frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0

Review code in response to common alg vulnerability #5

Closed alexanderkjeldaas closed 9 years ago

alexanderkjeldaas commented 9 years ago

I have gone through all the jwt libraries on hackage, and it seems like this one actually has typed keys, and thus might be protected against this common vulnerability:

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

An audit of some sort and a signoff that the library is OK is needed.

frasertweedale commented 9 years ago

I believe that this implementation is not affected by either of the vulnerabilities outlined in the post. Nevertheless, please note the disclaimer of warranty in the license.

Thank you for bringing this matter to my attention!
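As an added example (not code from this thread or from the hs-jose library), the following Python verifier shows what "typed keys" buy against the two issues in the linked post: the expected algorithm is derived from the key's type rather than read from the token's untrusted header, so an `alg: none` token and an HS256 signature presented against an RSA public key are both refused. The `Key` class, the kind names and the sample secret are constructed for this example; RS256 verification itself is omitted because it would need an RSA library.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Key:
    """Constructed 'typed key': the kind decides which algorithm is acceptable."""
    kind: str        # "oct" = symmetric HMAC secret, "RSA" = public key (verify only)
    material: bytes


# The algorithm is a property of the key, never of the untrusted token header.
ALG_FOR_KIND = {"oct": "HS256", "RSA": "RS256"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: Key) -> str:
    """Issue an HS256 token; only a symmetric ('oct') key may sign."""
    assert key.kind == "oct"
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key.material, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify(token: str, key: Key) -> Optional[dict]:
    """Return the claims if the token is valid for this key, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None          # malformed token: wrong segment count, bad base64/JSON
    expected = ALG_FOR_KIND.get(key.kind)
    if not isinstance(header, dict) or expected is None or header.get("alg") != expected:
        return None          # rejects "none" and an HS256 token offered to an RSA key
    if expected == "HS256":
        good = hmac.new(key.material, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    return None              # assumption: RS256 needs an RSA library, not shown here
```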