-
I was just affected by #864 after a composer upgrade, in my case due to it being a dependency on https://github.com/PHP-Open-Source-Saver/jwt-auth which has this constraint I was lucky I caught this in a test suite which uses a (now) invalid key, my production is affected as well though. It might catch ppl by surprise who might have a valid key in their test/dev setup but a different one in prod and as we know. Further, changing the key might not be trivial in some cases. I guess revert this change and saving it for a major release is not an option? Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
Was implicitly answered via #877 (comment)
and #877 (comment)
|
Beta Was this translation helpful? Give feedback.
-
@lcobucci While I do get where you are coming from, and going forward forcing it/throwing the error is the best way for overall security, I am in the situation where I actually can't change hundreds of incorrect length keys, or at least doing so will take a phenomenal amount of work either issuing all new keys and asking people to update them, by using a different JWT package altogether, or forking your package and making my own changes. Ideally, could you just keep the "UnsafeSha(256/384/512)" classes in the code instead of removing them in v5.0.0? This would very much help me (and probably others) in the long run, otherwise I will have to go through the process of using a different package in my code for some users. |
Beta Was this translation helpful? Give feedback.
Was implicitly answered via #877 (comment)
and #877 (comment)