drlippman / IMathAS

IMathAS Online Math Assessment

JWT::decode fails in embedq2.php due to missing statesecret #389

Open MathTV opened 1 year ago

MathTV commented 1 year ago

$statesecret is not passed to the decode method at line 39:

```php
    // verification using 'auth' is built-into the JWT method
    $QS = json_decode(json_encode(JWT::decode($_REQUEST['jwt'])), true);
```

Adding $statesecret eliminates decode error:

```php
    // verification using 'auth' is built-into the JWT method
    $QS = json_decode(json_encode(JWT::decode($_REQUEST['jwt'], $statesecret)), true);
```

drlippman commented 1 year ago

Sorry for taking so long in getting back to you about this.

I'm not sure what error you're talking about. I haven't run into any error with any of my testing with embedq2.

I was just looking into it, and it looks like only the state is intended to be encoded/decoded using $statesecret. Line 39 is decoding the wrapping JWT, which contains the encoded state, but the wrapping JWT itself isn't meant to be encoded or decoded using $statesecret. Instead, it's either encoded with no key (for practice use), or the JWT should include an auth key (for more secure scenarios), in which case the JWT decode method automatically looks up the associated key during the decode process.

The $statesecret is meant to be something only the site hosting embedq2 knows, while the JWT auth key is a shared secret between the page hosting embedq2 and the page embedding it.
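As an added illustration of the two-key design drlippman describes (example code, not IMathAS's own JWT class; `jwt_encode`, `jwt_decode` and `$authKeys` are hypothetical names and the secrets are constructed samples): the wrapping JWT is verified with the shared key selected by its `auth` claim, and only the inner state is decoded with `$statesecret`.

```php
<?php
// Toy HS256 JWT helpers (not IMathAS code) showing the two-key layout from the thread.
function b64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64url_dec(string $s): string { return (string) base64_decode(strtr($s, '-_', '+/')); }

function jwt_encode(array $payload, ?string $key): string {
    $head = b64url(json_encode(['alg' => $key === null ? 'none' : 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($payload));
    $sig  = $key === null ? '' : b64url(hash_hmac('sha256', "$head.$body", $key, true));
    return "$head.$body.$sig";
}

// $key: explicit key (used for the state, i.e. $statesecret). If null, a payload
// 'auth' claim selects a shared key from $authKeys; with neither, the token is
// unsigned and should only be trusted for practice use. The header 'alg' is
// deliberately ignored: the key choice, not the token, decides whether we verify.
function jwt_decode(string $jwt, ?string $key, array $authKeys = []): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed JWT');
    [$head, $body, $sig] = $parts;
    $payload = json_decode(b64url_dec($body), true);
    if (!is_array($payload)) throw new RuntimeException('bad payload');
    if ($key === null && isset($payload['auth'])) {
        if (!isset($authKeys[$payload['auth']])) throw new RuntimeException('unknown auth key');
        $key = $authKeys[$payload['auth']];
    }
    if ($key !== null) {
        $expected = b64url(hash_hmac('sha256', "$head.$body", $key, true));
        if (!hash_equals($expected, $sig)) throw new RuntimeException('bad signature');
    }
    return $payload;
}

// Constructed sample: one shared secret per embedding site, plus the host-only state secret.
$authKeys    = ['site-A' => 'shared-secret-with-site-A'];
$statesecret = 'known-only-to-embedq2-host';

// The host encodes the state with $statesecret; the embedding page wraps it in a
// JWT signed with the shared key named by its 'auth' claim.
$state = jwt_encode(['qid' => 12, 'seed' => 4321], $statesecret);
$outer = jwt_encode(['auth' => 'site-A', 'state' => $state], $authKeys['site-A']);

// Decoding the wrapper does not involve $statesecret; the 'auth' claim picks the key.
$QS = jwt_decode($outer, null, $authKeys);
// Only the inner state is decoded with $statesecret.
$stateData = jwt_decode($QS['state'], $statesecret);
echo json_encode($stateData), "\n";
```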