tomasdrgon

decode() doesn't verify the authenticity of the jwt from localStorage (in index.js), so PrivateRoutes might be accessible with a forged jwt