refactor: removed nonce option from JWT.sign
BREAKING CHANGE: `JWT.sign` function options no longer accept a `nonce`
property. To create a JWT with a `nonce` just pass the value to the
payload.
panva committed Sep 8, 2020
1 parent 6556797 commit c4267cc
Showing 4 changed files with 2 additions and 14 deletions.
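--- a/docs/README.md
+++ b/docs/README.md
@@ -857,8 +857,6 @@ that will be used to sign with is either provided as part of the 'options.algori
 - `jti`: `<string>` JWT ID, "jti" claim value, if provided it will replace "jti" found in the
 payload
 - `kid`: `<Boolean>` When true it pushes the key's "kid" to the JWT Header. **Default:** 'true' for asymmetric keys, 'false' for symmetric keys.
-- `nonce`: `<string>` ID Token Nonce, "nonce" claim value, if provided it will replace "nonce"
-found in the payload. See [OpenID Connect Core 1.0][connect-core] for details.
 - `notBefore`: `<string>` JWT Not Before, "nbf" claim value, specified as string which is added to
 the current unix epoch timestamp e.g. `24 hours`, `20 m`, `60s`, etc., if provided it will
 replace Not Before found in the payload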
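--- a/lib/jwt/sign.js
+++ b/lib/jwt/sign.js
@@ -36,7 +36,6 @@ const validateOptions = (options) => {
 isString(options.expiresIn, 'options.expiresIn')
 isString(options.notBefore, 'options.notBefore')
 isString(options.jti, 'options.jti')
-isString(options.nonce, 'options.nonce')
 
 if (options.now !== undefined && (!(options.now instanceof Date) || !options.now.getTime())) {
 throw new TypeError('options.now must be a valid Date object')
@@ -50,11 +49,11 @@ module.exports = (payload, key, options = {}) => {
 
 const {
 algorithm, audience, expiresIn, header = {}, iat = true,
-issuer, jti, kid = true, nonce, notBefore, subject, now
+issuer, jti, kid = true, notBefore, subject, now
 } = options
 
 validateOptions({
-algorithm, audience, expiresIn, header, iat, issuer, jti, kid, nonce, notBefore, now, subject
+algorithm, audience, expiresIn, header, iat, issuer, jti, kid, notBefore, now, subject
 })
 
 if (!isObject(payload)) {
@@ -73,7 +72,6 @@ module.exports = (payload, key, options = {}) => {
 iss: issuer || payload.iss,
 jti: jti || payload.jti,
 iat: iat ? unix : payload.iat,
-nonce: nonce || payload.nonce,
 exp: expiresIn ? unix + secs(expiresIn) : payload.exp,
 nbf: notBefore ? unix + secs(notBefore) : payload.nbf
 }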
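Review bot: A caller that still passes `options.nonce` now gets no error, because the destructuring in the exported function simply stops reading it and the token is signed without the value the caller asked for. For an OpenID Connect ID Token that claim is what lets the relying party tie the token to its authentication request, so the removed option should fail loudly rather than be dropped. Consider a guard before the destructuring, e.g. `if (options.nonce !== undefined) throw new TypeError('options.nonce is no longer supported, pass nonce in the payload')`. The removed option was checked with `isString`, while a `nonce` supplied in the payload gets no type check in the visible lines. Both function bodies continue outside these hunks, so confirm how the payload's claims are carried into the token.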
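--- a/test/jwt/sign.test.js
+++ b/test/jwt/sign.test.js
@@ -24,7 +24,6 @@ test('options.algorithm must be string', string, 'algorithm')
 test('options.expiresIn must be string', string, 'expiresIn')
 test('options.issuer must be string', string, 'issuer')
 test('options.jti must be string', string, 'jti')
-test('options.nonce must be string', string, 'nonce')
 test('options.notBefore must be string', string, 'notBefore')
 test('options.subject must be string', string, 'subject')
 
@@ -142,12 +141,6 @@ test('options.iat', t => {
 t.is(decoded.iat, epoch)
 })
 
-test('options.nonce', t => {
-const nonce = 'foo'
-const { nonce: pNonce } = JWT.decode(JWT.sign({ nonce: 'bar' }, key, { nonce }))
-t.is(pNonce, nonce)
-})
-
 test('options.audience', t => {
 const audience = 'foo'
 const { aud } = JWT.decode(JWT.sign({}, key, { audience }))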
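--- a/types/index.d.ts
+++ b/types/index.d.ts
@@ -471,7 +471,6 @@ export namespace JWT {
 expiresIn?: string;
 notBefore?: string;
 jti?: string;
-nonce?: string;
 now?: Date;
 }
 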
