What does Joken test when verifying tokens? What is the source code? Does it protect against algorithm tampering?

This link was provided to me in another discussion with a good discussion on how JWTs can be compromised if you are not checking the encryption type.

They link the following best practices, which seem pretty straightforward.

I have looked at the Joken code but can’t find the code for verify or validate to see what it is actually doing. Perhaps this is in JOSE from the sound of it?

https://github.com/joken-elixir/joken/tree/de299190741a7991dd2e66da98ec3f9d91fda737/lib

I wrote the following to do my own “pre-authentication” of tokens before Joken.verify_and_validate. Any obvious flaw? If it can be written better I’m open, as I’m still learning Elixir coding. My method here is just to nil the token if it fails (my preferred system for simplicity).

Failure is (1) not being a three piece string, (2) not having RS256 set as “alg”, (3) having a “kid” (which can bypass the encryption method set by “alg” and I am not using) that is not nil.

Is this necessary though? Is Joken already checking this? Where is the source code for what Joken does?

        # Keeps `token` only when its JOSE header is exactly what we expect;
        # otherwise rebinds it to nil. JWT segments are base64url encoded
        # without padding, so Base.decode64/1 rejects most real tokens;
        # Base.url_decode64/2 with padding: false is the right decoder here.
        token =
          with true <- is_binary(token),
               [header, _payload, _signature] <- String.split(token, "."),
               {:ok, decoded} <- Base.url_decode64(header, padding: false),
               {:ok, map} when is_map(map) <- Jason.decode(decoded),
               "RS256" <- Map.get(map, "alg"),
               nil <- Map.get(map, "kid") do
            IO.puts("TOKEN FOUND AS RS256")
            token
          else
            # not binary, not a three-piece string, header not base64url,
            # header JSON not a map, alg not RS256, or kid set to a value
            _ -> nil
          end

Thanks.
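As an added illustration of the header pre-check described in the post (this is example code written for this page, not the poster's code and not part of Joken or JOSE), the module below decodes only the JOSE header of a compact JWS, compares `alg` against an allow-list holding the single algorithm the verifier is configured for, and rejects any header carrying a `kid`. It returns `{:ok, token}` / `{:error, reason}` instead of nil so the caller can log why a token was dropped. It assumes Jason is available as a dependency (the post already uses it); the module name `JwtHeaderCheck`, the `sample_token/1` helper and the tokens it builds are constructed for the example, with throwaway payloads and a placeholder signature, since only the header is inspected here.

```elixir
defmodule JwtHeaderCheck do
  @moduledoc """
  Added example (not from the original post, Joken or JOSE).

  Inspects only the JOSE header of a compact JWS and refuses anything that is
  not exactly what the verifier is configured for. This is NOT signature
  verification: it just stops `alg` tampering (for example "none", or an HMAC
  algorithm aimed at a verifier holding an RSA public key) before the token is
  handed to the real verifier, which must still be pinned to the same algorithm.
  Assumes Jason is a dependency.
  """

  # The one algorithm our verifier is configured with. Anything else is rejected.
  @allowed_algs ["RS256"]

  @doc "Returns {:ok, token} when the header is acceptable, {:error, reason} otherwise."
  def precheck(token) when is_binary(token) do
    # JWT segments are base64url without padding; Base.decode64/1 would fail here.
    with [header_b64, _payload, _signature] <- String.split(token, "."),
         {:ok, header_json} <- Base.url_decode64(header_b64, padding: false),
         {:ok, %{} = header} <- Jason.decode(header_json),
         :ok <- check_alg(Map.get(header, "alg")),
         :ok <- check_kid(Map.get(header, "kid")) do
      {:ok, token}
    else
      {:error, reason} -> {:error, reason}   # our own checks or Jason.DecodeError
      :error -> {:error, :bad_base64url}     # Base.url_decode64/2 failure
      _ -> {:error, :malformed}              # wrong segment count or non-object header
    end
  end

  def precheck(_other), do: {:error, :not_binary}

  defp check_alg(alg) when alg in @allowed_algs, do: :ok
  defp check_alg(alg), do: {:error, {:unexpected_alg, alg}}

  # We never issue tokens with a key id, so any `kid` is a sign of tampering.
  defp check_kid(nil), do: :ok
  defp check_kid(kid), do: {:error, {:unexpected_kid, kid}}

  @doc """
  Constructed sample token for exercising precheck/1. The payload is a dummy
  claim set and the signature segment is a placeholder, not a real signature.
  """
  def sample_token(header_map) when is_map(header_map) do
    header = Base.url_encode64(Jason.encode!(header_map), padding: false)
    payload = Base.url_encode64(Jason.encode!(%{"sub" => "demo"}), padding: false)
    signature = Base.url_encode64("not-a-real-signature", padding: false)
    header <> "." <> payload <> "." <> signature
  end
end

# Usage (iex or a script), all inputs constructed for the example:
#   JwtHeaderCheck.precheck(JwtHeaderCheck.sample_token(%{"alg" => "RS256", "typ" => "JWT"}))
#   JwtHeaderCheck.precheck(JwtHeaderCheck.sample_token(%{"alg" => "none"}))
#   JwtHeaderCheck.precheck(JwtHeaderCheck.sample_token(%{"alg" => "HS256"}))
#   JwtHeaderCheck.precheck(JwtHeaderCheck.sample_token(%{"alg" => "RS256", "kid" => "other-key"}))
#   JwtHeaderCheck.precheck("only.two")
```

Only the first of those calls yields `{:ok, token}`; the `none` and `HS256` headers are refused by `check_alg/1`, the `kid` header by `check_kid/1`, and the two-segment string as malformed. Whatever passes this filter still has to go through signature verification with a signer created for RS256 and the RSA public key only; the pre-check narrows what reaches the verifier, it does not replace it.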