If the token supplied to the verify function is has a signature which
is an empty-string, the key is ignored, presuming that the token is
unsigned and that the calling code is not interested in ensuring the
token has been signed.
If the calling code is trying to verify that the token was signed with
their secret key, it is possible for a completely unsigned token to be
accepted as valid.
This patch adds a check to ensure that if the token is unsigned, but a
non-empty key was supplied to validate, then the token is considered
to not be valid.
If the token supplied to the
verify
function is has a signature which is an empty-string, the key is ignored, presuming that the token is unsigned and that the calling code is not interested in ensuring the token has been signed.If the calling code is trying to verify that the token was signed with their secret key, it is possible for a completely unsigned token to be accepted as valid.
This patch adds a check to ensure that if the token is unsigned, but a non-empty key was supplied to
validate
, then the token is considered to not be valid.See github issue https://github.com/liquidz/clj-jwt/issues/8