This is sort of a nitpick on my side, but the godoc for `ParseUnverified` is the following:

```go
// ParseUnverified parses the token but doesn't validate the signature.
//
// WARNING: Don't use this method unless you know what you're doing.
//
// It's only ever useful in cases where you know the signature is valid (because it has
// been checked previously in the stack) and you want to extract values from it.
```
The part that I would suggest changing is "because it has been checked previously in the stack"; that does not necessarily have to be true. For example, when receiving a JWT that will be validated after the parse has happened, we should be exposed to any risks as well.
So the godoc could be something like:
```go
// ParseUnverified parses the token but doesn't validate the signature.
//
// WARNING: Don't use this method unless you know what you're doing.
//
// It's only ever useful in cases where you know the signature is valid (since it has already
// been or will be checked elsewhere in the stack) and you want to extract values from it.
```
Opening an issue to understand if that makes sense, and if so I can open this really short PR to fix as well.
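The "will be checked elsewhere in the stack" case the issue describes, written out as a standalone Go example (added here; this is not the library's code and does not use its API). It assumes a constructed HS256 key store looked up by `kid`, and the names `peekUnverified`, `verifyHS256`, `signHS256` and `Authenticate` are hypothetical. The point it shows is ordering: an unverified parse may be used to learn which key to try, but nothing it returns is trusted until the signature check over the same token has passed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Header and Claims hold only the fields this example looks at.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type Claims struct {
	Sub string `json:"sub"`
}

// decodeSegment base64url-decodes one compact-JWS segment into v.
func decodeSegment(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// peekUnverified decodes header and claims WITHOUT checking the signature.
// Everything it returns is untrusted until verifyHS256 accepts the same token.
func peekUnverified(token string) (Header, Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Header{}, Claims{}, errors.New("token must have three segments")
	}
	var h Header
	var c Claims
	if err := decodeSegment(parts[0], &h); err != nil {
		return Header{}, Claims{}, err
	}
	if err := decodeSegment(parts[1], &c); err != nil {
		return Header{}, Claims{}, err
	}
	return h, c, nil
}

// verifyHS256 recomputes HMAC-SHA256 over "header.payload" and compares it
// to the signature segment in constant time.
func verifyHS256(token string, key []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(mac.Sum(nil), sig)
}

// signHS256 builds a token for the constructed sample; in real code the
// token arrives from the client and is never minted here.
func signHS256(h Header, c Claims, key []byte) string {
	hb, _ := json.Marshal(h)
	cb, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(cb)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Keys is a constructed stand-in for a key store indexed by kid.
var Keys = map[string][]byte{
	"k1": []byte("constructed-secret-k1"),
	"k2": []byte("constructed-secret-k2"),
}

// Authenticate peeks first (to pick a key), verifies second, and only then
// treats the claims as trustworthy. A bad signature or an unexpected alg
// rejects the token even though the unverified parse succeeded.
func Authenticate(token string) (string, error) {
	h, c, err := peekUnverified(token)
	if err != nil {
		return "", err
	}
	if h.Alg != "HS256" {
		return "", errors.New("unexpected alg")
	}
	key, ok := Keys[h.Kid]
	if !ok {
		return "", errors.New("unknown kid")
	}
	if !verifyHS256(token, key) {
		return "", errors.New("bad signature")
	}
	return c.Sub, nil
}

func main() {
	tok := signHS256(Header{Alg: "HS256", Kid: "k1"}, Claims{Sub: "alice"}, Keys["k1"])
	fmt.Println(Authenticate(tok))
}
```

Pinning `alg` to the one algorithm the key store supports, before the key lookup, is deliberate: the header comes from the unverified parse, so it gets to influence which verification runs, not whether one runs.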