--alg should be required when performing signature validation #134
Description
When no algorithm is given during signature validation, HS256 is used by default. This leads to an error message stating that the JWT has a different algorithm than the one the user provided. PR #133 improves on this by showing the algorithm specified in the JWT and the algorithm used for signature validation (HS256 per default) but still, this is not ideal.
I would therefore suggest to require the --alg parameter when a secret is given (-S).
Current behavior:
$ JWT=`cargo run -- encode '{"field":"value"}' --secret 1234567890 --alg 'HS512' --exp '+1 year'`
$ cargo run -- decode -S 1234567890 $JWT
The JWT provided has a different signing algorithm than the one you provided
Token header
------------
{
"typ": "JWT",
"alg": "HS512"
}
Token claims
------------
{
"exp": 1657552783,
"field": "value",
"iat": 1625995831
}Expected behavior:
$ JWT=`cargo run -- encode '{"field":"value"}' --secret 1234567890 --alg 'HS512' --exp '+1 year'`
$ cargo run -- decode -S 1234567890 $JWT
error: The following required arguments were not provided:
--alg <algorithm>Even better, it would be nice to allow for specifying multiple valid algorithms like this:
$ cargo run -- decode -S 1234567890 --algs HS256,HS384,HS512 $JWT