Library not secure ?

[albertbuchard]

From what I can see, jwt-simple is not secure against chosen message attacks, why not use crypto.createCipheriv( algorithm, key, iv, options ) ?

Passing a random IV on each request ensures the key is secure.

[DevBrent]

This library signs or hashes the JWT it does not offer an encrypted copy of the key. For these use cases the algorithms are asymmetric and irreversible and not vulnerable to known message attacks so long as the key is of sufficient complexity (NIST recommends 3072 bits as of 2021).