It looks like most of the advice from the OWASP REST Cheat Sheet is discussed in this API-Security-Checklist, but OWASP talks about the importance of CORS, which is not mentioned at all in this API-Security-Checklist. Probably good to make mention. Also, the OWASP REST Cheat Sheet provides a bit more guidance regarding validation that might be good to incorporate.

https://github.com/OWASP/Che

The quick start guide for version 1.0.0 suggests in the AuthController to apply the 'auth:api' middleware in the constructor in this manner:

public function __construct(){
        $this->middleware('auth:api', ['except' => ['login']]);
}

that means this route: Route::post('refresh', 'AuthController@refresh'); and this method:

public function refresh(){
        return $this-

提交 Issues 请提供

1. 提供发生错误的步骤，最好有 GIf 动图
2. 异常日志（尽量详细，异常日志可以使用MD语法）

对于没有提供详细日志的 Issues 将直接关闭。谢谢

Would be very helpful for the docs to clearly document the various types of error codes.

I had all sorts of problems because I didn't know which errors were coming from this library, and what they meant.

I went through the code and found these:

• 'credentials_bad_scheme'
• 'credentials_bad_format'
• 'credentials_required'
• 'invalid_token' x2
• 'revoked_token'

Note that the `'invalid

https://pyjwt.readthedocs.io/en/latest/index.html has examples 😄
https://pyjwt.readthedocs.io/en/latest/api.html has only exceptions 😕

I wish there was complete documentation for jwt.encode and jwt.decode high level methods / public API.

Specifically, there are keyword arguments which are not trivial and options= which have defaults, but it takes digging into the source code to unders

I've finally ingtegrated drf jwt but only when I specified authentication_classes = (JSONWebTokenAuthentication,) inside my view. I think the documentation needs to be a bit more precise, other drf always expects a Token but not JWT.

1. [Applies to <= 2.1.0, fixed in >= 2.2.0] While it is possible to use symbolized claim names everywhere, the exp claim is only validated if passed as string key to encode.

> JWT.encode({ 'exp' => 'asd' }, 'key')
JWT::InvalidPayload: exp claim must be an integer

> JWT.encode({ exp: 'asd' }, 'key')
=> "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOiJhc2QifQ.vMAZ6k88kjdSq9UW_raFMNlhBGz2L01

The doumentation state that you can use:

    JwtModule.forRoot({
      config: {
        tokenGetter: tokenGetter,
        whitelistedDomains: ['example.com'],
        blacklistedRoutes: ['example.com/examplebadroute/']
      }
    })

It would be nice to have a warning on the documentation saying whitelistedDomains: ['http://example.com'] won't work.

• Document common APNs gotchas and errors (dev/prod gateway etc)
• Examples of how to use with go channels and go routines
• Document Client timeout behaviour (issue #24)
• Document ClientManager and concurrent access safety (issue #44)
• Document Generating correct .pem/p12 certificates (issue #33 and issue #46)

Describe the bug

The docs describe a process for integrating Authlib, Starlette, and Twitter into an app that needs to be revised. I followed these docs to add Twitter OAuth 1 to my app, but got the following errors.

The example in the docs should also be edited to create a FastAPI instance instead of Starlette instance, because