add algorithm none

README.md

@@ -99,7 +99,7 @@ Signs a payload and returns the token.
 Argument                 | Type                                | Status   | Default     | Description
 ------------------------ | ----------------------------------- | -------- | ----------- | -----------
 `payload`                | `object`                            | required | -           | The payload object. To use `nbf` (Not Before) and/or `exp` (Expiration Time) add `nbf` and/or `exp` to the payload.
-`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | required | -           | A string which is used to sign the payload.
+`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | optional | -           | A secret which is used to sign the payload.
 `options`                | `string`, `object`                  | optional | `HS256`     | Either the `algorithm` string or an object.
 `options.algorithm`      | `string`                            | optional | `HS256`     | See [Available Algorithms](#available-algorithms)
 `options.header`         | `object`                            | optional | `undefined` | Extend the header of the resulting JWT.
@@ -121,7 +121,7 @@ Verifies the integrity of the token.
 Argument                 | Type                                | Status   | Default | Description
 ------------------------ | ----------------------------------- | -------- | ------- | -----------
 `token`                  | `string`                            | required | -       | The token string generated by `sign()`.
-`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | required | -       | The string which was used to sign the payload.
+`secret`                 | `string`, `JsonWebKey`, `CryptoKey` | optional | -       | The secret which was used to sign the payload.
 `options`                | `string`, `object`                  | optional | `HS256` | Either the `algorithm` string or an object.
 `options.algorithm`      | `string`                            | optional | `HS256` | See [Available Algorithms](#available-algorithms)
 `options.clockTolerance` | `number`                            | optional | `0`     | Clock tolerance in seconds, to help with slighly out of sync systems.
@@ -188,4 +188,5 @@ Returns an `object` containing `header` and `payload`:
 
  - `ES256`, `ES384`, `ES512`
  - `HS256`, `HS384`, `HS512`
- - `RS256`, `RS384`, `RS512`
+ - `RS256`, `RS384`, `RS512`
+ - `none`

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tsndr/cloudflare-worker-jwt",
-  "version": "3.1.5",
+  "version": "3.1.7",
   "description": "A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker",
   "type": "module",
   "exports": "./index.js",
@@ -30,10 +30,10 @@
   },
   "homepage": "https://github.com/tsndr/cloudflare-worker-jwt#readme",
   "devDependencies": {
-    "@cloudflare/workers-types": "^4.20250313.0",
+    "@cloudflare/workers-types": "^4.20250525.0",
     "@edge-runtime/vm": "^5.0.0",
-    "esbuild": "^0.25.1",
-    "typescript": "^5.8.2",
-    "vitest": "^3.0.8"
+    "esbuild": "^0.25.4",
+    "typescript": "^5.8.3",
+    "vitest": "^3.1.4"
   }
 }

src/index.ts

@@ -12,9 +12,9 @@ if (typeof crypto === "undefined" || !crypto.subtle)
 
 /**
  * @typedef JwtAlgorithm
- * @type {"ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"}
+ * @type {"none" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"}
  */
-export type JwtAlgorithm = "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"
+export type JwtAlgorithm = "none" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"
 
 /**
  * @typedef JwtAlgorithms
@@ -118,11 +118,12 @@ export type JwtVerifyOptions = {
  * @prop {JwtPayload} payload
  */
 export type JwtData<Payload = {}, Header = {}> = {
-    header?: JwtHeader<Header>
-    payload?: JwtPayload<Payload>
+    header: JwtHeader<Header>
+    payload: JwtPayload<Payload>
 }
 
 const algorithms: JwtAlgorithms = {
+    none:  { name: "none" },
     ES256: { name: "ECDSA", namedCurve: "P-256", hash: { name: "SHA-256" } },
     ES384: { name: "ECDSA", namedCurve: "P-384", hash: { name: "SHA-384" } },
     ES512: { name: "ECDSA", namedCurve: "P-521", hash: { name: "SHA-512" } },
@@ -143,7 +144,7 @@ const algorithms: JwtAlgorithms = {
  * @throws If there"s a validation issue.
  * @returns Returns token as a `string`.
  */
-export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payload>, secret: string | JsonWebKey | CryptoKey, options: JwtSignOptions<Header> | JwtAlgorithm = "HS256"): Promise<string> {
+export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payload>, secret: string | JsonWebKeyWithKid | CryptoKey | undefined, options: JwtSignOptions<Header> | JwtAlgorithm = "HS256"): Promise<string> {
     if (typeof options === "string")
         options = { algorithm: options }
 
@@ -152,7 +153,7 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa
     if (!payload || typeof payload !== "object")
         throw new Error("payload must be an object")
 
-    if (!secret || (typeof secret !== "string" && typeof secret !== "object"))
+    if (options.algorithm !== "none" && (!secret || (typeof secret !== "string" && typeof secret !== "object")))
         throw new Error("secret must be a string, a JWK object or a CryptoKey object")
 
     if (typeof options.algorithm !== "string")
@@ -168,7 +169,10 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa
 
     const partialToken = `${textToBase64Url(JSON.stringify({ ...options.header, alg: options.algorithm }))}.${textToBase64Url(JSON.stringify(payload))}`
 
-    const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ["sign"])
+    if (options.algorithm === "none")
+        return partialToken
+
+    const key = secret instanceof CryptoKey ? secret : await importKey(secret!, algorithm, ["sign"])
     const signature = await crypto.subtle.sign(algorithm, key, textToUint8Array(partialToken))
 
     return `${partialToken}.${arrayBufferToBase64Url(signature)}`
@@ -183,7 +187,7 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa
  * @throws Throws integration errors and if `options.throwError` is set to `true` also throws `NOT_YET_VALID`, `EXPIRED` or `INVALID_SIGNATURE`.
  * @returns Returns the decoded token or `undefined`.
  */
-export async function verify<Payload = {}, Header = {}>(token: string, secret: string | JsonWebKey | CryptoKey, options: JwtVerifyOptions | JwtAlgorithm = "HS256"): Promise<JwtData<Payload, Header> | undefined> {
+export async function verify<Payload = {}, Header = {}>(token: string, secret: string | JsonWebKeyWithKid | CryptoKey | undefined, options: JwtVerifyOptions | JwtAlgorithm = "HS256"): Promise<JwtData<Payload, Header> | undefined> {
     if (typeof options === "string")
         options = { algorithm: options }
     options = { algorithm: "HS256", clockTolerance: 0, throwError: false, ...options }
@@ -191,16 +195,18 @@ export async function verify<Payload = {}, Header = {}>(token: string, secret: s
     if (typeof token !== "string")
         throw new Error("token must be a string")
 
-    if (typeof secret !== "string" && typeof secret !== "object")
+    if (options.algorithm !== "none" && typeof secret !== "string" && typeof secret !== "object")
         throw new Error("secret must be a string, a JWK object or a CryptoKey object")
 
     if (typeof options.algorithm !== "string")
         throw new Error("options.algorithm must be a string")
 
-    const tokenParts = token.split(".")
+    const tokenParts = token.split(".", 3)
 
-    if (tokenParts.length !== 3)
-        throw new Error("token must consist of 3 parts")
+    if (tokenParts.length < 2)
+        throw new Error("token must consist of 2 or more parts")
+
+    const [ tokenHeader, tokenPayload, tokenSignature ] = tokenParts
 
     const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm]
 
@@ -223,9 +229,12 @@ export async function verify<Payload = {}, Header = {}>(token: string, secret: s
                 throw new Error("EXPIRED")
         }
 
-        const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ["verify"])
+        if (algorithm.name === "none")
+            return decodedToken
 
-        if (!await crypto.subtle.verify(algorithm, key, base64UrlToUint8Array(tokenParts[2]), textToUint8Array(`${tokenParts[0]}.${tokenParts[1]}`)))
+        const key = secret instanceof CryptoKey ? secret : await importKey(secret!, algorithm, ["verify"])
+
+        if (!await crypto.subtle.verify(algorithm, key, base64UrlToUint8Array(tokenSignature), textToUint8Array(`${tokenHeader}.${tokenPayload}`)))
             throw new Error("INVALID_SIGNATURE")
 
         return decodedToken

src/utils.ts

@@ -56,7 +56,7 @@ export async function importTextSecret(key: string, algorithm: SubtleCryptoImpor
     return await crypto.subtle.importKey("raw", textToUint8Array(key), algorithm, true, keyUsages)
 }
 
-export async function importJwk(key: JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+export async function importJwk(key: JsonWebKeyWithKid, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
     return await crypto.subtle.importKey("jwk", key, algorithm, true, keyUsages)
 }
 
@@ -68,7 +68,7 @@ export async function importPrivateKey(key: string, algorithm: SubtleCryptoImpor
     return await crypto.subtle.importKey("pkcs8", pemToBinary(key), algorithm, true, keyUsages)
 }
 
-export async function importKey(key: string | JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+export async function importKey(key: string | JsonWebKeyWithKid, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
     if (typeof key === "object")
         return importJwk(key, algorithm, keyUsages)
 
@@ -84,13 +84,9 @@ export async function importKey(key: string | JsonWebKey, algorithm: SubtleCrypt
     return importTextSecret(key, algorithm, keyUsages)
 }
 
-export function decodePayload<T = any>(raw: string): T | undefined {
-    try {
-        const bytes = Array.from(atob(raw), char => char.charCodeAt(0));
-        const decodedString = new TextDecoder("utf-8").decode(new Uint8Array(bytes));
+export function decodePayload<T = any>(raw: string): T {
+    const bytes = Array.from(atob(raw), char => char.charCodeAt(0));
+    const decodedString = new TextDecoder("utf-8").decode(new Uint8Array(bytes));
 
-        return JSON.parse(decodedString);
-    } catch {
-        return
-    }
+    return JSON.parse(decodedString);
 }

tests/algorithms.spec.ts

@@ -2,8 +2,8 @@ import { describe, expect, test } from 'vitest'
 import jwt, { JwtAlgorithm } from '../src/index'
 
 type Dataset = {
-    public: string
-    private: string
+    public?: string
+    private?: string
     token: string
 }
 
@@ -18,6 +18,9 @@ type Payload = {
 }
 
 const data: Data = {
+    'none': {
+        token: 'eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ'
+    },
     'ES256': {
         public: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----',
         private: '-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----',
@@ -72,7 +75,7 @@ const payload: Payload = {
     emoji: "😎"
 }
 
-const jwtRegex = /^[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/
+const jwtRegex = /^[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+(\.[a-zA-Z0-9\-_]+)?$/
 
 describe("Internal", () => {
     test.each(Object.entries(data) as [JwtAlgorithm, Dataset][])('%s', async (algorithm, data) => {

tests/index.spec.ts

@@ -13,27 +13,27 @@ describe("Verify", async () => {
     const notYetValidToken = await jwt.sign({ sub: "me", nbf: now + offset }, secret)
     const expiredToken = await jwt.sign({ sub: "me", exp: now - offset }, secret)
 
-    test("Valid", () => {
-        expect(jwt.verify(validToken, secret, { throwError: true })).resolves.toBeTruthy()
+    test("Valid", async () => {
+        await expect(jwt.verify(validToken, secret, { throwError: true })).resolves.toBeTruthy()
     })
 
-    test("Not yet expired", () => {
-        expect(jwt.verify(notYetExpired, secret, { throwError: true })).resolves.toBeTruthy()
+    test("Not yet expired", async () => {
+        await expect(jwt.verify(notYetExpired, secret, { throwError: true })).resolves.toBeTruthy()
     })
 
-    test("Not yet valid", () => {
-        expect(jwt.verify(notYetValidToken, secret, { throwError: true })).rejects.toThrowError("NOT_YET_VALID")
+    test("Not yet valid", async () => {
+        await expect(jwt.verify(notYetValidToken, secret, { throwError: true })).rejects.toThrowError("NOT_YET_VALID")
     })
 
-    test("Expired", () => {
-        expect(jwt.verify(expiredToken, secret, { throwError: true })).rejects.toThrowError("EXPIRED")
+    test("Expired", async () => {
+        await expect(jwt.verify(expiredToken, secret, { throwError: true })).rejects.toThrowError("EXPIRED")
     })
 
-    test("Clock offset", () => {
-        expect(jwt.verify(notYetValidToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBeTruthy()
-        expect(jwt.verify(expiredToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBeTruthy()
+    test("Clock offset", async () => {
+        await expect(jwt.verify(notYetValidToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBeTruthy()
+        await expect(jwt.verify(expiredToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBeTruthy()
 
-        expect(jwt.verify(notYetValidToken, secret, { clockTolerance: offset - 1, throwError: true })).rejects.toThrowError("NOT_YET_VALID")
-        expect(jwt.verify(expiredToken, secret, { clockTolerance: offset - 1, throwError: true })).rejects.toThrowError("EXPIRED")
+        await expect(jwt.verify(notYetValidToken, secret, { clockTolerance: offset - 1, throwError: true })).rejects.toThrowError("NOT_YET_VALID")
+        await expect(jwt.verify(expiredToken, secret, { clockTolerance: offset - 1, throwError: true })).rejects.toThrowError("EXPIRED")
     })
 })

tests/utils.spec.ts

@@ -67,7 +67,7 @@ describe("Imports", () => {
         const testAlgorithm = { name: "HMAC", hash: { name: "SHA-256" } }
         const testCryptoKey = { type: "secret", extractable: true, algorithm: { ...testAlgorithm, length: 168 }, usages: ["verify", "sign"] }
 
-        expect(await importTextSecret(testKey, testAlgorithm, ["verify", "sign"])).toMatchObject(testCryptoKey)
+        await expect(importTextSecret(testKey, testAlgorithm, ["verify", "sign"])).resolves.toMatchObject(testCryptoKey)
     })
 
     test.todo("importJwk")