kataras/jwt

Unnecessary custom base64 implementation

joonas-fi opened this issue · 2 comments

Go has RawStdEncoding, which makes this unnecessary:

jwt/token.go, line 247 in 1639fcf:

    func Base64Encode(src []byte) []byte {

Not trying to nitpick here; rather, I think security-wise it's dangerous as a concept to mutate untrusted input data before it's fed to a signature validation algorithm.

If you're open to more suggestions:

jwt/util.go, line 6 in 1639fcf:

    func BytesToString(b []byte) string {

I think Go has recently done some optimizations where the compiler automatically optimizes these. I feel a bit unsafe with unsafe, and with doing special tricks in a security-critical library.
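To make the encoding point concrete, here is an added example (not code from the kataras/jwt repository) that does HS256 signing and verification with nothing but the standard library. JWS compact serialization uses base64url without padding (RFC 7515), which is base64.RawURLEncoding in Go rather than RawStdEncoding; the Strict() variant also rejects non-canonical trailing bits. The verifier recomputes the MAC over the header and payload segments exactly as they arrived, which is the practical answer to the "don't mutate untrusted input before validation" concern: any byte the client touches, including appended padding, changes the MAC input. The key, header and claims are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// enc is the encoding JWS compact serialization uses (RFC 7515): base64url
// with no padding. Strict() additionally rejects non-canonical trailing bits,
// so exactly one text form is accepted for a given byte string.
var enc = base64.RawURLEncoding.Strict()

// Sign builds header.payload.signature with HS256 using only the standard
// library; no hand-rolled base64 is needed.
func Sign(key, header, payload []byte) string {
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil))
}

// Verify authenticates a token and returns its decoded payload. The MAC is
// recomputed over the header and payload segments exactly as they arrived
// (no trimming, re-encoding or padding repair). Only the signature segment
// is decoded before the comparison, and the payload is decoded for use only
// after hmac.Equal has passed.
func Verify(key []byte, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three segments")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jwt: signature segment: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("jwt: invalid signature")
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: payload segment: %w", err)
	}
	return payload, nil
}

func main() {
	// Constructed sample inputs; the key is for the demo only.
	key := []byte("constructed-demo-key-not-for-production")
	header := []byte(`{"alg":"HS256","typ":"JWT"}`)
	payload := []byte(`{"sub":"alice","admin":false}`)

	tok := Sign(key, header, payload)
	fmt.Println("token:", tok)

	if got, err := Verify(key, tok); err == nil {
		fmt.Println("verified payload:", string(got))
	}

	// A client appends '=' padding to the payload segment. A verifier that
	// first "repairs" or re-encodes the segment would still see the same
	// claims; verifying over the bytes as received rejects it instead.
	parts := strings.Split(tok, ".")
	padded := parts[0] + "." + parts[1] + "=." + parts[2]
	_, err := Verify(key, padded)
	fmt.Println("padded token rejected:", err)
}
```

The order inside Verify matters as much as the encoding: the signature is checked before the payload is decoded, so a malformed or forged payload never reaches the claims parser.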

Hello @joonas-fi,

BytesToString and Base64Encode are mostly helpers for users of this package. BytesToString is used just on a single return statement, inside the blockfile.go file, of course we can remove it from there if that's a "security" issue for you, I can live without it too. Base64Encode is used one "encodeToken" just to encode server-side data, the custom claims you/your program provides and NOT the user/client's one - I don't see any security-wise issue here but I am open for further discussion.