critical · Authentication · 2026-06-09 · 5 min read
JWT alg confusion: forging tokens by switching RS256 to HS256
The public key, served at a well-known endpoint, was accepted as an HMAC secret when the alg header was changed.
The verifier trusted the token's own alg header. Switching RS256→HS256 and signing with the public key produced a token the server accepted. Fix: pin the expected algorithm server-side; never let the token choose.
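To make the fix concrete, here is an added example (not code from the original post) that places the broken verifier beside the pinned one, using only the Python standard library. The "public key" PEM is constructed placeholder bytes, `make_hs256_token` is a helper written for this demo, and `rs256_verify` stands in for an RSA-signature check you would get from a real crypto library; the demo never reaches that path, which is the point: the pinned verifier rejects an `alg` mismatch before any key material is used.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the RSA public key the service published at its
# well-known endpoint. Not a real key; only its role as "key material the
# verifier holds" matters here.
PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"EXAMPLE-KEY-MATERIAL-NOT-A-REAL-KEY\n"
    b"-----END PUBLIC KEY-----\n"
)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _split(token: str):
    """Return (header, payload, signing_input, signature) for a compact JWS."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three segments")
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    return header, payload, f"{h}.{p}".encode("ascii"), _b64url_decode(s)


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Demo helper: mint an HS256 token over the given key material."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode("ascii")
    return f"{h}.{p}.{_b64url_encode(_hs256(signing_input, key))}"


def verify_vulnerable(token: str, key: bytes, rs256_verify) -> dict:
    """The broken pattern: the token's own alg header picks the algorithm, so
    the verifier's key material (the RSA public key) ends up fed to HMAC
    whenever the header says HS256."""
    header, payload, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg == "RS256":
        ok = rs256_verify(signing_input, sig, key)
    elif alg == "HS256":
        ok = hmac.compare_digest(_hs256(signing_input, key), sig)
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    if not ok:
        raise ValueError("bad signature")
    return payload


def verify_pinned(token: str, expected_alg: str, key: bytes, rs256_verify=None) -> dict:
    """Hardened pattern: the server chooses the algorithm and the header must
    agree with it. A mismatch is rejected before any key material is touched."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg mismatch: expected {expected_alg}, token says {header.get('alg')!r}")
    if expected_alg == "HS256":
        ok = hmac.compare_digest(_hs256(signing_input, key), sig)
    elif expected_alg == "RS256":
        ok = rs256_verify(signing_input, sig, key)  # assumed RSA check from a crypto library
    else:
        raise ValueError(f"unsupported expected_alg {expected_alg!r}")
    if not ok:
        raise ValueError("bad signature")
    return payload


def _rs256_not_reached(signing_input, sig, key):
    raise AssertionError("RS256 path should not be reached in this demo")


def demo() -> dict:
    """Reproduce the post's finding and show the pinned verifier closing it."""
    # The confusion case: an HS256 token whose MAC key is the public key PEM.
    confused = make_hs256_token({"sub": "user-1"}, PUBLIC_KEY_PEM)
    results = {}
    results["vulnerable_accepts"] = verify_vulnerable(confused, PUBLIC_KEY_PEM, _rs256_not_reached)["sub"] == "user-1"
    try:
        verify_pinned(confused, "RS256", PUBLIC_KEY_PEM, _rs256_not_reached)
        results["pinned_rejects"] = False
    except ValueError as err:
        results["pinned_rejects"] = str(err).startswith("alg mismatch")
    # Pinning HS256 with a genuine shared secret still works for a legitimate token.
    secret = b"constructed-shared-secret-for-demo"
    legit = make_hs256_token({"sub": "user-1"}, secret)
    results["pinned_hs256_legit"] = verify_pinned(legit, "HS256", secret)["sub"] == "user-1"
    return results


if __name__ == "__main__":
    print(demo())
```

The check that matters is the first `if` in `verify_pinned`: the expected algorithm is configuration on the server, compared against the header, and nothing else in the token gets to influence that choice. Libraries that expose an allow-list of algorithms at verification time are doing the same thing; the mistake is passing the header's value back into that list.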