Multithreading application about jwt-cpp HOT 6 CLOSED

You should be fine as long as you follow some basic rules:

• Don't call modifying methods from multiple threads without synchronization
• Don't call const methods concurrently with any modifying methods

There are no global objects used by this library and create, decode and verify return by value.

So the library on its own should be fine. However it uses OpenSSL under the hood which might not be fully thread safe. Most people I talked to and read on the internet said that the way I use it should be fine (i.e. all the verify and sign methods of algorithms should be thread safe) but I am yet to find a definitive answer in the OpenSSL docs.
The only real info I found on this is here, which means that it might be a problem.

I do run it in multithreaded code (in microservices to be precise) and I generally use a thread_local verifier just to be sure (however a single global one should be fine too) and did not have any problems with OpenSSL so far (however I might have just been lucky). I construct builders as needed because signing a token does not happen that often in my apps.

I hope this helps, if you have further questions feel free to ask.

from jwt-cpp.

Thanks for reply!

About Claims, i saw in "ClaimTest.cpp" a example to set array of int as claim on payload. It would be common to have different type of data inside array? Ex an integer, a string, a bool , etc.

from jwt-cpp.

The constructor used in the example is templated on the iterator type and supports

• std::string
• int64_t
• double
• picojson::array
• picojson::object

However if you need more control over the structure, you have to build a picojson::value yourself.
You can then pass picojson::value to the claim constructor.

from jwt-cpp.

Hi Thalhammer

Thanks for reply!

I am building my application and i have another question. When i have a token with claim of number type and i want to verify as example:

double c = 10.55; picojson::value val(c); auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_claim("myclaim", jwt::claim(val);

The verify method don't check the number type and and throws the exception( token_verification_exception("internal error")). Also missing for boolean.

For my application, I added the check.

else if (c.get_type() == claim::type::number) { if (c.as_number() != jc.as_number()) throw token_verification_exception("claim " + key + " does not match expected"); }
... and others...

Is there any reason why this check was not done there? May I make to pull request?

Thanks!

Best regards.

from jwt-cpp.

No this indeed looks like an oversight on my part. Feel free to make a PR.
Note however that you can not safely use operator != for double (or float).

from jwt-cpp.

Closing due to inactivity

from jwt-cpp.