
Ha! Stephen Dolan had to add this to jq quite some time back, making it preserve object key input order on output. And yes, it's infuriating, but it's also somewhat convenient, and yes, there really is software out there that cares about object key order (sigh).


Doesn't anything using jwt depend on a specific order?


It shouldn't, unless you base64 decode the header, then parse it with a library that causes the order to change, encode it again, and then use your own re-encoding to calculate the signature:

  HMAC-SHA256(
    b64(reencoded_header) + '.' + b64(payload),
    secret
  )

You should really just verify the signature for the provided header + payload in their base64 encoded form.
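
Added example, not part of the thread: a minimal HS256 check in Python that contrasts verifying over the received base64url segments with the decode, re-serialize, re-sign path described in the comment above. The secret, the tokens and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign(signing_input: str, secret: bytes) -> bytes:
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return b64url(mac).encode()

def make_token(header_json: str, payload_json: str, secret: bytes = SECRET) -> str:
    # Issuer side: the signature covers the exact bytes the issuer serialized.
    signing_input = b64url(header_json.encode()) + "." + b64url(payload_json.encode())
    return signing_input + "." + sign(signing_input, secret).decode()

def verify_raw(token: str, secret: bytes) -> dict:
    """Verify over the segments as received; parse JSON only after the MAC checks out."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    expected = sign(header_b64 + "." + payload_b64, secret)
    if not hmac.compare_digest(expected, sig_b64.encode()):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm this verifier accepts
        raise ValueError("unexpected alg")
    return json.loads(b64url_decode(payload_b64))

def verify_reencoded(token: str, secret: bytes) -> bool:
    """Fragile variant: decode the header, re-serialize it, sign the re-encoding."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # sort_keys stands in for any library that changes key order or whitespace.
    reencoded = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    expected = sign(b64url(reencoded) + "." + payload_b64, secret)
    return hmac.compare_digest(expected, sig_b64.encode())

# Constructed tokens: same claims, header keys serialized in two different orders.
TOKEN_TYP_FIRST = make_token('{"typ":"JWT","alg":"HS256"}', '{"sub":"alice"}')
TOKEN_ALG_FIRST = make_token('{"alg":"HS256","typ":"JWT"}', '{"sub":"alice"}')

if __name__ == "__main__":
    print(verify_raw(TOKEN_TYP_FIRST, SECRET))        # valid regardless of key order
    print(verify_reencoded(TOKEN_TYP_FIRST, SECRET))  # rejected: bytes changed
    print(verify_reencoded(TOKEN_ALG_FIRST, SECRET))  # passes only by coincidence
```
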



