Skip to content

Commit

Permalink
Adds not to README on decoded payload validation (#646)
Browse files Browse the repository at this point in the history
Adds a note to the README that suggest that decoded payload should not be trusted and should be treated as user inputs.
  • Loading branch information
CriGoT authored and ziluvatar committed Nov 29, 2019
1 parent 5ed1f06 commit a6235fa
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,8 @@ jwt.sign({

(Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will throw the error.

> __Warning:__ When the token comes from an untrusted source (e.g. user input or external requests), the returned decoded payload should be treated like any other user input; please make sure to sanitize and only work with properties that are expected
`token` is the JsonWebToken string

`secretOrPublicKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM
Expand Down Expand Up @@ -234,6 +236,9 @@ jwt.verify(token, getKey, options, function(err, decoded) {

> __Warning:__ This will __not__ verify whether the signature is valid. You should __not__ use this for untrusted messages. You most likely want to use `jwt.verify` instead.
> __Warning:__ When the token comes from an untrusted source (e.g. user input or external request), the returned decoded payload should be treated like any other user input; please make sure to sanitize and only work with properties that are expected

`token` is the JsonWebToken string

`options`:
Expand Down

0 comments on commit a6235fa

Please sign in to comment.