Lemur 1.9.0 JWT Algorithm Confusion in auth/service.py
What changed
JWT verifier in auth/service.py:130-137 reads the 'alg' header from the unverified token and passes it directly to pyjwt.decode() as the algorithms parameter, instead of pinning a server-side allowlist. This is a classic JWT algorithm confusion vulnerability.
Who it affects
All deployments of Lemur 1.9.0 and prior releases using the same code path. Direct exploitation is blocked by PyJWT 2.x rejecting alg=none, but chain-dependent attacks are possible if LEMUR_TOKEN_SECRET is disclosed, and future asymmetric signing could enable algorithm confusion.
What to do today
Pin the allowed algorithms in auth/service.py by replacing algorithms=[header_data["alg"]] with a server-side list, e.g., algorithms=current_app.config["JWT_ACCEPTED_ALGS"], to prevent attacker-controlled algorithm selection.