If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all), an attacker can forge it and impersonate user identities.

Noncompliant Code Examples

For pyjwt module:

jwt.decode(token, verify=False)  # Noncompliant
jwt.decode(token, key, options={"verify_signature": False})  # Noncompliant

For python_jwt module:

jwt.process_jwt(token)  # Noncompliant

Compliant Solution

For pyjwt module:

jwt.decode(token, key, algo)  # Compliant: signature verified with key and the expected algorithm(s)

For python_jwt module:

jwt.process_jwt(token)  # Compliant because followed by verify_jwt()
jwt.verify_jwt(token, key, algo)
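
The following is an added example, not part of the rule text and not the code of pyjwt or python_jwt: a minimal HS256 verifier built on the Python standard library that makes visible the check the noncompliant calls skip (reading the payload without recomputing the signature) and the checks the compliant calls perform (algorithm allow-list, constant-time HMAC comparison). Function names and the sample key are assumptions chosen for the demonstration.

```python
# Added example: stdlib-only illustration of what "verify the signature" means for an
# HS256 JWT. Not the implementation used by pyjwt or python_jwt.
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    # Builds a constructed token for the demonstration: header.payload.signature.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def decode_unverified(token: str) -> dict:
    # Mirrors jwt.decode(token, verify=False) or process_jwt() alone: the payload is
    # read and trusted without any signature check, so a modified token is accepted.
    return json.loads(b64url_decode(token.split(".")[1]))


def decode_verified(token: str, key: bytes) -> dict:
    # Mirrors the compliant form: only the expected algorithm is accepted (so an
    # "alg": "none" header is rejected), and the HMAC is recomputed and compared in
    # constant time before any claim is returned.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(payload_b64))
```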

See