From d06359ef3b4e619680e043ee7c16adda16598f52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?=
Date: Thu, 11 Aug 2016 13:22:15 -0300
Subject: [PATCH] Revert "Merge branch 'venatir-master'"
This reverts commit d66d4ebd3e7620453671f9930801900a22ff4f80, reversing changes made to 5117aacd0118a10331889a64e61d8186112d8a23.
---
 test/verify.tests.js | 10 +++++-----
 verify.js | 8 +++++++-
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/test/verify.tests.js b/test/verify.tests.js
index d3366d5..da8dce4 100644
--- a/test/verify.tests.js
+++ b/test/verify.tests.js
@@ -11,7 +11,7 @@ describe('verify', function() {
 var priv = fs.readFileSync(path.join(__dirname, 'priv.pem'));
 it('should first assume JSON claim set', function (done) {
- var header = { typ: 'JWT', alg: 'RS256' };
+ var header = { alg: 'RS256' };
 var payload = { iat: Math.floor(Date.now() / 1000 ) };
 var signed = jws.sign({
@@ -21,7 +21,7 @@ describe('verify', function() {
 encoding: 'utf8' });
- jwt.verify(signed, pub, function(err, p) {
+ jwt.verify(signed, pub, {typ: 'JWT'}, function(err, p) {
 assert.isNull(err);
 assert.deepEqual(p, payload);
 done();
@@ -29,7 +29,7 @@ describe('verify', function() {
 });
 it('should be able to validate unsigned token', function (done) {
- var header = { typ: 'JWT', alg: 'none' };
+ var header = { alg: 'none' };
 var payload = { iat: Math.floor(Date.now() / 1000 ) };
 var signed = jws.sign({
@@ -39,7 +39,7 @@ describe('verify', function() {
 encoding: 'utf8' });
- jwt.verify(signed, null, function(err, p) {
+ jwt.verify(signed, null, {typ: 'JWT'}, function(err, p) {
 assert.isNull(err);
 assert.deepEqual(p, payload);
 done();
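Review bot: The unsigned-token case at `jwt.verify(signed, null, {typ: 'JWT'}, function(err, p) {` pins that an `alg: 'none'` token verifies when the key is `null`, and nothing visible in these hunks pins the opposite outcome. If the file does not already have one, add a companion test asserting that the same token is rejected when a key or an `algorithms` list is supplied, so a regression that widens acceptance of unsigned tokens fails the suite. A comment above this test such as `// alg 'none' is expected to pass only because the key is null` would make the intent explicit, if that is the intended contract. The test body starts in the previous hunk and closes outside this one.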
@@ -93,7 +93,7 @@ describe('verify', function() {
 it('should not error on expired token within clockTolerance interval', function (done) {
 clock = sinon.useFakeTimers(1437018584000);
- var options = {algorithms: ['HS256'], clockTolerance: 100};
+ var options = {algorithms: ['HS256'], clockTolerance: 100}
 jwt.verify(token, key, options, function (err, p) {
 assert.isNull(err);
diff --git a/verify.js b/verify.js
index 828e61e..a0950e0 100644
--- a/verify.js
+++ b/verify.js
@@ -96,7 +96,13 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
 if (!valid) return done(new JsonWebTokenError('invalid signature'));
- var payload=decodedToken.payload;
+ var payload;
+
+ try {
+ payload = decode(jwtString);
+ } catch(err) {
+ return done(err);
+ }
 if (typeof payload.nbf !== 'undefined' && !options.ignoreNotBefore) {
 if (typeof payload.nbf !== 'number') {
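Review bot: The new `var options = {algorithms: ['HS256'], clockTolerance: 100}` line drops the terminating semicolon that the removed line had, so the statement now relies on automatic semicolon insertion before `jwt.verify(token, key, options, ...)`. Restore it as `var options = {algorithms: ['HS256'], clockTolerance: 100};` to match the other statements in this test.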
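Review bot: After the signature check the claims are read from a second parse, `payload = decode(jwtString);`, and the result is dereferenced at `payload.nbf` with no check that it is usable. `decode` is not visible in this hunk; if it can return `null`, the `typeof payload.nbf` line throws outside the `try` instead of reaching `done`, so a guard such as `if (payload == null) return done(new JsonWebTokenError('invalid token'));` after the `catch` would keep the failure on the callback path. The `catch` also forwards the raw error with `return done(err);` while the line above reports a `JsonWebTokenError`; wrapping it the same way keeps the error type consistent for callers. A short comment saying that the claims come from a re-decode of `jwtString` rather than from `decodedToken` would help a reader confirm that the verified bytes and the validated claims are the same. The function body starts and ends outside the hunk.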