Merge pull request #160 from excpt/issue-153

Signature validation before claim verification

lib/jwt.rb

@@ -133,9 +133,6 @@ def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
 
     decoder = Decode.new jwt, key, verify, merged_options, &keyfinder
     header, payload, signature, signing_input = decoder.decode_segments
-    decoder.verify
-
-    fail(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
 
     if verify
       algo, key = signature_algorithm_and_key(header, key, &keyfinder)
@@ -145,6 +142,10 @@ def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
       verify_signature(algo, key, signing_input, signature)
     end
 
+    decoder.verify
+
+    fail(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
+
     [payload, header]
   end