Ensure allowed algorithms list is overwritten instead of merged.

Closes #52, #54.

Author: ADmad

src/Auth/JwtAuthenticate.php

@@ -91,13 +91,16 @@ public function __construct(ComponentRegistry $registry, $config)
             'header' => 'authorization',
             'prefix' => 'bearer',
             'parameter' => 'token',
-            'allowedAlgs' => ['HS256'],
             'queryDatasource' => true,
             'fields' => ['username' => 'id'],
             'unauthenticatedException' => '\Cake\Network\Exception\UnauthorizedException',
             'key' => null,
         ]);
 
+        if (empty($config['allowedAlgs'])) {
+            $config['allowedAlgs'] = ['HS256'];
+        }
+
         parent::__construct($registry, $config);
     }
 

tests/TestCase/Auth/JwtAuthenticateTest.php

@@ -44,6 +44,22 @@ public function setUp()
             ->getMock();
     }
 
+    /**
+     * testConfig.
+     *
+     * @return void
+     */
+    public function testConfig()
+    {
+        $auth = new JwtAuthenticate($this->Registry, []);
+        $this->assertEquals(['HS256'], $auth->config('allowedAlgs'));
+
+        $auth = new JwtAuthenticate($this->Registry, [
+            'allowedAlgs' => ['RS256']
+        ]);
+        $this->assertEquals(['RS256'], $auth->config('allowedAlgs'));
+    }
+
     /**
      * test authenticate token as query parameter.
      *