Summary
As of 2.2.1, Decode#verify_signature evaluates &@keyfinder before validating algorithm. This is quite inefficient and results in misleading failure messages (see reasoning below). I propose we move algorithm validation before finding the key so that we don't waste our time evaluating key finder when we know the algorithm is wrong.
Reasoning
- Key finder evaluation is usually used for supporting features like JWKS, where a network call needs to be made to get a public key. Making network calls can often be expensive for Ruby applications. Therefore it makes sense to do the cheaper checks such as alg validation first. The performance impact of this can be especially significant in applications where multiple types of token are accepted.
- A token with the wrong algorithm is most likely never gonna find the right key. In this case, the exception should clearly indicate the issue with the incorrect algorithm and raise JWT::IncorrectAlgorithm instead of JWT::DecodeError, 'No verification key available'.
Please let me know if you are willing to accept a PR on this.
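The ordering proposed above, written out as a small added Ruby illustration (not ruby-jwt's own code; the JwtOrder module, its helpers and the sample tokens are constructed for this example, only the exception class names mirror the issue):

```ruby
require 'json'

# Added illustration of "validate alg before running the key finder".
# Not ruby-jwt's code; exception names mirror those quoted in the issue.
module JwtOrder
  class DecodeError < StandardError; end
  class IncorrectAlgorithm < DecodeError; end

  # base64url (RFC 4648 section 5) without padding, via strict base64.
  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0')
  end

  # Parse the JOSE header only; nothing is trusted or verified here.
  def self.header_of(token)
    JSON.parse(b64url_decode(token.split('.').first))
  end

  # Proposed order: reject a disallowed "alg" first, so the (possibly
  # network-bound) key finder is never invoked for a wrong-algorithm token
  # and the caller gets IncorrectAlgorithm rather than a key-lookup error.
  # Signature checking itself is out of scope for this illustration.
  def self.verify_signature(token, algorithms:, &keyfinder)
    alg = header_of(token)['alg']
    unless algorithms.include?(alg)
      raise IncorrectAlgorithm, "Expected #{algorithms.join(',')}, got #{alg}"
    end
    key = keyfinder.call(header_of(token))
    raise DecodeError, 'No verification key available' if key.nil?
    key
  end

  # Constructed sample: well-formed token with a dummy signature segment.
  def self.sample_token(alg)
    header  = b64url_encode({ 'alg' => alg, 'typ' => 'JWT' }.to_json)
    payload = b64url_encode({ 'sub' => 'demo' }.to_json)
    "#{header}.#{payload}.sig"
  end
end
```

Counting key finder invocations in a test shows the saving: a token whose alg is not in the allow list raises IncorrectAlgorithm with the finder never called, while an allowed alg reaches the finder exactly once.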