From df355ebd7d4e7516ac076619e9bf5a6a0a6cf782 Mon Sep 17 00:00:00 2001
From: HadleySo <71105018+HadleySo@users.noreply.github.com>
Date: Thu, 19 Mar 2026 22:33:17 -0500
Subject: [PATCH] Changing JWT low-security to alg none check only. DOCS ok

---
 application/controllers/Header_auth.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/application/controllers/Header_auth.php b/application/controllers/Header_auth.php
index 790733efb..7e48e1e72 100644
--- a/application/controllers/Header_auth.php
+++ b/application/controllers/Header_auth.php
@@ -202,8 +202,8 @@ class Header_auth extends CI_Controller {
 return null;
 }

- $alg = $header['alg'] ?? '';
- if (!in_array($alg, ['RS256', 'RS384', 'RS512', 'ES256', 'ES384'], true)) {
+ $alg = $header['alg'] ?? 'none';
+ if ($alg == "none") {
 log_message('error', 'SSO Authentication: Algorithm "' . $alg . '" is not allowed.');
 return null;
 }
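Review bot: The new check `if ($alg == "none")` replaces the algorithm allowlist with a one-entry, case-sensitive denylist, so every header value other than the exact lowercase string `none` now passes this gate, including differently cased spellings, symmetric `HS*` algorithms and non-string values. The enclosing method starts and ends outside the hunk, so the signature step is not visible; if it takes the algorithm from the token header or verifies with a public key, this change would allow unsigned or key-confused tokens to authenticate. I would keep a strict allowlist, `if (!in_array($alg, ['RS256', 'RS384', 'RS512', 'ES256', 'ES384'], true)) {`, and add any further algorithm the low-security mode needs to that list explicitly rather than inverting the check. Separately, `$alg` comes from the token and is still concatenated into the `log_message()` text as-is, so it is worth stripping control characters or logging a fixed message there.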