Love the product and keeping it free for 10 devices is awesome!
I’m concerned with the jwt session token. I see jwt_secret as part of the jwt and the alg is HS256 rather than RS256.
If my session jwt becomes compromised, what’s stopping someone from forging a new jwt with that “jwt_secret” value and updating the expiry etc.?
Wondering what the reasoning behind including jwt_secret and HS256 was?
Admittedly, I haven’t had a chance to try forging a new token to see what would happen. Thought I’d raise it just in case.
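The check the post describes can be run as an audit on your own session token. The sketch below is an added example, not part of the original post and not the product's code. It tests whether an HS256 token verifies under a value carried in its own payload, which is the only case where a `jwt_secret` claim would let a token holder re-sign an edited token. All keys, claims and helper names are constructed for illustration, and treating the claim's UTF-8 bytes as the candidate key is an assumption.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (used here only to build constructed samples)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_hs256(token: str, key: bytes) -> bool:
    """True only if the header pins HS256 and the MAC matches under `key`."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        provided = b64url_decode(sig)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return alg == "HS256" and hmac.compare_digest(expected, provided)

def payload_exposes_signing_key(token: str, claim: str = "jwt_secret") -> bool:
    """Audit check: does the token verify under a value carried in its own payload?"""
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
        value = claims.get(claim)
    except (ValueError, IndexError, AttributeError):
        return False
    # Assumption: the claim would be used as a key via its UTF-8 bytes.
    return isinstance(value, str) and verify_hs256(token, value.encode())

# Constructed sample data, not values from any real service.
SERVER_KEY = b"constructed-server-side-key"
CLAIMS = {"sub": "device-1", "exp": 1700000000, "jwt_secret": "constructed-claim-value"}
SAFE = sign_hs256(CLAIMS, SERVER_KEY)                     # key never leaves the server
WEAK = sign_hs256(CLAIMS, CLAIMS["jwt_secret"].encode())  # key is readable in the token

def with_expiry(token: str, exp: int) -> str:
    """Rewrite exp but keep the old signature, as an edited token would arrive."""
    header, body, sig = token.split(".")
    claims = {**json.loads(b64url_decode(body)), "exp": exp}
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"
```

If `payload_exposes_signing_key` returns `False` for your token, the claim is not the HMAC key, and an edited expiry fails verification as `with_expiry` shows for `SAFE`.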