== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

https://www.npmjs.com/package/jsonwebtoken[jsonwebtoken] library:

[source,javascript]
----
const jwt = require('jsonwebtoken');

let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: 'none' cipher doesn't sign the JWT (no signature will be included)

jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: 'none' cipher should not be used when verifying JWT signature
----

=== Compliant solution

https://www.npmjs.com/package/jsonwebtoken[jsonwebtoken] library:

[source,javascript]
----
const jwt = require('jsonwebtoken');

let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'HS256' }); // Compliant

jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['HS256'] }, callbackcheck); // Compliant
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Highlighting

* primary location: the call to sign/verify method
* secondary location: on the incorrect option argument (third argument)
** message: 'The "algorithms" option should be defined and should not contain 'none'.'


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]