Add a verify(token, algorithm, verificationKey) method as per this posting regarding vulnerabilities in jwt: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
#14 · Open · nethermead opened this issue Apr 1, 2015 · 3 comments
It's good that you don't support the 'none' algorithm as per the JWT spec, but if the algorithm used can't be enforced by the server, exploits are feasible.
Passing the algorithm should be shown in the readme, which someone has already recommended in #16. (In my opinion passing the algorithm should be required.) This issue caused a fairly severe security hole in my application because I use RS256.
No description provided.
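One way to implement the `verify(token, algorithm, verificationKey)` call this issue asks for, as an added Python sketch that is not the library's own code: the caller pins the algorithm, and the token header's `alg` is only compared against it. It covers the HMAC family only; `sign`, `InvalidToken` and the helper names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumed names throughout; HMAC family only, the same pinning applies to RS256.
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class InvalidToken(Exception):
    """Raised for any token that fails verification."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign(payload: dict, algorithm: str, key: bytes) -> str:
    """Build a constructed sample token, used here only to exercise verify()."""
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in ({"alg": algorithm, "typ": "JWT"}, payload))
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_DIGESTS[algorithm]).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, algorithm: str, verification_key: bytes) -> dict:
    """Verify with the algorithm the caller pins, never the one the token names."""
    if algorithm not in HMAC_DIGESTS:  # also rejects "none"
        raise InvalidToken("caller requested an unsupported algorithm")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError as exc:
        raise InvalidToken("malformed token") from exc
    # The header's alg is only compared with the pinned value; it selects nothing.
    if not isinstance(header, dict) or header.get("alg") != algorithm:
        raise InvalidToken("token alg does not match the expected algorithm")
    expected = hmac.new(verification_key, signing_input, HMAC_DIGESTS[algorithm]).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
```

The algorithm check runs before any signature computation, so a token whose header names a different algorithm is rejected without the key ever being used under that algorithm.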