From 55d5834f7b637011e1d8b927ff78a92a5fd521cf Mon Sep 17 00:00:00 2001
From: Mircea Danila Dumitrescu
Date: Wed, 10 Aug 2016 09:52:10 +0100
Subject: [PATCH 1/2] Removing unnecessary extra decoding. jwtString is already verified as valid and signature checked
---
 verify.js | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/verify.js b/verify.js
index a0950e0..828e61e 100644
--- a/verify.js
+++ b/verify.js
@@ -96,13 +96,7 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
 if (!valid) return done(new JsonWebTokenError('invalid signature'));
- var payload;
-
- try {
- payload = decode(jwtString);
- } catch(err) {
- return done(err);
- }
+ var payload=decodedToken.payload;
 if (typeof payload.nbf !== 'undefined' && !options.ignoreNotBefore) {
 if (typeof payload.nbf !== 'number') {
From 01903bcdc61b4ed429acbbd1fe0ffe0db364473b Mon Sep 17 00:00:00 2001
From: Mircea Danila Dumitrescu
Date: Wed, 10 Aug 2016 11:33:45 +0100
Subject: [PATCH 2/2] Fixed tests, however typ: 'JWT' should not be in the options at all, so please review other tests
---
 test/verify.tests.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/test/verify.tests.js b/test/verify.tests.js
index da8dce4..d3366d5 100644
--- a/test/verify.tests.js
+++ b/test/verify.tests.js
@@ -11,7 +11,7 @@ describe('verify', function() {
 var priv = fs.readFileSync(path.join(__dirname, 'priv.pem'));
 it('should first assume JSON claim set', function (done) {
- var header = { alg: 'RS256' };
+ var header = { typ: 'JWT', alg: 'RS256' };
 var payload = { iat: Math.floor(Date.now() / 1000 ) };
 var signed = jws.sign({
@@ -21,7 +21,7 @@ describe('verify', function() {
 encoding: 'utf8'
 });
- jwt.verify(signed, pub, {typ: 'JWT'}, function(err, p) {
+ jwt.verify(signed, pub, function(err, p) {
 assert.isNull(err);
 assert.deepEqual(p, payload);
 done();
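Review bot: The new `var payload=decodedToken.payload;` drops the JSON parsing that the removed `decode(jwtString)` call performed, so whenever `decodedToken` still carries the payload as a string — which is what jws.decode yields unless the header says `typ: 'JWT'` or JSON parsing is requested; `decodedToken` is built above the hunk, so this is inferred — `payload.nbf` on the following line is `undefined` and the not-before check is silently skipped, and the same presumably applies to the exp/aud/iss checks that follow outside the hunk. That turns a header without `typ` into a claim-validation bypass on an otherwise validly signed token; the second patch in this series effectively confirms it, since the tests only stay green after `typ: 'JWT'` is added to their headers. Parse a string payload before the claim checks instead, and reject a payload that does not parse to an object, since the checks below cannot run on anything else. The enclosing `module.exports` function starts and ends outside the hunk.
```javascript
var payload = decodedToken.payload;
// jws only JSON-parses the payload when the header carries typ: 'JWT';
// parse it here so the nbf/exp/aud/iss checks below see an object.
if (typeof payload === 'string') {
  try {
    payload = JSON.parse(payload);
  } catch (err) {
    return done(new JsonWebTokenError('jwt payload is not valid JSON'));
  }
}
if (payload === null || typeof payload !== 'object') {
  return done(new JsonWebTokenError('jwt payload must be an object'));
}
// … unchanged: nbf check and the remaining claim validation …
```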
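Review bot: Adding `typ: 'JWT'` to the header in the test named 'should first assume JSON claim set' removes exactly the case the test exists for — a JSON payload whose header carries no `typ` — so the suite no longer catches a verify.js that stops parsing such payloads. Keep `var header = { alg: 'RS256' };` here and make verify.js handle string payloads; if a typed-header case is also wanted, add it as a second `it(...)` rather than replacing this one. The `it` callback continues past the end of the hunk.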
@@ -29,7 +29,7 @@ describe('verify', function() {
 });
 it('should be able to validate unsigned token', function (done) {
- var header = { alg: 'none' };
+ var header = { typ: 'JWT', alg: 'none' };
 var payload = { iat: Math.floor(Date.now() / 1000 ) };
 var signed = jws.sign({
@@ -39,7 +39,7 @@ describe('verify', function() {
 encoding: 'utf8'
 });
- jwt.verify(signed, null, {typ: 'JWT'}, function(err, p) {
+ jwt.verify(signed, null, function(err, p) {
 assert.isNull(err);
 assert.deepEqual(p, payload);
 done();
@@ -93,7 +93,7 @@ describe('verify', function() {
 it('should not error on expired token within clockTolerance interval', function (done) {
 clock = sinon.useFakeTimers(1437018584000);
- var options = {algorithms: ['HS256'], clockTolerance: 100}
+ var options = {algorithms: ['HS256'], clockTolerance: 100};
 jwt.verify(token, key, options, function (err, p) {
 assert.isNull(err);
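Review bot: `jwt.verify(signed, null, function(err, p) {` followed by `assert.isNull(err);` pins in the suite that a token with `alg: 'none'` and no secret is accepted, but nothing here pins the negative side — that the same unsigned token is rejected when a key is supplied or when `algorithms` excludes `'none'`. Whether verify enforces that cannot be seen from this diff; a sibling case such as `jwt.verify(signed, 'shh', function(err) { assert.ok(err); done(); });` would make the accepted-`none` path an explicit, bounded exception rather than an implicit default, and would surface it immediately if verify does not reject it. The `it` callback starts before this hunk and its closing lines are outside it.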