Decoding with two extra digits added to the signature reports a warning

[nezarfadle]

File: JWT.php

  $key = "secret";
  $payload=  ["id" => 1, "name" => "foo"];
  $jwt = JWT::encode( $payload, $key );

Encoding the payload will genrate this JWT

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlU

The error arise when I add two extra digits to the signature ( and only two digits )

  $fake = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlUxx";
  print_r( JWT::decode( $fake, $key, ['HS256'] ));

The code above will report a warning

Warning: hash_equals(): Expected known_string to be a string, boolean given in vendor/firebasephp-jwt/src/JWT.php on line 237

[psignoret]

Those two extra characters make the signature an invalid Base64 encoding (i.e. there is no sequence of signature bytes that would produce that when Base64-URL-encoded). It would be reasonable for JWT to identify this case.

I've submitted a PR (#103) with a proposed enhancement to this (throws exception if encoded signature cannot be decoded).