Specify algorithm when decoding.

rdm3an · Jun 12, 2017 · 8084900 · 8084900
1 parent 6e392e1
commit 8084900
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/app/lib/login_token.rb b/app/lib/login_token.rb
@@ -18,16 +18,16 @@ def self.decode(token: nil)
     end
 
     begin
-      payload, _config = JWT.decode(token, self.secret_key, 'HS256')
+      payload, _config = JWT.decode(token, self.secret_key, true, { algorithm: 'HS256' })
     rescue JWT::ExpiredSignature
       # If the token has expired, try again to decode it, but with expiration
       # checking turned off, so we can tell who tried to log in.
       begin
-        payload, _config = JWT.decode(token, self.secret_key, true, verify_expiration: false)
-        
+        payload, _config = JWT.decode(token, self.secret_key, true, { algorithm: 'HS256', verify_expiration: false })
+
         user_id = payload['data']['user_id']
         user = User.find_by(id: user_id)
-        
+
         if user.blank?
           return false
         else