Detected use of the `'none'` algorithm in a JWT token; use a signed algorithm such as `'HS256'` instead

Python pattern

Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the token's integrity has already been verified elsewhere, so a malicious actor could forge a JWT that is then accepted without any check. Do not explicitly use the 'none' algorithm; instead, use a signed algorithm such as 'HS256'.

references


Apply with the Grit CLI
grit apply jwt_python_none_algorithm

algorithm='none'

BEFORE
import jwt

def bad1():
    # Flagged by the rule: algorithm='none' issues a token whose integrity is
    # simply assumed (see the description above), so anyone able to write a
    # payload can produce a token that downstream code will accept.
    encoded = jwt.encode({'some': 'payload'}, None, algorithm='none')
    return encoded
AFTER
import jwt

def bad1():
    # Fixer output: the algorithm is now HS256, but the key argument is still
    # None. HS256 signs with a shared secret, so this is not yet a complete fix;
    # the caller must supply a real signing key (compare `ok(secret_key)` below).
    encoded = jwt.encode({'some': 'payload'}, None, algorithm='HS256')
    return encoded

algorithms=['none']

BEFORE
import jwt

def bad2(encoded):
    # Flagged by the rule: allowing 'none' on decode means a token that was
    # never signed is treated as verified, so a forged token passes this call.
    # Note the decoded claims are discarded; only the raw input is returned.
    jwt.decode(encoded, None, algorithms=['none'])
    return encoded
AFTER
import jwt

def bad2(encoded):
    # NOTE(review): every other decode example on this page passes
    # `algorithms=[...]` (a list), while this rewrite passes `algorithm='HS256'`.
    # That looks like a typo in the fixer output -- confirm which keyword PyJWT's
    # decode actually honors. The key is also still None here.
    jwt.decode(encoded, None, algorithm='HS256')
    return encoded

algorithm='HS256'

PYTHON
import jwt

def ok(secret_key):
    # Not flagged: a concrete signing algorithm plus a caller-supplied key.
    # The secret is presumably loaded by the caller from configuration or a
    # secret store rather than hard-coded -- that is outside this rule's scope.
    encoded = jwt.encode({'some': 'payload'}, secret_key, algorithm='HS256')
    return encoded

algorithms=["none", "other", "HS256"]

BEFORE
import jwt

def bad2(encoded):
    # Flagged by the rule: 'none' anywhere in the accepted list is enough. An
    # allowlist that includes 'none' lets an unsigned token through regardless
    # of the stronger entries beside it.
    jwt.decode(encoded, None, algorithms=["none", "other", "HS256"])
    return encoded
AFTER
import jwt

def bad2(encoded):
    # Fixer output: 'none' is removed and the remaining entries are kept
    # verbatim (the stray space after `[` is how the fixer leaves it). "other"
    # is presumably a placeholder name from the example, and the key is still
    # None -- neither is something this rule checks.
    jwt.decode(encoded, None, algorithms=[ "other", "HS256"])
    return encoded

algorithms=["HS256"]

PYTHON
import jwt

def bad2(encoded):
    # Not flagged: the allowlist names a single concrete algorithm. The function
    # keeps the `bad2` name from the earlier examples; only the algorithms list
    # differs. The rule appears to inspect only that argument, not the None key.
    jwt.decode(encoded, None, algorithms=["HS256"])
    return encoded

algorithms=["none", "md5"]

BEFORE
import jwt

def bad2(encoded):
    # Flagged by the rule because of 'none'. "md5" is not a registered JWS
    # algorithm name either, but this rule only targets 'none' and leaves the
    # other entries alone (see the AFTER listing below).
    jwt.decode(encoded, None, algorithms=["none", "md5"])
    return encoded
AFTER
import jwt

def bad2(encoded):
    # Fixer output: 'none' removed; "md5" survives unchanged because the rule
    # does not validate the remaining entries. A reviewer should still replace
    # it with a real algorithm (e.g. "HS256", as in the `ok` example).
    jwt.decode(encoded, None, algorithms=[ "md5"])
    return encoded