This article has a serious security concern. If the advice is followed, it can leave the server open to attack.
The article is a good overview of JWT and how to generate and inspect JWTs. However, someone reading might naievely use the examples without context as a basis for actual production code.
In the section " Find out the algorithm used in a JWT", it has the following code:
# saving the header claims into a variable
header_data = jwt.get_unverified_header(token)
# using that variable in the decode method
jwt.decode(
token,
key='my_super_secret',
algorithms=[header_data['alg'], ]
)
The vulnerability here is that the JWT token could contain the alg “none”. This would bypass signature validation and allow an attacker to forge any token without having to know the secret.
RFC 8725 has best practices for JWT tokens:
2.1 “The algorithm can be changed to “none” by an attacker, and some libraries would trust this value and “validate” the JWT without checking any signature.”
3.1 “each key MUST be used with exactly one algorithm, and this MUST be checked when the cryptographic operation is performed.”
I recommend changing the examples to remove any usage of algorithms=[header_data['alg'], ]. Someone blindly copy/pasting would not understand the implications of this.