adam-hanna / jwt-auth

This package provides json web token (jwt) middleware for goLang http servers
MIT License
231 stars 43 forks

verify request jwt alg every time #4

Closed se77en closed 8 years ago

se77en commented 8 years ago

Ref: Critical vulnerabilities in JSON Web Token libraries

The main changes: https://github.com/adam-hanna/jwt-auth/pull/4/files#diff-6f8ed8d198ab9102a6690c6b49d249c6R330

Plus go fmt code.

adam-hanna commented 8 years ago

Excellent!

Thanks for this. Also, thanks for linting the code.

What are your thoughts on checking the signing alg every time there is a "ParseWithClaims"? Or maybe when a new auth token is being generated from the refresh token (and therefore, the refresh token is being parsed)?

se77en commented 8 years ago

According to Auth0's blog, an attacker can modify the request header. If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC secret key.

And also, the refresh token must be verified every time the auth token is expired.
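The key-confusion attack described in the comment above, and the alg check asked about in the previous comment, worked through in stand-alone Go. This is an added example, not code from jwt-auth or from this PR: it is a minimal JWS verifier built on the standard library only, shaped like the libraries in the Auth0 write-up, where the server holds its verification key as PEM bytes and the token's own `alg` header decides how those bytes are used. All names here (`verify`, `signHS256`, `signRS256`, `Demo`) and the `expectedAlg` parameter are this example's own, not jwt-auth's API.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

func segment(v interface{}) string {
	raw, _ := json.Marshal(v)
	return b64.EncodeToString(raw)
}

// signHS256 is the attacker's side: HMAC-SHA256 keyed with any bytes they choose.
func signHS256(secret []byte, claims map[string]interface{}) string {
	input := segment(map[string]string{"alg": "HS256"}) + "." + segment(claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// signRS256 is the legitimate issuer's side (RSASSA-PKCS1-v1_5 with SHA-256).
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) string {
	input := segment(map[string]string{"alg": "RS256"}) + "." + segment(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// verify checks a compact JWS against keyPEM. With expectedAlg == "" it trusts the token's
// own alg header (the vulnerable behaviour); otherwise any other alg is rejected up front.
func verify(token string, keyPEM []byte, expectedAlg string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return err
	}
	if expectedAlg != "" && hdr.Alg != expectedAlg {
		return fmt.Errorf("alg %q rejected, server expects %s", hdr.Alg, expectedAlg)
	}
	input := []byte(parts[0] + "." + parts[1])
	switch hdr.Alg {
	case "HS256":
		// The PEM bytes loaded as an RSA public key are silently reused as the HMAC secret.
		mac := hmac.New(sha256.New, keyPEM)
		mac.Write(input)
		if !hmac.Equal(mac.Sum(nil), raw[2]) {
			return fmt.Errorf("HMAC mismatch")
		}
		return nil
	case "RS256":
		block, _ := pem.Decode(keyPEM)
		if block == nil {
			return fmt.Errorf("verification key is not PEM")
		}
		pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
		pub, ok := pubAny.(*rsa.PublicKey)
		if err != nil || !ok {
			return fmt.Errorf("verification key is not an RSA public key")
		}
		digest := sha256.Sum256(input)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2])
	}
	return fmt.Errorf("unsupported alg %q", hdr.Alg)
}

// Demo forges an HS256 token with the server's own public key and runs it past both verifiers.
func Demo() (naiveAcceptsForged, pinnedAcceptsForged, pinnedAcceptsGenuine bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if crypto/rand is broken
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}) // what the server loads from disk
	forged := signHS256(pubPEM, map[string]interface{}{"sub": "admin"}) // attacker needs only the public key
	genuine := signRS256(priv, map[string]interface{}{"sub": "alice"})
	return verify(forged, pubPEM, "") == nil, verify(forged, pubPEM, "RS256") == nil, verify(genuine, pubPEM, "RS256") == nil
}

func main() {
	fmt.Println(Demo()) // true false true
}
```

The naive verifier accepts the forged token because nothing ties the key material to an algorithm: the attacker picks `HS256`, and the bytes the server loaded as an RSA public key become the HMAC secret. Pinning the algorithm from server-side configuration and comparing it to the header before touching the key closes this regardless of what the header says, while a genuine RS256 token still verifies. In jwt-go, the library `ParseWithClaims` comes from, the natural place for that comparison is the `Keyfunc`, checking `token.Method` rather than trusting the raw header; the same check belongs on every parse, including the refresh-token parse that mints a new auth token.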

adam-hanna commented 8 years ago

Great, thanks for this!

Sorry, I hadn't seen that you were checking the alg when issuing a new auth token. Thanks for that.

Merged. Thanks again!

se77en commented 8 years ago

My pleasure, and this repo is easy to use and awesome~