fix: prosody: token alg is checked before public key is used

resources/prosody-plugins/token/util.lib.lua

@@ -270,6 +270,13 @@ function Util:process_and_verify_token(session, acceptedIssuers)
         if kid == nil then
             return false, "not-allowed", "'kid' claim is missing";
         end
+        local alg = header["alg"];
+        if alg == nil then
+            return false, "not-allowed", "'alg' claim is missing";
+        end
+        if alg.sub(alg,1,2) ~= "RS" then
+            return false, "not-allowed", "'kid' claim only support with RS family";
+        end
         pubKey = self:get_public_key(kid);
         if pubKey == nil then
             return false, "not-allowed", "could not obtain public key";