Merge pull request auth0#386 from ziluvatar/issue_381

fiddur · web-flow · commit 2e4e30b75077 · 2017-08-17T14:28:20.000+02:00
Fix breaking change on 7.4.2 for empty secret + "none" algorithm (sync code style)
diff --git a/sign.js b/sign.js
@@ -66,7 +66,7 @@ module.exports = function (payload, secretOrPrivateKey, options, callback) {
     throw err;
   }
 
-  if (!secretOrPrivateKey) {
+  if (!secretOrPrivateKey && options.algorithm !== 'none') {
     return failure(new Error('secretOrPrivateKey must have a value'));
   }
 
diff --git a/test/async_sign.tests.js b/test/async_sign.tests.js
@@ -32,6 +32,24 @@ describe('signing a token asynchronously', function() {
       });
     });
 
+    it('should work with none algorithm where secret is set', function(done) {
+      jwt.sign({ foo: 'bar' }, 'secret', { algorithm: 'none' }, function(err, token) {
+        expect(token).to.be.a('string');
+        expect(token.split('.')).to.have.length(3);
+        done();
+      });
+    });
+
+    //Known bug: https://github.com/brianloveswords/node-jws/issues/62
+    //If you need this use case, you need to go for the non-callback-ish code style.
+    it.skip('should work with none algorithm where secret is falsy', function(done) {
+      jwt.sign({ foo: 'bar' }, undefined, { algorithm: 'none' }, function(err, token) {
+        expect(token).to.be.a('string');
+        expect(token.split('.')).to.have.length(3);
+        done();
+      });
+    });
+
     it('should return error when secret is not a cert for RS256', function(done) {
       //this throw an error because the secret is not a cert and RS256 requires a cert.
       jwt.sign({ foo: 'bar' }, secret, { algorithm: 'RS256' }, function (err) {
@@ -66,7 +84,7 @@ describe('signing a token asynchronously', function() {
 
     describe('secret must have a value', function(){
       [undefined, '', 0].forEach(function(secret){
-        it('should return an error if the secret is falsy: ' + (typeof secret === 'string' ? '(empty string)' : secret), function(done) {
+        it('should return an error if the secret is falsy and algorithm is not set to none: ' + (typeof secret === 'string' ? '(empty string)' : secret), function(done) {
         // This is needed since jws will not answer for falsy secrets
           jwt.sign('string', secret, {}, function(err, token) {
             expect(err).to.be.exist();
diff --git a/test/jwt.hs.tests.js b/test/jwt.hs.tests.js
@@ -51,6 +51,16 @@ describe('HS256', function() {
       });
     });
 
+    it('should work with falsy secret and token not signed', function(done) {
+      var signed = jwt.sign({ foo: 'bar' }, null, { algorithm: 'none' });
+      var unsigned = signed.split('.')[0] + '.' + signed.split('.')[1] + '.';
+      jwt.verify(unsigned, 'secret', function(err, decoded) {
+        assert.isUndefined(decoded);
+        assert.isNotNull(err);
+        done();
+      });
+    });
+
     it('should throw when verifying null', function(done) {
       jwt.verify(null, 'secret', function(err, decoded) {
         assert.isUndefined(decoded);

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ module.exports = function (payload, secretOrPrivateKey, options, callback) {`
`66`	`66`	`throw err;`
`67`	`67`	`}`
`68`	`68`
`69`		`- if (!secretOrPrivateKey) {`
	`69`	`+ if (!secretOrPrivateKey && options.algorithm !== 'none') {`
`70`	`70`	`return failure(new Error('secretOrPrivateKey must have a value'));`
`71`	`71`	`}`
`72`	`72`