rspec/rules/S5659/python/how-to-fix-it/python-jose.adoc

== How to fix it in python-jose

=== Code examples

include::../../common/fix/code-rationale-decode.adoc[]

==== Noncompliant code example

[source,python,diff-id=111,diff-type=noncompliant]
----
from jose import jwt

jwt.decode(token, None, options={"verify_signature": False}) # Noncompliant
----

==== Compliant solution

By default, verification is enabled for the methods `decode` and `verify`.

[source,python,diff-id=111,diff-type=compliant]
----
from jose import jwt

jwt.decode(token, key, algorithms=["HS256"])
----

=== How does this work?

include::../../common/fix/decode.adoc[]

=== Going the extra mile

include::../../common/extra-mile/key-storage.adoc[]

include::../../common/extra-mile/key-rotation.adoc[]