decode(): Only decodes the token from base64url encoding without verifying the signature.
verify(): Decodes the token and verifies the signature.
decode()does NOT verify the signature at all. Sometimes developers might mix up these methods.
nonealgorithm is accepted by the server, then the signature won't be verified at all. That is, anyone can forge a malicious JWT and the server will accept it blindly. This is a dumb vulnerability, just disable the
verify()which takes two arguments depending on user-specified algorithm:
verify(token, secret)– if the user-specified algorithm is HS256
verify(token, public_key)– if the user-specified algorithm is RS256
verify()does NOT check whether the received token is signed using the application's expected algorithm. Suppose the server uses RS256. If the public key is accessible within the application, an attacker can forge malicious tokens by:
verify()method will treat the public key as an HMAC shared secret and use symmetric rather than asymmetric encryption. This means that the token will be signed using the application’s non-secret public key and then verified using the same public key.