From 1b4c93adb2d10c80a7859f07f86a9b8afd53995a Mon Sep 17 00:00:00 2001
From: Toby <mail@tobias-schneider.io>
Date: Thu, 29 May 2025 01:26:59 +0200
Subject: [PATCH] add algorithm none

---
 README.md                |  7 ++++---
 src/index.ts             | 37 +++++++++++++++++++++++--------------
 src/utils.ts             | 12 ++++--------
 tests/algorithms.spec.ts |  9 ++++++---
 4 files changed, 37 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index de120df..f54de3a 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,7 @@ Signs a payload and returns the token.
 Argument                 | Type                                | Status   | Default     | Description
 ------------------------ | ----------------------------------- | -------- | ----------- | -----------
 `payload`                | `object`                            | required | -           | The payload object. To use `nbf` (Not Before) and/or `exp` (Expiration Time) add `nbf` and/or `exp` to the payload.
-`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | required | -           | A string which is used to sign the payload.
+`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | optional | -           | A secret which is used to sign the payload.
 `options`                | `string`, `object`                  | optional | `HS256`     | Either the `algorithm` string or an object.
 `options.algorithm`      | `string`                            | optional | `HS256`     | See [Available Algorithms](#available-algorithms)
 `options.header`         | `object`                            | optional | `undefined` | Extend the header of the resulting JWT.
@@ -121,7 +121,7 @@ Verifies the integrity of the token.
 Argument                 | Type                                | Status   | Default | Description
 ------------------------ | ----------------------------------- | -------- | ------- | -----------
 `token`                  | `string`                            | required | -       | The token string generated by `sign()`.
-`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | required | -       | The string which was used to sign the payload.
+`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | optional | -       | The secret which was used to sign the payload.
 `options`                | `string`, `object`                  | optional | `HS256` | Either the `algorithm` string or an object.
 `options.algorithm`      | `string`                            | optional | `HS256` | See [Available Algorithms](#available-algorithms)
 `options.clockTolerance` | `number`                            | optional | `0`     | Clock tolerance in seconds, to help with slighly out of sync systems.
@@ -188,4 +188,5 @@ Returns an `object` containing `header` and `payload`:
 
  - `ES256`, `ES384`, `ES512`
  - `HS256`, `HS384`, `HS512`
- - `RS256`, `RS384`, `RS512`
\ No newline at end of file
+ - `RS256`, `RS384`, `RS512`
+ - `none`
\ No newline at end of file
diff --git a/src/index.ts b/src/index.ts
index de9c2c7..a959c65 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -12,9 +12,9 @@ if (typeof crypto === "undefined" || !crypto.subtle)
 
 /**
  * @typedef JwtAlgorithm
- * @type {"ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"}
+ * @type {"none" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"}
  */
-export type JwtAlgorithm = "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"
+export type JwtAlgorithm = "none" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"
 
 /**
  * @typedef JwtAlgorithms
@@ -118,11 +118,12 @@ export type JwtVerifyOptions = {
  * @prop {JwtPayload} payload
  */
 export type JwtData<Payload = {}, Header = {}> = {
-    header?: JwtHeader<Header>
-    payload?: JwtPayload<Payload>
+    header: JwtHeader<Header>
+    payload: JwtPayload<Payload>
 }
 
 const algorithms: JwtAlgorithms = {
+    none:  { name: "none" },
     ES256: { name: "ECDSA", namedCurve: "P-256", hash: { name: "SHA-256" } },
     ES384: { name: "ECDSA", namedCurve: "P-384", hash: { name: "SHA-384" } },
     ES512: { name: "ECDSA", namedCurve: "P-521", hash: { name: "SHA-512" } },
@@ -143,7 +144,7 @@ const algorithms: JwtAlgorithms = {
  * @throws If there"s a validation issue.
  * @returns Returns token as a `string`.
  */
-export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payload>, secret: string | JsonWebKeyWithKid | CryptoKey, options: JwtSignOptions<Header> | JwtAlgorithm = "HS256"): Promise<string> {
+export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payload>, secret: string | JsonWebKeyWithKid | CryptoKey | undefined, options: JwtSignOptions<Header> | JwtAlgorithm = "HS256"): Promise<string> {
     if (typeof options === "string")
         options = { algorithm: options }
 
@@ -152,7 +153,7 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa
     if (!payload || typeof payload !== "object")
         throw new Error("payload must be an object")
 
-    if (!secret || (typeof secret !== "string" && typeof secret !== "object"))
+    if (options.algorithm !== "none" && (!secret || (typeof secret !== "string" && typeof secret !== "object")))
         throw new Error("secret must be a string, a JWK object or a CryptoKey object")
 
     if (typeof options.algorithm !== "string")
@@ -168,7 +169,10 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa
 
     const partialToken = `${textToBase64Url(JSON.stringify({ ...options.header, alg: options.algorithm }))}.${textToBase64Url(JSON.stringify(payload))}`
 
-    const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ["sign"])
+    if (options.algorithm === "none")
+        return partialToken
+
+    const key = secret instanceof CryptoKey ? secret : await importKey(secret!, algorithm, ["sign"])
     const signature = await crypto.subtle.sign(algorithm, key, textToUint8Array(partialToken))
 
     return `${partialToken}.${arrayBufferToBase64Url(signature)}`
@@ -183,7 +187,7 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa
  * @throws Throws integration errors and if `options.throwError` is set to `true` also throws `NOT_YET_VALID`, `EXPIRED` or `INVALID_SIGNATURE`.
  * @returns Returns the decoded token or `undefined`.
  */
-export async function verify<Payload = {}, Header = {}>(token: string, secret: string | JsonWebKeyWithKid | CryptoKey, options: JwtVerifyOptions | JwtAlgorithm = "HS256"): Promise<JwtData<Payload, Header> | undefined> {
+export async function verify<Payload = {}, Header = {}>(token: string, secret: string | JsonWebKeyWithKid | CryptoKey | undefined, options: JwtVerifyOptions | JwtAlgorithm = "HS256"): Promise<JwtData<Payload, Header> | undefined> {
     if (typeof options === "string")
         options = { algorithm: options }
     options = { algorithm: "HS256", clockTolerance: 0, throwError: false, ...options }
@@ -191,16 +195,18 @@ export async function verify<Payload = {}, Header = {}>(token: string, secret: s
     if (typeof token !== "string")
         throw new Error("token must be a string")
 
-    if (typeof secret !== "string" && typeof secret !== "object")
+    if (options.algorithm !== "none" && typeof secret !== "string" && typeof secret !== "object")
         throw new Error("secret must be a string, a JWK object or a CryptoKey object")
 
     if (typeof options.algorithm !== "string")
         throw new Error("options.algorithm must be a string")
 
-    const tokenParts = token.split(".")
+    const tokenParts = token.split(".", 3)
 
-    if (tokenParts.length !== 3)
-        throw new Error("token must consist of 3 parts")
+    if (tokenParts.length < 2)
+        throw new Error("token must consist of 2 or more parts")
+
+    const [ tokenHeader, tokenPayload, tokenSignature ] = tokenParts
 
     const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm]
 
@@ -223,9 +229,12 @@ export async function verify<Payload = {}, Header = {}>(token: string, secret: s
                 throw new Error("EXPIRED")
         }
 
-        const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ["verify"])
+        if (algorithm.name === "none")
+            return decodedToken
 
-        if (!await crypto.subtle.verify(algorithm, key, base64UrlToUint8Array(tokenParts[2]), textToUint8Array(`${tokenParts[0]}.${tokenParts[1]}`)))
+        const key = secret instanceof CryptoKey ? secret : await importKey(secret!, algorithm, ["verify"])
+
+        if (!await crypto.subtle.verify(algorithm, key, base64UrlToUint8Array(tokenSignature), textToUint8Array(`${tokenHeader}.${tokenPayload}`)))
             throw new Error("INVALID_SIGNATURE")
 
         return decodedToken
diff --git a/src/utils.ts b/src/utils.ts
index 18d89ad..80d9f1d 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -84,13 +84,9 @@ export async function importKey(key: string | JsonWebKeyWithKid, algorithm: Subt
     return importTextSecret(key, algorithm, keyUsages)
 }
 
-export function decodePayload<T = any>(raw: string): T | undefined {
-    try {
-        const bytes = Array.from(atob(raw), char => char.charCodeAt(0));
-        const decodedString = new TextDecoder("utf-8").decode(new Uint8Array(bytes));
+export function decodePayload<T = any>(raw: string): T {
+    const bytes = Array.from(atob(raw), char => char.charCodeAt(0));
+    const decodedString = new TextDecoder("utf-8").decode(new Uint8Array(bytes));
 
-        return JSON.parse(decodedString);
-    } catch {
-        return
-    }
+    return JSON.parse(decodedString);
 }
\ No newline at end of file
diff --git a/tests/algorithms.spec.ts b/tests/algorithms.spec.ts
index bdb21f2..69fa9fb 100644
--- a/tests/algorithms.spec.ts
+++ b/tests/algorithms.spec.ts
@@ -2,8 +2,8 @@ import { describe, expect, test } from 'vitest'
 import jwt, { JwtAlgorithm } from '../src/index'
 
 type Dataset = {
-    public: string
-    private: string
+    public?: string
+    private?: string
     token: string
 }
 
@@ -18,6 +18,9 @@ type Payload = {
 }
 
 const data: Data = {
+    'none': {
+        token: 'eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ'
+    },
     'ES256': {
         public: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----',
         private: '-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----',
@@ -72,7 +75,7 @@ const payload: Payload = {
     emoji: "😎"
 }
 
-const jwtRegex = /^[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/
+const jwtRegex = /^[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+(\.[a-zA-Z0-9\-_]+)?$/
 
 describe("Internal", () => {
     test.each(Object.entries(data) as [JwtAlgorithm, Dataset][])('%s', async (algorithm, data) => {