Add the ability to use rust implementations even on non-wasm targets

Fixes #102
Fixes #103

.github/workflows/ci.yml

@@ -15,9 +15,17 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - name: Build
-        run: cargo build --verbose
-      - name: WASI Build
+      - name: build
+        run: cargo build
+      - name: build with cwt
+        run: cargo build --features="cwt"
+      - name: pure rust implementations
+        run: cargo build --no-default-features --features="pure-rust"
+      - name: wasm32-freestanding build
+        run: |
+          rustup target add wasm32-unknown-unknown
+          cargo build --verbose --target=wasm32-unknown-unknown
+      - name: wasi32-wasi build
         run: |
           rustup target add wasm32-wasi
           cargo build --verbose --target=wasm32-wasi

Cargo.toml

@@ -31,16 +31,20 @@ thiserror = "1.0.51"
 zeroize = "1.7.0"
 
 [target.'cfg(not(any(target_arch = "wasm32", target_arch = "wasm64")))'.dependencies]
-boring = "4.2.0"
+boring = { version = "4.2.0", optional = true }
+superboring = { version = "0.1.2", optional = true }
 
 [target.'cfg(any(target_arch = "wasm32", target_arch = "wasm64"))'.dependencies]
-superboring = "0.1.0"
+superboring = { version = "0.1.2" }
 
 [dev-dependencies]
 benchmark-simple = "0.1.8"
 
 [features]
+default = ["optimal"]
 cwt = ["ciborium"]
+optimal = ["boring"]
+pure-rust = ["superboring"]
 
 [[bench]]
 name = "benchmark"

README.md

@@ -22,6 +22,8 @@
     - [Creating and attaching key identifiers](#creating-and-attaching-key-identifiers)
     - [Mitigations against replay attacks](#mitigations-against-replay-attacks)
     - [CWT (CBOR) support](#cwt-cbor-support)
+  - [Working around compilation issues with the `boring` crate](#working-around-compilation-issues-with-the-boring-crate)
+  - [Usage in Web browsers](#usage-in-web-browsers)
   - [Why yet another JWT crate](#why-yet-another-jwt-crate)
 
 <!-- /code_chunk_output -->
@@ -289,6 +291,20 @@ Also, the existing Rust crates for JSON and CBOR deserialization are not safe. A
 
 As a mitigation, we highly recommend rejecting tokens that would be too large in the context of your application. That can be done by with the `max_token_length` verification option.
 
+## Working around compilation issues with the `boring` crate
+
+As a temporary workaround for portability issues with one of the dependencies (the `boring` crate), this library can be compiled to use only Rust implementations.
+
+In order to do so, import the crate with `default-features=false, features=["pure-rust"]` in your Cargo configuration.
+
+Do not do it unconditionally. This is only required for very specific setups and targets, and only until issues with the `boring` crate have been solved. The way to configure this in Cargo may also change in future versions.
+
+## Usage in Web browsers
+
+The `wasm32-freestanding` target (still sometimes called `wasm32-unknown-unknown` in Rust) is supported (as in "it compiles").
+
+However, using a native JavaScript implementation is highly recommended instead. There are high-quality JWT implementations in JavaScript, leveraging the WebCrypto API, that provide better performance and security guarantees than a WebAssembly module.
+
 ## Why yet another JWT crate
 
 This crate is not an endorsement of JWT. JWT is [an awful design](https://tools.ietf.org/html/rfc8725), and one of the many examples that "but this is a standard" doesn't necessarily mean that it is good.

src/lib.rs

@@ -301,6 +301,12 @@
 
 #![forbid(unsafe_code)]
 
+#[cfg(all(feature = "pure-rust", feature = "optimal"))]
+compile_error!("jwt-simple: the `optimal` feature is only available when the `pure-rust` feature is disabled - Consider disabling default Cargo features.");
+
+#[cfg(all(not(feature = "pure-rust"), not(feature = "optimal")))]
+compile_error!("jwt-simple: the `optimal` feature is required when the `pure-rust` feature is disabled - Consider enabling default Cargo features.");
+
 pub mod algorithms;
 pub mod claims;
 pub mod common;