Inconsistent use of symbol and string keys in args (exp and alrogithm).

[hesalx]

1. [Applies to <= 2.1.0, fixed in >= 2.2.0] While it is possible to use symbolized claim names everywhere, the exp claim is only validated if passed as string key to encode.

> JWT.encode({ 'exp' => 'asd' }, 'key')
JWT::InvalidPayload: exp claim must be an integer

> JWT.encode({ exp: 'asd' }, 'key')
=> "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOiJhc2QifQ.vMAZ6k88kjdSq9UW_raFMNlhBGz2L01a_4o_ZI1SCgU"

Which may lead to unexpected results:

> token = JWT.encode({ exp: "#{Time.now + 2629746}" }, 'key')
=> "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOiJhc2QifQ.vMAZ6k88kjdSq9UW_raFMNlhBGz2L01a_4o_ZI1SCgU"
> JWT.decode(token, 'key')
JWT::ExpiredSignature: Signature has expired

2. While it is possible to use string keys everywhere, algorithm/algorithms is requred to be a symbol, while being in the same options hash where string keys work perfectly fine.

> token = JWT.encode({ 'aud' => 'foo'}, 'key')
=> "eyJhbGciOiJIUzI1NiJ9.e30.FOOB1UqKAhjxqs3lV7BidJ12zFAsIGq1erQfNyaFf80"
> JWT.decode(token, 'key', true, 'aud' => 'foo', 'verify_aud' => true, 'algorithm' => 'HS384')
=> [{"aud"=>"foo"}, {"alg"=>"HS256"}] # not the allowed algorithm!

Gladly, none is not an allowed algorithm in the payload by default, but if this logic is changed in a wrongfull manner (see #323 as a possible cause of such changes, for example) it is going to create a security whole immediately regarding misued string 'algorithm' key.

Anyway, even without the known "alg none" issue, a possibility to unknowingly break algorith validation is concerning.

[hesalx]

Didn't notice we've been using sighly older verison. The first issue (exp validation) is actually fixed (can't be reproduced) in 2.2.1.

Though the alg issue is still valid for 2.2.1.