JSON Web Tokens
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
Here are 4,738 public repositories matching this topic...
The quick start guide for version 1.0.0 suggests in the AuthController to apply the 'auth:api' middleware in the constructor in this manner:
public function __construct(){
    $this->middleware('auth:api', ['except' => ['login']]);
}
that means this route: Route::post('refresh', 'AuthController@refresh');
and this method:
public function refresh(){
return $this-
RFC 7515, Section 2 states:
JWS Payload
The sequence of octets to be secured -- a.k.a. the message. The
payload can contain an arbitrary sequence of octets.
This is reinforced by the example shown in Appendix A4 using a payload of the string literal Payload.
As
Would be very helpful for the docs to clearly document the various types of error codes.
I had all sorts of problems because I didn't know which errors were coming from this library, and what they meant.
I went through the code and found these:
- 'credentials_bad_scheme'
- 'credentials_bad_format'
- 'credentials_required'
- 'invalid_token' x2
- 'revoked_token'
Note that the `'invalid
I would like to know whether or not the classes in this library are thread-safe.
I know there are already two closed issues asking for the thread safety of JWTVerifier.
I want to use an Algorithm with multiple threads for signing. Is this class threadsafe as well?
I recommend to document the thread-safety in the readme, or at least in the class / method javadocs.
It's actually quite difficult to find information on different key formats for Asymmetric keys. Add an example key format or at least a command to generate one correctly; eg:
ssh-keygen -t rsa -b 4096 -m PEM
- [Applies to <= 2.1.0, fixed in >= 2.2.0] While it is possible to use symbolized claim names everywhere, the exp claim is only validated if passed as string key to encode.
> JWT.encode({ 'exp' => 'asd' }, 'key')
JWT::InvalidPayload: exp claim must be an integer
> JWT.encode({ exp: 'asd' }, 'key')
=> "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOiJhc2QifQ.vMAZ6k88kjdSq9UW_raFMNlhBGz2L01
Hello
I am currently following the tutorial Getting started with Guardian and within the section Create Implementation Module is a broken link to the implementation module docs.
The correct one would be `https://github.com/ueberauth/guardian/blob/master/guides/introduction/
The date at which the notification is no longer valid. This value is a UNIX epoch expressed in seconds (UTC). If the value is nonzero, APNs stores the notification and tries to deliver it at least once, repeating the attempt as needed until the specified d
authlib contains pretty much all you need to implement JWT token validation. It would be nice if there was a simple default one provided. I'm not sure how many moving parts it would have. If no single validator would cover 80% of cases, maybe provide more docs on how to assemble one.
@lepture If you have a general idea of how you would like to see this implemented I would probably be able to do
Created by M. Jones, J. Bradley, N. Sakimura
Released May 2015
- Website: www.rfc-editor.org/info/rfc7519
It looks like most of the advice from the OWASP REST Cheat Sheet is discussed in this API-Security-Checklist, but OWASP talks about the importance of CORS, which is not mentioned at all in this API-Security-Checklist. Probably good to make mention. Also, the OWASP REST Cheat Sheet provides a bit more guidance regarding validation that might be good to incorporate.
https://github.com/OWASP/Che