Verify algorithm before evaluating keyfinder  #343

@zinosama

Summary

As of 2.2.1, Decode#verify_signature evaluates &@keyfinder before validating the algorithm. This is quite inefficient and results in misleading failure messages (see reasoning below). I propose we move algorithm validation before finding the key so that we don't waste our time evaluating the key finder when we know the algorithm is wrong.

Reasoning

  1. Key finder evaluation is usually used for supporting features like JWKS, where a network call needs to be made to get a public key. Making network calls can often be expensive for Ruby applications. Therefore it makes sense to do the cheaper checks such as alg validation first. The performance impact of this can be especially significant in applications where multiple types of token are accepted.
  2. A token with the wrong algorithm is most likely never gonna find the right key. In this case, the exception should clearly indicate the issue with the incorrect algorithm and raise JWT::IncorrectAlgorithm instead of JWT::DecodeError, 'No verification key available'.

Please let me know if you are willing to accept a PR on this.
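
The ordering difference described in this issue, as an added sketch that is not part of the original post and is not ruby-jwt's code. The error classes, the `decode` and `attempt` helpers, the HS256-only allow-list and the `KEYS` table (standing in for a JWKS lookup) are all assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Local stand-ins for the error classes named in the issue (not the gem's code).
class DecodeError < StandardError; end
class IncorrectAlgorithm < DecodeError; end
ALLOWED_ALGS = ['HS256'].freeze
KEYS = { 'k1' => 'constructed-demo-secret' }.freeze # constructed; stands in for a JWKS endpoint

def b64(data)
  [data].pack('m0').tr('+/', '-_').delete('=') # unpadded base64url
end
def unb64(str)
  str.tr('-_', '+/').unpack1('m')
end

# Build a constructed token whose header carries the given alg and kid.
def make_token(alg, kid)
  input = "#{b64(JSON.generate('alg' => alg, 'kid' => kid))}.#{b64('{"sub":"demo"}')}"
  "#{input}.#{b64(OpenSSL::HMAC.digest('SHA256', KEYS['k1'], input))}"
end

def check_alg!(header)
  raise IncorrectAlgorithm, 'Expected a different algorithm' unless ALLOWED_ALGS.include?(header['alg'])
end

# alg_first: false models the ordering the issue describes; true models the proposal.
def decode(token, alg_first:)
  head, payload, sig = token.split('.')
  header = JSON.parse(unb64(head))
  check_alg!(header) if alg_first
  key = yield(header) # the expensive step, e.g. a JWKS fetch over the network
  raise DecodeError, 'No verification key available' if key.nil?
  check_alg!(header) unless alg_first
  expected = OpenSSL::HMAC.digest('SHA256', key, "#{head}.#{payload}")
  raise DecodeError, 'Signature verification failed' unless OpenSSL.secure_compare(expected, unb64(sig))
  JSON.parse(unb64(payload))
end

# Run one decode and report [outcome, number of keyfinder calls].
def attempt(token, alg_first:)
  calls = 0
  decode(token, alg_first: alg_first) { |header| calls += 1; KEYS[header['kid']] }
  ['ok', calls]
rescue DecodeError => e
  [e.class.name, calls]
end

bad = make_token('HS512', 'unknown-kid') # constructed: disallowed alg, unknown kid
p attempt(bad, alg_first: false), attempt(bad, alg_first: true)
```

With the algorithm check first, the rejected token never reaches the keyfinder and the error names the real cause.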
