Add link to URL with details about security vulnerabilities.

parser.go

@@ -15,7 +15,6 @@ type Parser struct {
 
 // Parse parses, validates, verifies the signature and returns the parsed token.
 // keyFunc will receive the parsed token and should return the key for validating.
-// If everything is kosher, err will be nil.
 func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
 }

token.go

@@ -88,7 +88,8 @@ func (t *Token) SigningString() (string, error) {
 // keyFunc will receive the parsed token and should return the cryptographic key
 // for verifying the signature.
 // keyFunc should validate the 'alg' claim in the token matches the expected algorithm.
-// If everything is kosher, err will be nil.
+// For more details about the importance of validating the 'alg' claim,
+// see https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ 
 func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return new(Parser).Parse(tokenString, keyFunc)
 }