Current behavior
Currently, when jwt.decode() gets a noVerify argument with ANY value except false, the signature is not verified.
Issue
This could be a problem if a developer is confused and passes a value like 'HS256' (the algorithm) instead of the noVerify boolean value, e.g.

```js
user = jwt.decode(token, secret, 'HS256')
```

In this case the signature is not being verified, which could lead to authentication bypass.
Suggested Behavior
Signature verification is only skipped if the value of noVerify is true and is not skipped for any other value, e.g. a string like 'HS256'.
Reproduction steps:
- Create a token:

```js
const jwt = require('jwt-simple');

const secretKey = process.env.JWT_SECRET;
const username = "test1";
// encode(payload, key, algorithm)
const token = jwt.encode({ username }, secretKey, 'HS256');
```

- Now try to decode with a different secret with the value of noVerify set to anything except false. This will work, allowing fake tokens to look like they were successfully verified:

```js
// decode(token, key, noVerify, algorithm): 'HS256' lands in the noVerify slot
const decoded = jwt.decode(token, "wrong_secret", 'HS256');
```