If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user identities.
Do not use the none algorithm to sign or verify the validity of a token, and do not skip signature verification. For the pyjwt module, the following calls are noncompliant:
jwt.decode(token, verify = False) # Noncompliant
jwt.decode(token, key, options={"verify_signature": False}) # Noncompliant
For python_jwt module:
jwt.process_jwt(token) # Noncompliant
Compliant solution for the pyjwt module:
jwt.decode(token, key, algorithms=algo) # Compliant: the signature is verified and algo is an explicit allow-list such as ["HS256"]
Compliant solution for the python_jwt module:
jwt.process_jwt(token) # Compliant because followed by verify_jwt()
jwt.verify_jwt(token, key, algo)
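To make concrete why the noncompliant calls above are dangerous, here is an added, self-contained example (not code from the rule page, pyjwt or python_jwt) that implements HS256 JWT verification with only the standard library. The key DEMO_KEY and the payloads are constructed for the demonstration. The verifier enforces its own algorithm allow-list, so a token whose header declares "alg": "none" or that carries a tampered payload is rejected, which is exactly the check that verify=False and verify_signature=False disable.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads the key from a secrets store.
DEMO_KEY = b"demo-secret-key-not-for-production"
# The verifier decides which algorithms are acceptable, never the token header.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token signed with HMAC-SHA256 over header.payload."""
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the payload only if the token has a valid signature under an allowed algorithm.

    Raises ValueError for 'alg': 'none', unknown algorithms, missing or invalid signatures.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in allowed_algs:
        # Covers the 'none' algorithm and any algorithm the verifier did not opt into.
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def unsigned_token(payload: dict) -> str:
    """Constructed test vector: a token with 'alg': 'none' and an empty signature."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(payload)}."


def tamper_payload(token: str, new_payload: dict) -> str:
    """Constructed test vector: keep header and signature, swap in another payload."""
    header_b64, _old_payload, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_part(new_payload)}.{sig_b64}"


def is_rejected(token: str, key: bytes) -> bool:
    """True if verify_jwt refuses the token."""
    try:
        verify_jwt(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice"}, DEMO_KEY)
    print("valid token payload:", verify_jwt(good, DEMO_KEY))
    print("alg none rejected:", is_rejected(unsigned_token({"sub": "admin"}), DEMO_KEY))
    print("tampered payload rejected:", is_rejected(tamper_payload(good, {"sub": "admin"}), DEMO_KEY))
    print("wrong key rejected:", is_rejected(good, b"some-other-key"))
```

A library call that disables verification is equivalent to skipping everything in verify_jwt after the split: the payload is trusted as-is, so the unsigned and tampered test vectors above would be accepted.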