If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all), an attacker can forge it and impersonate user identities.
- Don't use the "none" algorithm to sign or verify the validity of a token.
- Don't use a token without first verifying its signature.
Noncompliant Code Example
For pyjwt module:
import jwt
jwt.decode(token, verify=False) # Noncompliant: legacy pyjwt 1.x flag that skips signature verification
jwt.decode(token, key, options={"verify_signature": False}) # Noncompliant: the payload is returned without any check
For python_jwt module:
import python_jwt as jwt
jwt.process_jwt(token) # Noncompliant: only parses the token, it never checks the signature
Compliant Solution
For pyjwt module:
import jwt
jwt.decode(token, key, algorithms=["HS256"]) # Compliant: signature verified against an explicit algorithm allow-list
For python_jwt module:
import python_jwt as jwt
jwt.process_jwt(token) # Compliant because followed by verify_jwt()
jwt.verify_jwt(token, key, allowed_algs=["HS256"]) # Raises if the signature or algorithm is not acceptable
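To show what the compliant verification actually checks, here is an added standard-library example (not SonarSource's, pyjwt's or python_jwt's code): an HS256 verifier that enforces an algorithm allow-list, rejects "none", and only returns the payload after a constant-time signature check. The key, the allow-list and the test helper sign_jwt are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # constructed allow-list; "none" is never accepted


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips from base64url segments.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Test helper: build an HS256-signed token (HS256 only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, allowed_algs=ALLOWED_ALGS):
    """Return the payload only if the signature verifies, else None.

    Mirrors the rule: the algorithm must be on the caller's allow-list,
    "none" is refused, and the payload is not trusted before verification.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in allowed_algs or alg == "none":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(body_b64))
    except ValueError:
        return None
```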
See