Raise IncorrectAlgorithm if token has no alg header #411
Conversation
|
Hello, @bouk! This is your first Pull Request that will be reviewed by SourceLevel, an automatic Code Review service. It will leave comments on this diff with potential issues and style violations found in the code as you push new commits. You can also see all the issues found on this Pull Request on its review page. Please check our documentation for more information. |
|
SourceLevel has finished reviewing this Pull Request and has found:
|
![sourcelevel-bot[bot]](https://avatars.githubusercontent.com/in/597?s=60&v=4){kind=small}
| @@ -34,6 +34,7 @@ def decode_segments | |||
|
|
|||
| def verify_signature | |||
| raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty? | |||
| raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless header['alg'] | |||
There was a problem hiding this comment.
JWT::Decode#verify_signature calls 'header['alg']' 2 times
|
Thanks for the fix. As long as the alg header is required by the validation i think this is a great change. In general I think the alg header should be of almost no relevance and maybe we should make it less important when validating the signature. |
Closes #410