by rahkiin
3619 days ago
You don't know who the user is until you verified the integrity of the JWT. Verifying the integrity requires the secret. Your solution adds the dependency: the secret requires the user. It is cyclic, unsolvable without breaking a constraint. You could assume the username is correct, then get the secret, validate. But that sounds like something breakable.
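The "assume the username, fetch that user's secret, then validate" pattern the comment describes, as an added example (not the commenter's code). The per-user key store and the HS256 helper are constructed for illustration; the point shown is that the `sub` claim read before verification is untrusted and may only select a key, and that a token signed with a different user's secret fails because the signature is bound to whatever secret the claimed name selects.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed per-user secrets (hypothetical key store, not from the thread).
USER_SECRETS = {
    "alice": b"alice-secret-key-constructed",
    "bob": b"bob-secret-key-constructed",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT for the given payload (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_per_user(token: str) -> Optional[dict]:
    """Return verified claims, or None if the token is not accepted."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The algorithm is fixed by the verifier; the token never gets to choose it.
    if header.get("alg") != "HS256":
        return None
    # The claimed subject is UNVERIFIED at this point; it only selects a key.
    secret = USER_SECRETS.get(claims.get("sub"))
    if secret is None:
        return None
    # Verify over the original segments, not a re-serialized copy.
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    # Only now is claims["sub"] trustworthy: the valid signature proves the
    # body was signed with the secret that this very name selected.
    return claims
```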