Fix possible vulnerability with decoding tokens (refs #39)

Author: vimalloc

flask_jwt_extended/tokens.py

@@ -88,7 +88,7 @@ def decode_jwt(encoded_token, secret, algorithm, csrf):
     :return: Dictionary containing contents of the JWT
     """
     # This call verifies the ext, iat, and nbf claims
-    data = jwt.decode(encoded_token, secret, algorithm=algorithm)
+    data = jwt.decode(encoded_token, secret, algorithms=[algorithm])
 
     # Make sure that any custom claims we expect in the token are present
     if 'jti' not in data:

tests/test_protected_endpoints.py

@@ -385,6 +385,22 @@ def bad_logout():
         with self.assertRaises(RuntimeWarning):
             client.post('/logout-bad')
 
+    def test_jwt_with_different_algorithm(self):
+        self.app.config['JWT_ALGORITHM'] = 'HS256'
+        self.app.secret_key = 'test_secret'
+        access_token = encode_access_token(
+            identity='bobdobbs',
+            secret='test_secret',
+            algorithm='HS512',
+            expires_delta=timedelta(minutes=5),
+            fresh=True,
+            user_claims={},
+            csrf=False
+        )
+        status, data = self._jwt_get('/protected', access_token)
+        self.assertEqual(status, 422)
+        self.assertIn('msg', data)
+
 
 class TestEndpointsWithCookies(unittest.TestCase):