Change jwt.decode to jwt.verify

[shahzore-qureshi]

Description

In the documentation for the "jsonwebtoken" library, it gives the following warning for the function jwt.decode:

---

https://www.npmjs.com/package/jsonwebtoken

Warning: This will not verify whether the signature is valid. You should not use this for untrusted messages. You most likely want to use jwt.verify instead.

---

Therefore, to ensure that the signature is valid, the jwt.verify should be called, not jwt.decode.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

This has not been tested.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• My code has been reviewed by at least one peer
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[james-wallis]

FYI @ahrjarrett I came across this in your blog post https://ahrjarrett.com/posts/2019-02-08-resetting-user-passwords-with-node-and-jwt. Spent a while trying to work out why I was able to re-use the same link even though the password had changed in the database.

With the combination of the user’s password hash and createdAt date the JWT becomes a one-time-use token, because once the user has changed her password, successive calls to that route will generate a new password hash, invalidating the secret key which references the defunct password.

The example you give has the same call to decode (its the same code after all)

[dayadam]

This needs to change