a 2.x release series compatible with 6.x releases for JWT library Fixed

    Your comment isn't relevant to this issue which would be around considering a totally different library.

  • Status changed to Closed: outdated over 1 year ago
  • 🇺🇸United States pwolanin

    Since firebase seems to be getting more regular support/development now and supports Ed25519 signatures I think this can be closed.

    I also like that the firebase library is pretty simple - most of these others seem to have gone out of their way to make the code complex and hard to use.
