From 4fa34722ef54130257f4fd8962ba573475b8d20d Mon Sep 17 00:00:00 2001
From: serosset
Date: Sun, 19 Sep 2021 17:46:37 +0000
Subject: [PATCH 1/5] improve code comments, including security consideration

---
 parser.go | 4 ++--
 token.go | 14 +++++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/parser.go b/parser.go
index 0c811f31..bd2fc3ab 100644
--- a/parser.go
+++ b/parser.go
@@ -13,9 +13,9 @@ type Parser struct {
 	SkipClaimsValidation bool // Skip claims validation during token parsing
 }
 
-// Parse parses, validates, and returns a token.
+// Parse parses, validates, verifies the signature and returns the parsed token.
 // keyFunc will receive the parsed token and should return the key for validating.
-// If everything is kosher, err will be nil
+// If everything is kosher, err will be nil.
 func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
 }
diff --git a/token.go b/token.go
index b896acb0..e5598922 100644
--- a/token.go
+++ b/token.go
@@ -29,11 +29,12 @@ type Token struct {
 	Valid bool // Is the token valid? Populated when you Parse/Verify a token
 }
 
-// New creates a new Token. Takes a signing method
+// New creates a new Token with the specified a signing method and an empty map of claims.
 func New(method SigningMethod) *Token {
 	return NewWithClaims(method, MapClaims{})
 }
 
+// NewWithClaims creates a new Token with the specified signing method and claims.
 func NewWithClaims(method SigningMethod, claims Claims) *Token {
 	return &Token{
 		Header: map[string]interface{}{
@@ -45,7 +46,8 @@ func NewWithClaims(method SigningMethod, claims Claims) *Token {
 	}
 }
 
-// SignedString retrieves the complete, signed token
+// SignedString creates and returns a complete, signed JWT token.
+// The token is signed using the SigningMethod specified in the token.
 func (t *Token) SignedString(key interface{}) (string, error) {
 	var sig, sstr string
 	var err error
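Review bot: The new `Parser.Parse` comment in the parser.go hunk says keyFunc "should return the key for validating" and nothing about the signing algorithm, while the package-level `Parse` comment in token.go in this same patch does tell callers to check it; two docs for the same operation should not diverge, and `Parser` (whose other fields lie outside this hunk, presumably including the `ValidMethods` allow-list) is the one place a caller can actually restrict which algorithms are accepted. I would mirror the token.go wording here: `// keyFunc will receive the parsed token and should return the cryptographic key` / `// for verifying the signature; the token's "alg" header is not yet verified at that point.` and add one sentence pointing at the Parser field that restricts accepted signing methods. The patch-2 hunk on this same function only drops the "kosher" line and does not close this gap either.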
@@ -82,9 +84,11 @@ func (t *Token) SigningString() (string, error) {
 	return strings.Join(parts, "."), nil
 }
 
-// Parse parses, validates, and returns a token.
-// keyFunc will receive the parsed token and should return the key for validating.
-// If everything is kosher, err will be nil
+// Parse parses, validates, verifies the signature and returns the parsed token.
+// keyFunc will receive the parsed token and should return the cryptographic key
+// for verifying the signature.
+// keyFunc should validate the 'alg' claim in the token matches the expected algorithm.
+// If everything is kosher, err will be nil.
 func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return new(Parser).Parse(tokenString, keyFunc)
 }

From 5b39b518a778e26003f148f86a153e78a8d602a2 Mon Sep 17 00:00:00 2001
From: "Sebastien Rosset (serosset)"
Date: Thu, 23 Sep 2021 20:43:11 -0700
Subject: [PATCH 2/5] Add link to URL with details about security vulnerabilities.

---
 parser.go | 1 -
 token.go | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/parser.go b/parser.go
index bd2fc3ab..23d0e8a4 100644
--- a/parser.go
+++ b/parser.go
@@ -15,7 +15,6 @@ type Parser struct {
 
 // Parse parses, validates, verifies the signature and returns the parsed token.
 // keyFunc will receive the parsed token and should return the key for validating.
-// If everything is kosher, err will be nil.
 func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
 }
diff --git a/token.go b/token.go
index e5598922..b55aee79 100644
--- a/token.go
+++ b/token.go
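Review bot: `alg` is a JOSE header parameter, not a claim, so the added line `// keyFunc should validate the 'alg' claim in the token matches the expected algorithm.` points readers at the claims set instead of the header; the same wording is carried into the patch-2 and patch-5 hunks of token.go. Because keyFunc supplies the key that the signature is then verified with, it presumably runs before any signature check, so the comment should also state that the header keyFunc inspects is still unverified input. Suggested wording: `// keyFunc should confirm that the token's "alg" header (not yet verified at this point)` / `// names the algorithm the caller expects before returning a key.`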
@@ -88,7 +88,8 @@ func (t *Token) SigningString() (string, error) {
 // keyFunc will receive the parsed token and should return the cryptographic key
 // for verifying the signature.
 // keyFunc should validate the 'alg' claim in the token matches the expected algorithm.
-// If everything is kosher, err will be nil.
+// For more details about the importance of validating the 'alg' claim,
+// see https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
 func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return new(Parser).Parse(tokenString, keyFunc)
 }

From 86f109005e4dad3a6abfbbbd6c183e4316b5efa2 Mon Sep 17 00:00:00 2001
From: Sebastien Rosset
Date: Fri, 24 Sep 2021 18:11:32 -0700
Subject: [PATCH 3/5] Update token.go

Co-authored-by: Christian Banse
---
 token.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/token.go b/token.go
index b55aee79..8b4ebbf8 100644
--- a/token.go
+++ b/token.go
@@ -29,7 +29,7 @@ type Token struct {
 	Valid bool // Is the token valid? Populated when you Parse/Verify a token
 }
 
-// New creates a new Token with the specified a signing method and an empty map of claims.
+// New creates a new Token with the specified signing method and an empty map of claims.
 func New(method SigningMethod) *Token {
 	return NewWithClaims(method, MapClaims{})
 }

From 1e544b363cfa74a933c7648a7ad7e2824d596ad9 Mon Sep 17 00:00:00 2001
From: Sebastien Rosset
Date: Fri, 24 Sep 2021 18:11:40 -0700
Subject: [PATCH 4/5] Update token.go

Co-authored-by: Christian Banse
---
 token.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/token.go b/token.go
index 8b4ebbf8..eea49d5e 100644
--- a/token.go
+++ b/token.go
@@ -46,7 +46,7 @@ func NewWithClaims(method SigningMethod, claims Claims) *Token {
 	}
 }
 
-// SignedString creates and returns a complete, signed JWT token.
+// SignedString creates and returns a complete, signed JWT.
 // The token is signed using the SigningMethod specified in the token.
 func (t *Token) SignedString(key interface{}) (string, error) {
 	var sig, sstr string

From 40c2c5c47ad046caf00764d4bd4d1bc3b2d8baf6 Mon Sep 17 00:00:00 2001
From: serosset
Date: Wed, 13 Oct 2021 12:31:39 +0000
Subject: [PATCH 5/5] update code comments

---
 token.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/token.go b/token.go
index eea49d5e..c19ac1bc 100644
--- a/token.go
+++ b/token.go
@@ -87,9 +87,10 @@ func (t *Token) SigningString() (string, error) {
 // Parse parses, validates, verifies the signature and returns the parsed token.
 // keyFunc will receive the parsed token and should return the cryptographic key
 // for verifying the signature.
-// keyFunc should validate the 'alg' claim in the token matches the expected algorithm.
+// The caller is strongly encouraged to set the WithValidMethods option to
+// validate the 'alg' claim in the token matches the expected algorithm.
 // For more details about the importance of validating the 'alg' claim,
-// see https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
+// see https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
 func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return new(Parser).Parse(tokenString, keyFunc)
 }
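Review bot: The patch-5 hunk tells callers to "set the WithValidMethods option", but the `Parse(tokenString string, keyFunc Keyfunc)` signature directly below it takes no options and builds a zero-value `Parser`, so a reader of this comment has no way to act on it through the documented function. Either name the route that does exist — a `Parser` configured with its allowed methods (presumably the `ValidMethods` field, or `NewParser` with `WithValidMethods` if this version provides it) — or extend `Parse` to accept parser options; one phrasing is `// To restrict the accepted algorithms, configure a Parser with the allowed signing methods and call its Parse method instead.`. The `-`/`+` pair for the `see https://...` line reads identically, which suggests a whitespace-only change worth mentioning in the commit message or dropping from the hunk. The "'alg' claim" wording raised on the patch-1 hunk is still present here.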